JP4256231B2 - Electronic control device, ASIC and protection system - Google Patents

Description

  The present invention relates to an electronic control device, an ASIC, and a protection system used in a system requiring high reliability.

  Conventionally, a moving body such as an automobile has been provided with an airbag system for protecting an occupant in the event of an accident. In the airbag system, it is necessary that the airbag operates reliably in the event of an accident, and the airbag does not operate except in the event of an accident. This is because if the airbag is activated without the need for occupant protection, the operation and visibility of the driver and the like are hindered.

  In the airbag system, an acceleration sensor or the like is used to determine whether or not an accident has occurred, and a dedicated electronic control unit (ECU) is used for controlling the deployment of the airbag because an ignition drive is also required. Since it is necessary to comprehensively determine the deployment of the airbag based on detection outputs from acceleration sensors provided at a plurality of locations in the moving body, an electronic control unit that performs overall control is also provided along with an electronic control unit for driving. It is done. That is, an electronic control unit that performs overall control is in the higher order, and a drive electronic control unit is in the lower order, and a system that performs complex control is configured.

FIG. 35 shows a form of the system 1 that generalizes an airbag system and the like. The system 1 includes an ASIC 2 and a microcomputer 3. ASIC2 is a semiconductor integrated circuit for specific applications (
Application Specific Integrated Circuit), which is provided with a function 4 necessary for system control in order to achieve the purpose of the system 1, and performs interface and driving for hardware specific to the system 1. The microcomputer 3 performs overall control of the system 1 via the ASIC 2. As the microcomputer 3, a microcomputer which is a general-purpose semiconductor integrated circuit with a wealth of software development tools is used.

  Semiconductor integrated circuits, particularly ASICs, are provided with functions such as self-checking, self-repairing, or failure detection to improve reliability (see, for example, Patent Documents 1 to 3). In a computer system including a unit, a diagnostic operation is performed in order to improve reliability, and a pseudo failure may be generated in order to confirm an operation when a failure occurs (see, for example, Patent Document 4).

  FIG. 36 shows an outline of the operation timing at which the ASIC 2 performs diagnosis in the system 1 of FIG. The ASIC 2 is provided with a diagnosis function for self-diagnosis. This is because the system 1 always monitors whether or not a failure has occurred in the ASIC 2 even after the system 1 actually enters the market. In the diagnosis function, at time t1, a request for every fixed time from the timer 5 built in the microcomputer 3 or a request from the external factor 6 is used as a trigger, and (a) a control signal indicating a diagnosis request is given to the ASIC 2. In response to the control signal indicating the diagnosis request, the ASIC 2 executes (b) diagnosis from time t2, and returns a status notification including the status output (c) indicating the diagnosis result to the microcomputer 3 at time t3. The microcomputer 3 receives the status notification, takes in the status output of the ASIC 2, determines whether or not a failure has occurred in the ASIC 2, and determines at time t4 (e) performs post-determination processing according to the determination.

  FIG. 37 shows a configuration in the case where the ASIC itself performs a diagnosis without processing from the microcomputer 3 as the ASIC 2. The ASIC 2 includes a test circuit 7 and a result output circuit 8. FIG. 38 shows an outline of the operation timing of FIG. At time t11, (a) a diagnosis request is made using a built-in timer or an external factor as a trigger. At time t12, the test circuit 7 performs (b) diagnosis. At time t13, the test circuit 7 determines (d) the diagnosis result based on the diagnosis. At time t14, the determination result is output.

JP-A-11-168179 JP-A-8-255500 JP-A-9-292447 JP-A-5-28064

  In the system 1 as shown in FIG. 35, the microcomputer 3 always confirms by the diagnosis that no failure has occurred in the ASIC 2. The microcomputer 3 should be the brain of the system 1, and the control for the ASIC 2 diagnosis can also be realized by software. However, as the contents of the processing performed by the microcomputer 3 for the system 1 become more sophisticated and complicated, it becomes impossible to ignore the processing load on the microcomputer 3 by performing the diagnosis processing on the ASIC 2. .

