JP2023034432A - Vehicle control device - Google Patents

Abstract

[Problem] To improve the reliability of a control system by determining whether or not a microcomputer abnormality monitoring device itself is functioning normally. [Solution] When a microcomputer is started in a cold start, a vehicle control device writes a keyword to a backup RAM 11a2 that retains stored contents while power is being supplied, and then suspends the transmission of a watchdog reset signal to a watchdog timer circuit 12. When the timer counter value overflows and the microcomputer 11 is restarted (warm start), the device determines whether or not a keyword is stored in the backup RAM 11a2, and if the keyword is stored, determines that the watchdog timer circuit 12 is functioning normally, and transitions to a control program related to the vehicle. [Selected Figure] Figure 2

Description

The present invention relates to a vehicle controller having a microcomputer abnormality monitoring mechanism.

2. Description of the Related Art Conventionally, an abnormality monitoring device for monitoring an abnormality is provided in a microcomputer (microcomputer) that manages various vehicle controls. For example, the electronic control device described in Patent Document 1 includes a microcomputer having a high-speed mode, which is an active state, and a low power consumption mode, which is a stopped state, as control modes, and prevents the microcomputer from running out of control. The monitoring device consists of a runaway monitoring circuit provided outside the microcomputer and a watchdog timer circuit provided inside the microcomputer. Either the runaway monitoring circuit or the watchdog timer circuit detects the runaway of the microcomputer according to the control state of the microcomputer, thereby enabling reliable detection.

JP 2008-152678 A

In the runaway monitoring device described in Patent Document 1, when a runaway of a microcomputer is detected, a reset signal is sent to the microcomputer, and the microcomputer that receives the signal performs reset processing to restore normal operation. Situations are also conceivable in which the safety mechanism itself, such as the device, fails. In the electronic control device described in Patent Document 1, the reset processing by the runaway monitoring device operates only when an abnormality occurs in the microcomputer. It is not possible to determine whether the device functions normally. Therefore, even if a runaway monitoring device is provided, if the safety mechanism itself fails, it may not be possible to detect an abnormal state of the microcomputer and prevent the system from shifting to a safe state.

SUMMARY OF THE INVENTION The present invention has been made in view of the above-described problems, and provides a vehicle control apparatus that includes an abnormality monitoring device that monitors the state of a microcomputer. An object of the present invention is to improve the reliability of the control system.

To achieve the above object, a vehicle control device according to the present invention includes a microcomputer, and monitoring the operation of the microcomputer and stopping or resetting the microcomputer when the operation of the microcomputer is abnormal. a memory for holding stored data when electricity is supplied from a battery of the vehicle; writing means for writing information; transmission control means for controlling transmission of the abnormality detection signal to the abnormality monitoring device; and the abnormality monitoring device receiving the abnormality detection signal for a predetermined time. a reset means for resetting and warm-starting the microcomputer if not, and if the warm-start is performed, whether or not the predetermined identification information written in the memory by the writing means is stored in the memory. and the transmission control means, after the writing means writes the predetermined identification information based on the cold start, the abnormality detection is continued until at least the predetermined time elapses. After the transmission control means interrupts the transmission of the abnormality detection signal, the microcomputer stores the predetermined identification information in the memory by the determination means during the warm start. When it is determined that the information is stored, it is determined that the abnormality monitoring device functions normally (claim 1).

Further, after it is determined that the predetermined identification information is stored in the memory by the determination means, the predetermined identification information is cleared, and the writing means is operated after the predetermined information is cleared. when the restart of the microcomputer is a warm start, if the determination means determines that the predetermined identification information is not stored in the memory, write the predetermined identification information in the memory; Based on the writing, transmission of the abnormality detection signal by the transmission control means may be interrupted until at least the predetermined time period is exceeded (Claim 2).

Further, the microcomputer may start executing a program relating to vehicle control when it determines that the abnormality monitoring device is functioning normally.

According to the invention of claim 1, when the microcomputer is cold-started, the predetermined identification information is written in the memory, and the abnormality detection signal is not transmitted to the abnormality monitoring device until at least the predetermined time elapses. interrupted. Therefore, when the abnormality monitoring device is functioning normally, the microcomputer is reset after the predetermined time has passed after the cold start, and the warm start is performed. In the case of a warm start, the predetermined identification information written in the memory is retained because the start is performed while electricity is supplied from the battery. Therefore, when it is determined by the determination means that the predetermined identification information is stored, it means that the reset is performed by the reset means based on the interruption of the transmission of the abnormality detection signal after the cold start, and the abnormality is detected. It can be determined that the monitoring device is functioning normally. In this manner, the microcomputer is configured to be able to determine whether or not the abnormality monitoring device is functioning normally, so the reliability of the control system can be enhanced.

According to the invention of claim 2, even if the next startup is a warm start, it is possible to confirm whether or not the abnormality monitoring device is functioning normally. It is possible to check whether the abnormality monitoring device is functioning normally.

According to the third aspect of the invention, unless the microcomputer determines that the abnormality monitoring device is functioning normally, the vehicle control program does not start, thereby further improving the reliability of the control system.

1 is a block diagram showing the configuration of a main part of a vehicle in which a vehicle control device according to an embodiment of the invention is mounted; FIG. 4 is a flow chart showing the flow of startup processing when the microcomputer is started.

A vehicle control device according to an embodiment of the present invention will be described with reference to FIGS. 1 and 2. FIG. 1 is a block diagram of a vehicle control apparatus according to an embodiment of the present invention, and FIG. 2 is a flow chart showing the flow of start-up processing.

<Electrical Configuration of Vehicle>
A vehicle control device 2 according to one embodiment of the present invention is provided in a vehicle 1 and performs various vehicle controls. ECU (A), ECU (B), and ECU (C) that are different from each other.

The ECU 5 and other ECUs 8, 9 and 10 are configured to be able to communicate with each other via a CAN 7 (Controller Area Network).

The ECU 5 executes vehicle-related control such as operation control of the actuator 6. The ECU 5 includes a microcomputer 11 (hereinafter sometimes referred to as the microcomputer 11), a watchdog timer circuit 12 (an "abnormality monitoring device" of the present invention). ). The actuator 6 is composed of, for example, a motor or a solenoid that is installed in various in-vehicle devices such as a water pump and a brake device.

The microcomputer 11 includes a memory 11a (main RAM 11a1, backup RAM 11a2, ROM 11a3) that stores control programs and various data necessary for control, a CPU 11b that performs various calculations and controls, and a watchdog timer circuit 12, which will be described later. and an I/O port 11c for connecting to the outside of the. The I/O port 11c is composed of an external terminal or an input/output circuit.

The memory 11a includes, for example, a main RAM 11a1, a backup RAM 11a2, and a ROM 11a3. In this embodiment, the backup RAM 11a2 (corresponding to "memory" of the present invention) is, for example, a volatile memory such as SRAM or DRAM. In this embodiment, in the reset process, the definition value (keyword: equivalent to "predetermined identification information" of the present invention) used for determining whether the watchdog timer circuit 12 is functioning normally is stored in the backup RAM 11a2. stored in Definition values (keywords) will be described later.

The backup RAM 11a2 retains the memory contents while the voltage is supplied from the battery 3 from the constant power supply line 40b, which will be described later, and therefore retains the memory contents in the case of a warm start. On the other hand, the contents of the main RAM 11a1 are undefined in both cold start and warm start. The ROM 11a3 also stores various programs controlled by the microcomputer 11 (start-up processing program, vehicle-related control program).

The CPU 11b performs various calculations and controls, and also controls transmission of a watchdog reset signal to be transmitted to the watchdog timer circuit 12 via the I/O port 11c.
In addition, in the process of startup processing (reset processing), the CPU 11b initializes (clears) the memory 11a (steps S2 and S7 in FIG. 2), and reads and writes data in the keyword storage area of the backup RAM 11a2 normally. It is checked whether or not it can be performed (step S3 in FIG. 2). Further, the CPU 11b determines whether or not the value of the keyword storage area is a defined value (keyword) (step S4 in FIG. 2). At the same time, if the value in the keyword storage area is not the defined value (keyword), the defined value (keyword) is written in the keyword storage area (step S5 in FIG. 2).