  As shown in FIG. 37, if the ASIC 2 has a self-diagnosis function and the diagnosis is performed without processing from the microcomputer 3, the processing load on the microcomputer 3 can be reduced. However, if a failure or the like occurs in the test circuit 7, the reliability of the diagnosis result is impaired. A signal indicating a failure is not always generated from the test circuit 7 in which a failure has occurred, and even if a failure occurs in the function 4 necessary for system control, it may not be indicated in the diagnosis result.

  An object of the present invention is to reliably derive a diagnosis result including the occurrence of a failure if a failure occurs in a portion where self-diagnosis occurs in an electronic control device such as an ASIC having a self-diagnosis function. It is to provide an electronic control device, ASIC and protection system that can.

The present invention is an electronic control device that performs a control operation of a predetermined system under the control of a host control device,
A plurality of test means for performing a self-diagnosis test for the control operation;
The plurality of test means is an electronic control device characterized in that, together with the self-diagnosis test, the test means also perform mutual monitoring, and output the self-diagnosis result and the output of the mutual monitoring result to the higher-level control device is there.

  According to the present invention, the electronic control device that performs the control operation of the predetermined system under the control of the host control device includes a plurality of test means for performing a self-diagnosis test for the control operation. The plurality of test means also perform mutual monitoring between the test means together with the self-diagnosis test, and derive the output of the self-diagnosis result and the mutual monitoring result to a higher-level control device. Since the test means performs a self-diagnosis test, the burden on the host control device can be reduced. Since a plurality of test means are provided, and the result of mutual monitoring between the test means is also derived to the host control device, if any of the test means has a failure, it is determined from the result of the mutual monitoring. be able to. In the host control device, it is possible to reliably know that there is no abnormality in the operation of the electronic control device when there is no failure in the test means and there is no abnormality in the result of the self-diagnosis test.

  In the present invention, the test means performs the self-diagnosis test and the execution of the mutual monitoring and the result output according to predetermined conditions.

  In the present invention, the test means may execute the self-diagnosis test and the mutual monitoring when a predetermined result output request is input from the host control device as the predetermined condition. .

Further, in the present invention, the predetermined result output request includes designation of a function part that requests the result of the self-diagnosis test,
The test means derives only a required function portion from the result of the self-diagnosis test.

  In the invention, it is preferable that the test means performs a self-diagnosis test only for a function portion for which a result output is designated by the result output request.

  In the invention, it is preferable that the test means derives the result output of the self-diagnosis test including information indicating a part of a function that is determined to be faulty.

In the present invention, the control operation is executed by a semiconductor integrated circuit,
The functional portion is divided by a chip layout area of the semiconductor integrated circuit.

  In the present invention, the test means executes the self-diagnosis test and the mutual monitoring when a signal inputted in accordance with the control operation of the system satisfies the predetermined condition.

  In the invention, the test means executes the self-diagnosis test and the mutual monitoring when a preset time condition is satisfied.

  In the present invention, the plurality of test means each perform a self-diagnosis test for the control operation of the system.

  The present invention further includes AND means for comparing result outputs from the plurality of test means and deriving the result output to the higher-level control device only when a result output indicating a failure is included. To do.

In the present invention, the test means includes a plurality of three or more,
Comparing the output of the mutual monitoring results from the plurality of test means, and according to the majority decision on the presence / absence of the abnormality of the mutual monitoring results, the superordinate control device performs mutual monitoring only when there are a large number of result outputs indicating the presence / absence of the abnormality. And a majority voting means for deriving the result output.

  In the present invention, the test means may deliberately derive a result output indicating a failure when the host control device performs a predetermined operation different from the normal operation, and the control device responds to the result output. It is characterized by confirming.

  Furthermore, the present invention is an ASIC characterized in that the electronic control device described above is integrated on a semiconductor chip.

Furthermore, the present invention is a protection system that is mounted on a mobile body and protects a passenger of the mobile body,
The above-mentioned ASIC,
A sensor that monitors a predetermined operating state of the moving body and inputs the same to the ASIC;
And a protective device that is driven by the ASIC and protects the occupant when it is detected by the sensor that the operating state of the moving body is a predetermined condition.

In the present invention, the sensor detects an acceleration of impact,
The protective device is an airbag.

  According to the present invention, the electronic control device includes a plurality of test means for performing a self-diagnosis test on the control operation, and the processing load on the host control device can be reduced. A plurality of test means perform self-diagnosis test and mutual monitoring between the test means, and the output of the self-diagnosis result and the mutual monitoring result is derived to a higher-level control device, so a failure has occurred in the test means. If there is something, it can be judged from the result of mutual monitoring. In the host control device, when there is no failure in the test means, and there is no abnormality in the result of the self-diagnosis test, it is possible to reliably know that there is no abnormality in the operation of the electronic control device. If a failure occurs in the part to be diagnosed, the diagnosis result can be surely derived including the occurrence of the failure.

  Further, according to the present invention, the execution of the self-diagnosis test and the mutual monitoring by the test means and the result output are performed according to predetermined conditions, respectively. As long as there is no result, it is possible to perform an operation that improves reliability and reduces the burden on the host control device, such as not outputting a result.

  Further, according to the present invention, it is possible to execute a self-diagnosis test and mutual monitoring in response to a request from the host control device, and output the result to the host control device.

  Further, according to the present invention, only the part of the function requested from the host control device is derived as the result output of the self-diagnosis test, so that the amount of information transferred to the host control device as the result output is reduced, and the host control The burden on the apparatus can be reduced.

  Further, according to the present invention, the test means performs the self-diagnosis test only for the part of the function for which the result output is designated by the result output request from the host controller, so that the time required for the self-diagnosis test can be reduced. it can.

  Further, according to the present invention, the test means derives including the information indicating the part of the function judged to be faulty in the output as a result of the self-diagnosis test. You can know quickly.

  Further, according to the present invention, the control operation of the system is executed by the semiconductor integrated circuit, and the part that performs the function to be diagnosed by the self-diagnosis test is divided by the chip layout area of the semiconductor integrated circuit. Therefore, the object can be easily understood when the ASIC package is opened by analyzing the cause of failure.

  Further, according to the present invention, the self-diagnosis test and the mutual monitoring are executed when the time condition associated with the control operation of the system and the signal input based on the external environment satisfy the predetermined condition. It can be executed without receiving control from the control device, and the processing load on the control device can be reduced.

  Further, according to the present invention, since the self-diagnosis test and the mutual monitoring are executed when a preset time condition such as a timer is satisfied, the steel whose reliability is regularly checked can be obtained.

  Further, according to the present invention, the self-diagnosis test for the control operation of the system is performed for each of the plurality of test means, so that a reliable self-diagnosis test can be performed. If there is a failure in a plurality of test means, it can be easily determined based on the mutual monitoring result.

  Further, according to the present invention, the AND means compares the result outputs from the plurality of test means and derives the result output to the host control device only when the result output indicating the failure is included, so that reliable mutual monitoring is possible. Only the result can be derived.

  In addition, according to the present invention, the results of mutual monitoring from three or more test circuits are compared, and only when there are a large number of result outputs indicating the presence / absence of abnormality according to the majority decision regarding the presence / absence of abnormality of the mutual monitoring results, Therefore, even if a failure occurs in the test circuit, the result of majority decision is not affected and a highly reliable result output can be obtained.

  Further, according to the present invention, when the host control device performs a predetermined operation different from the normal operation, the result output indicating the failure is deliberately derived, and it is confirmed that the control device responds to the result output. Diagnosis can be performed including the response operation of the host control device.

  Furthermore, according to the present invention, it is possible to obtain an ASIC that performs a self-diagnosis with high reliability by reducing the processing load of the host control device.

  Furthermore, according to the present invention, the operation state of the moving body is pre-determined by the sensor by improving the reliability of the operation of the ASIC used in the protection system mounted on the moving body and protecting the passenger of the moving body. When this is detected, the protective device can be reliably driven by the ASIC to protect the occupant.