The keyword save area is set at a predetermined address in the backup RAM 11a2. Also, the definition value is a predetermined value (for example, "AA55AA55") and can be changed as appropriate. Here, the CPU 11b corresponds to the "writing means", the "transmission control means", the "reset means", and the "determining means" of the present invention.

To explain the transmission control of the CPU 11b in detail, the CPU 11b basically sends a watchdog reset signal ( corresponding to the "abnormality detection signal" of the present invention). The cycle is a set time determined as a threshold value of the counter value of the timer counter 12a of the watchdog timer circuit 12 (the time when the threshold overflows and the reset signal to the microcomputer 11 is output: the "predetermined time" of the present invention). equivalent) can be set as appropriate within a shorter range.

However, even when the voltage from the battery 3 is being supplied to the microcomputer 11, the CPU 11b waits for a specified period of time after writing the keyword to the keyword storage area of the backup RAM 11a2 in the process of resetting the microcomputer 11. suspends the transmission of the watchdog reset signal. The prescribed time is longer than the set time set in the timer counter 12 a of the watchdog timer circuit 12 . Therefore, if the watchdog timer circuit 12 is functioning normally, after the keyword is written in the backup RAM 11a2, the microcomputer 11 is reset (forced reset) based on the interruption of transmission of the watchdog reset signal. become.

The watchdog reset signal is a signal for resetting the timer counter 12 a of the watchdog timer circuit 12 . The interruption (intentional interruption) of the transmission of the watchdog reset signal is canceled when the process returns to the startup process after step S6, which will be described later (at the point of return). In addition, in the startup process, there are a plurality of processes being executed other than the process of writing the keyword in the backup RAM 11a2 as described above. It has become. Further, during the execution of the control program, the timer counter 12a is cleared at regular intervals so that it is not reset (forcibly reset) due to the above intentional interruption.

The watchdog timer circuit 12 has, for example, a timer counter 12a and a reset signal output circuit 12b. The timer counter 12a counts (counts up) the time until a predetermined set time. Clear the counter value.

The reset signal output circuit 12b transmits a reset signal to the microcomputer 11 when the count value of the timer counter 12a exceeds a set value (set time) (when it overflows). In the process of resetting the microcomputer 11, after the keyword is written in the backup RAM 11a2, transmission of the watchdog reset signal is interrupted for a period longer than the set time (the specified time). 12 is functioning normally, a reset signal is output from the reset signal output circuit 12b to the microcomputer 11, and the microcomputer 11 is reset again.

The ignition switch 4 is a device for starting the engine and controlling various electric systems, and has one end connected to the battery 3 and the other end connected to the microcomputer 11 . Therefore, when the ignition switch 4 is set to ON, voltage is supplied to the microcomputer 11 . A power line (power line 40a in FIG. 1) passing through the ignition switch 4 is a main power supply line used for executing various control programs of each device. On the other hand, the power supply line (power supply line 40b in FIG. 1), which has one end connected to the battery 3 and the other end connected to the microcomputer 11 without going through the ignition switch 4, constantly supplies power (electricity) to the backup RAM 11a2, This is a constant power supply line for holding the stored contents in the backup RAM 11a2. Therefore, even if the ignition switch 4 is turned off, the keyword written in the backup RAM 11a2 can be retained.

The other ECUs 8 to 10 are different ECUs from the ECU 5 and communicate with each other via the CAN 7 . The other ECUs 8 to 10 are, for example, an engine ECU that controls the opening of the engine throttle and the stop control of the engine, and based on the images taken by the stereo camera, the relative speed between the target such as the preceding vehicle and the vehicle. , Camera ECU that calculates data such as target distance from the preceding vehicle, target acceleration/deceleration when following the preceding vehicle, ECU that controls brakes, engine fuel injection amount, intake air amount, ignition timing It is composed of an ECU that performs various controls related to the vehicle, such as an EFI-ECU that controls such as.

Further, information such as vehicle speed information, information relating to shift such as shift position, information relating to various sensors such as temperature sensor, and information such as time information is input to ECU 5 directly or via CAN 7 .

<Startup processing flow>
Next, an example of start-up processing of the ECU 5 will be described with reference to FIG. FIG. 2 is a flowchart showing an example of startup processing according to this embodiment.

Immediately after the ECU 5 is powered on or immediately after it is reset, for example, a program for start-up processing (so-called reset vector) stored in the ROM 11a3 provided in the memory 11a is read, and the processing is executed by the microcomputer 11. is executed by the CPU 11b.

First, in step S1, the CPU 11b determines whether or not the current startup is a cold start. For example, after the power supply from the battery 3 to the ECU 5 is completely cut off, the start-up of the microcomputer 11 when the ignition switch 4 is turned ON for the first time and the power supply from the battery 3 is turned on again is a cold start. becomes. On the other hand, the restarting of the microcomputer 11 based on the reset signal sent from the watchdog timer circuit 12 is a warm start in which power is supplied from the battery 3 to the microcomputer 11 .

In this embodiment, in the case of a cold start, the contents stored in the main RAM 11a1 and the backup RAM 11a2 are both undefined. On the other hand, in the case of a warm start, the contents stored in the main RAM 11a1 are undefined, but the contents stored in the backup RAM 11a2 before the restart are retained.

Therefore, if the current startup is a cold start (YES in step S1), the CPU 11b initializes (clears) both the main RAM 11a1 and the backup RAM 11a2, and proceeds to step S3.

On the other hand, if the current startup is a warm start (NO in step S1), the CPU 11b initializes (clears) the RAM (main RAM 11a1) other than the backup RAM 11a2 that holds the memory contents before the restart (step S7), and proceed to step S3.

In step S3, the CPU 11b checks whether or not the reading and writing of the keyword storage area set at the predetermined address of the backup RAM 11a2 can be performed normally.

Next, the CPU 11b determines whether or not the value in the keyword storage area of the backup RAM 11a2 is a defined value (keyword) (step S4). Here, if it is determined that the value in the keyword storage area of the backup RAM 11a2 is not the defined value (NO in step S4), the CPU 11b writes the defined value in the keyword storage area of the backup RAM 11a2, and proceeds to step S6.

On the other hand, if it is determined that the value in the keyword storage area of the backup RAM 11a2 is the defined value (YES in step S4), the CPU 11b clears the value in the keyword storage area of the backup RAM 11a2 (step S8), (End the startup process and start the normal vehicle control program).

In step S6, the CPU 11b suspends transmission of the watchdog reset signal to the watchdog timer circuit 12. FIG. Therefore, if the watchdog timer circuit 12 is functioning normally, the interrupted transmission of the watchdog reset signal in step S6 causes the count value of the timer counter 12a to exceed the set time (overflow), and the reset signal output circuit 12b A reset signal is sent to the microcomputer 11 . Upon receiving the reset signal, the microcomputer 11 performs start-up processing (restart). The restart at this time is a warm start.

Even if the CPU 11b interrupts the transmission of the watchdog reset signal, the reset signal is not transmitted to the microcomputer 11 if the watchdog timer circuit 12 does not function normally. In this case, even if the process of step S6 is completed, the reset vector is not returned, and the control program cannot be entered. In this case, the ECU 5 becomes inoperable and cannot communicate with the other ECUs 8 to 10, resulting in an error in the vehicle control system.

<Specific example of startup processing>
Based on the start-up process shown in FIG. 2, a more specific flow when the microcomputer 11 is started will be described.

(First startup processing: cold start)
After the power supply from the battery 3 to the microcomputer 11 is cut off, when the battery 3 is reconnected and the ignition switch 4 is turned on, start-up processing is performed. Since the startup at this time is a cold start, in the flowchart of FIG. 2, step S1 is passed with YES. Then, in step 2, the main RAM 11a1 and the backup RAM 11a2 are initialized (cleared).