  In addition, according to the present invention, the control ASIC is always diagnosed and protected so as to operate reliably only when the occupant needs to be protected by an air bag, such as when a mobile object collides. The state where operation is possible can be maintained.

  FIG. 1 shows a schematic configuration of an airbag system 10 according to a first embodiment of the present invention. The airbag system 10 is mounted on a vehicle of an automobile and energizes the squib 11 to inflate the airbag in order to protect an occupant during a collision or the like. An ASIC 12 is provided to electrically drive the squib 11 and operates according to control from the microcomputer 13 as a host control device. The ASIC 12 includes a function 14 necessary for system control as the airbag system 10. The ASIC 12 and the microcomputer 13 are installed at remote locations and connected so that control signals can be transmitted through the communication line 15. The ASIC 12 and the microcomputer 13 are given inputs corresponding to the acceleration of impact detected by the G sensors 16 and 17 installed in the vicinity. The G sensor 16 is a mechanical sensor, and the G sensor 17 is a semiconductor electrical sensor. The ASIC 12 detects the acceleration exceeding the reference set by the G sensor 17 by the microcomputer 13 and derives a control signal for instructing airbag deployment, and the G sensor 16 also detects the acceleration exceeding the preset reference. The squib 11 is operated to ignite when it is in operation.

  The ASIC 12 is provided with a plurality of, for example, two test circuits 21 and 22, and one test circuit 21 performs a self-diagnosis test on the function 14 necessary for system control, and performs mutual monitoring between the test circuits 21 and 22. The result of the self-diagnosis test by the test circuits 21 and 22 and the result of the mutual monitoring are output from the result output circuits 23 and 24 to the microcomputer 13 via the communication line 15, respectively. In such an ASIC 12, the test circuit 7 as shown in FIG. 37 can diagnose a failure in the test circuits 21 and 22 as compared with the single ASIC 2, and the reliability can be improved. Thus, the idea of improving the reliability can be suitably used not only for the airbag system 10 but also for a protection system that requires safety and certainty.

  FIG. 2 shows an internal configuration example of the ASIC 12 of FIG. In order to enable the self-diagnosis test, the selectors 25 and 26 are provided in the function 14 and the test circuit 21 necessary for system control, respectively. In order to perform mutual monitoring between the test circuits 21 and 22, the test circuit 22 is also provided with a selector 27. The selector 25 switches the input of the function 14 necessary for system control to select an external input signal during normal operation and a signal from the test circuit 21 during testing. The selector 26 switches so that the output signal of the function 14 necessary for system control at the time of testing and the output signal from the test circuit 22 at the time of mutual monitoring are input to the test circuit 21. The selector 27 switches between the test time and the mutual monitoring according to the output from the test circuit 21. The mutual monitoring is performed continuously during the test, and the test is periodically executed with the timer 28 as a trigger. The result output of the diagnosis performed by the test circuits 21 and 22 is derived as serial data from the result output circuits 23 and 24, respectively.

  FIG. 3 shows the timing of the diagnosis operation in the airbag system 10 of FIG. At time t21, (a) a diagnosis request is generated by a trigger by the timer 28, and (b) diagnosis is performed from time t22. (A) The diagnosis request may be generated by an external factor. (B) In the diagnosis, a self-diagnosis test for the function 14 necessary for system control and mutual monitoring between the test circuits 21 and 22 are executed. The order of execution is arbitrary. The determination (d) based on the diagnosis execution result is performed from time t23, and the result is output from time t24. The determination and the result output are executed in the ASIC 12. From time t25, the microcomputer 13 performs (e) post-determination processing.

  FIG. 4 shows a schematic configuration of a system 30 in which the second embodiment of the present invention is generalized. Such a generalized system can be used in the same manner as the airbag system 10 of FIG. 1, and is applied to a passenger safety protection system such as a seat belt system in a car and a system related to traveling such as a brake and an engine. can do.