Subsequently, the keyword storage area is checked in step S3, and if there is no problem, it is determined whether or not the value in the keyword storage area is the defined value (keyword) (step S4). In the case of a cold start, the backup RAM 11a2 is cleared in step S2, so step S4 in FIG. ), the transmission of the watchdog reset signal to the watchdog timer circuit 12 is interrupted (step S6).

When the watchdog timer circuit 12 is functioning normally, the value of the timer counter 12a overflows and a reset signal is sent to the microcomputer 11 from the reset signal output circuit 12b after the set time has passed since the transmission of the watchdog reset signal is interrupted. sent. Therefore, when the watchdog timer circuit 12 is functioning normally, restart (reset) is performed based on the reset signal of the watchdog timer circuit 12 at the time of cold start (returns to the reset vector: the second startup processing). The startup at this time is a warm start.

(Second startup processing: warm start)
In the restart based on the reset signal (second start-up process), step S1 is passed with NO, and the RAM (main RAM 11a1) excluding the backup RAM 11a2 is cleared in the subsequent step S7.

Note that the definition value (keyword) is written in the keyword storage area of the backup RAM 11a2 in step S5 at the time of cold start (first start-up processing), and in the case of warm start, the storage contents of the backup RAM 11a2 are maintained. Therefore, the definition value (keyword) is stored in the keyword storage area at the stage of step S7, and after the keyword storage area of the backup RAM 11a2 is checked in step S3, step S4 (for the second startup process) Step S4) is passed with YES. After that, the value of the keyword storage area is cleared (step S8), and then the control program for the vehicle is entered.

Even if the transmission of the watchdog reset signal is interrupted in step S6 of the first startup process, if the watchdog timer circuit 12 does not function normally, the reset signal is not transmitted to the microcomputer 11. The second startup process is not executed. As a result, the control program for the vehicle is not entered.

That is, in the case of a cold start, it is confirmed whether the watchdog timer circuit 12 is functioning normally before transitioning to the control program, and only when it functions normally, transitions to the control program. It is

(Third startup processing: warm start)
After the second start-up process, the control program for the vehicle is entered, and if a restart (warm start) occurs, the third start-up process is performed. If the third start-up process is a warm start, step S1 is passed first with NO.

After clearing the RAM (main RAM 11a1) excluding the backup RAM 11a2 (step S7) and checking the keyword storage area of the backup RAM 11a2 (step S3), the value of the keyword storage area of the backup RAM 11a2 becomes the defined value (keyword). It is determined whether or not (step S4).

At this time, since the value of the keyword storage area of the backup RAM 11a2 has been cleared in step S8 of the second start-up process, step S4 of the third start-up process is passed with NO. Thereafter, steps S5 and S6 are passed, and if the watchdog timer circuit 12 is functioning normally, the process proceeds to the fourth start-up process (warm start).

Since the start-up in this case is a warm start, in the fourth start-up process, step S1 is passed with NO. Thereafter, when the RAM (main RAM 11a1) excluding the backup RAM 11a2 is cleared (step S7) and the keyword storage area of the backup RAM 11a2 is checked (step S3), the value of the keyword storage area of the backup RAM 11a2 becomes the defined value (keyword). It is determined whether or not (step S4). Since the fourth startup process is a warm start, the definition value (keyword) in the keyword storage area written in step S5 of the third startup process remains unchanged at step S7 of the fourth startup process. held.

Therefore, step S4 of the fourth start-up process is passed with YES, and after clearing the value of the keyword saving area of the backup RAM 11a2 (step S8), the process proceeds to the control program.

According to the start-up process of FIG. 2, after it is confirmed whether or not the watchdog timer circuit 12 is functioning normally after a cold start, the process shifts to the control program. Also, it is configured to shift to the control program after confirming whether or not the watchdog timer circuit 12 is functioning normally again.

Since the value in the keyword storage area of the backup RAM 11a2 is cleared in step S8 of the start-up process, the watchdog timer circuit 12 is not started even after the fifth restart (warm start) before proceeding to the control program. A check is made to see if it is functioning properly.

Therefore, according to the above-described embodiment, in the case of a cold start, the definition value (keyword) is written in the keyword storage area of the backup RAM 11a2 before shifting to the control program in the startup process (first startup process). Above, the transmission of the watchdog reset signal is interrupted. Therefore, when the watchdog timer circuit 12 is functioning normally, the microcomputer 11 is reset after the value of the timer counter 12a overflows, resulting in a warm start. In the case of a warm start (second start-up process), the defined values (keywords) written in the backup RAM 11a2 during the first start-up process (cold start) are held. Therefore, in step S4 of the second start-up process, if the definition value (keyword) is stored in the keyword storage area of the backup RAM 11a2, the CPU 11b is reset based on the interruption of transmission of the watchdog reset signal. Therefore, it can be determined that the watchdog timer circuit 12 is functioning normally.

Therefore, if the value in the keyword storage area of the backup RAM 11a2 is the defined value (keyword) in step S4 of the second startup process, it is determined that the watchdog timer circuit 12 is functioning normally. Move to the control program for the vehicle. As described above, when the microcomputer 11 is activated, the CPU 11b determines whether or not the watchdog timer circuit 12 is functioning normally before proceeding to the control program, so the reliability of the control system can be improved. .

Further, in step S8 of the start-up process in FIG. 2, since the value in the keyword storage area of the backup RAM 11a2 is cleared, even if the microcomputer 11 is restarted (warm start) after the transition from the cold start to the control program, , it is possible to check whether or not the watchdog timer circuit 12 is functioning normally. You can check whether

The present invention is not limited to the above-described embodiments, and various modifications are possible without departing from the gist of the present invention.

For example, in the above-described embodiment, it is possible to confirm whether the watchdog timer circuit 12 is functioning normally before transitioning to the control program not only in the case of a cold start but also in the case of a warm start. The watchdog timer circuit 12 is checked in case of cold start, but it may not be checked in case of warm start. In this case, the process of clearing the values in the keyword storage area of the backup RAM 11a2 in step S8 of FIG. 2 may be omitted.

Moreover, the above-described embodiments can be applied not only to gasoline vehicles, but also to electric vehicles, hybrid vehicles, and self-driving vehicles.

1: Vehicle 11b: CPU (writing means, transmission control means, reset means, judgment means)
12: Watchdog timer circuit (abnormality monitoring device)

Claims (3)

A vehicle control device including a microcomputer and an abnormality monitoring device that monitors the operation of the microcomputer and stops or resets the microcomputer when the operation of the microcomputer is abnormal,
a memory that retains stored data while electricity is being supplied from the battery of the vehicle;
writing means for writing predetermined identification information as the data in the memory at least in the case of a cold start;
Transmission control means for controlling transmission of an abnormality detection signal to the abnormality monitoring device;
reset means for resetting and warm-starting the microcomputer when the abnormality monitoring device does not receive the abnormality detection signal for a predetermined period of time;
determining means for determining whether or not the predetermined identification information written in the memory by the writing means is stored in the memory in the case of the warm start;
with
The transmission control means suspends transmission of the abnormality detection signal until at least the predetermined time elapses after the writing means writes the predetermined identification information based on the cold start,
The microcomputer determines that the predetermined identification information is stored in the memory by the determination means during the warm start after the transmission control means interrupts the transmission of the abnormality detection signal. A control device for a vehicle, characterized in that it judges that the abnormality monitoring device is functioning normally if After the determination means determines that the predetermined identification information is stored in the memory, the predetermined identification information is cleared,
The writing means determines that the predetermined identification information is not stored in the memory by the determining means when the restart of the microcomputer after the predetermined information is cleared is a warm start. In this case, the predetermined identification information is written in the memory, and based on the writing, the transmission of the abnormality detection signal by the transmission control means is interrupted until at least the predetermined time is exceeded. Item 1. The vehicle control device according to item 1. 3. The vehicle control device according to claim 1, wherein said microcomputer starts executing a program relating to vehicle control when it determines that said abnormality monitoring device is functioning normally.

Images