  In this embodiment, parts corresponding to those in the embodiment of FIG. 1 are denoted by the same reference numerals, and redundant description is omitted. In the system 30, as the ASIC 32, information storage circuits 33 and 34 that store the output of the results of the diagnosis for the plurality of test circuits 21 and 22 are provided. The information storage circuit 33 notifies the stored diagnosis result when a result output request is sent from the microcomputer 13. In the system 30, as compared with the airbag system 10 of FIG. 1, when the microcomputer 13 is convenient for itself, failure information or the like based on the self-diagnosis test result can be extracted.

  FIG. 5 shows an internal configuration example of the ASIC 32 of FIG. The information storage circuits 33 and 34 are provided with latches 35 and 36 for storing information. When the result output request from the microcomputer 13 is detected, the result output stored in the latches 35 and 36 at the time of detection is used as serial data. A request detection circuit 37 for outputting is also provided. It should be noted that the number of communication lines 15 can be increased to derive the result output as parallel data. In the embodiment described below, the result output data can be derived as parallel data even if it is described as serial data.

  FIG. 6 shows the timing of the diagnostic operation in the system 30 of FIG. At time t31, (a) a diagnosis request is made by the timer 28 or an external factor, and (b) diagnosis is performed from time t32. (D) determination is performed from time t33, and the determination result is latched at time t34. Thereafter, a result request is made from the microcomputer 13 at an arbitrary time t35, the result is output by the ASIC 32 at the time t36, and the (e) post-determination process in the microcomputer 13 is performed from the time t37.

  FIG. 7 shows a schematic configuration of a system 40 in which the third embodiment of the present invention is generalized. In the present embodiment, portions corresponding to the embodiment of FIG. 1 or FIG. 4 are denoted by the same reference numerals, and redundant description is omitted. In the ASIC 42 of the system 40, a plurality of functions 44 necessary for system control are formed, for example, divided into 12 circuit blocks A, B, C, D, E, F, G, H, I, J, K, and L. Yes. The circuit block includes a portion that executes functions such as arithmetic processing, timer, and interrupt processing. The test circuit 21 that performs a self-diagnosis test of the function 44 necessary for system control makes a determination for each circuit block, and derives the result output from the result output circuit 23, for example, as serial data. In the serial data, the bit position from the head is associated with the position in the list of circuit blocks A, B, C, D, E, F, G, H, I, J, K, and L. The microcomputer 13 can identify the failure function based on the position of the bit indicating abnormality in the serial data of the result output.

  FIG. 8 shows the timing of the diagnostic operation in the system 40 of FIG. When there is a trigger by a timer or the like at time t41, diagnosis is performed. Similar to FIG. 3 and the like, it is possible to spend a certain time for the diagnosis request. Following execution of the diagnosis, (d) determination is performed at time t42, and the result is output as serial data from time t43. When 12 bits are output as serial data so that the circuit blocks A, B, C, D, E, F, G, H, I, J, K, and L are sequentially represented one bit at a time, the circuit block D fails. In the case of, a failure can be indicated by the fourth bit.

  FIG. 9 shows a schematic configuration of a system 50 obtained by generalizing the fourth embodiment of the present invention. In the present embodiment, parts corresponding to those in the embodiment of FIG. 1, FIG. 4, or FIG. In the ASIC 52 of the system 50, a plurality of functions 44 necessary for system control are formed, for example, divided into 12 circuit blocks A, B, C, D, E, F, G, H, I, J, K, and L. Yes. The circuit block includes a portion that executes functions such as arithmetic processing, timer, and interrupt processing. The test circuit 21 that performs a self-diagnosis test of the function 44 necessary for system control makes a determination for each circuit block, and stores the result output in the information storage circuit 33. The test circuit 22 stores the mutual monitoring result output in the information storage circuit 34. The result output stored in the information storage circuits 33 and 34 is derived as serial data when a result output is requested from the microcomputer 13. In the serial data, the bit position from the head is associated with the position in the list of circuit blocks A, B, C, D, E, F, G, H, I, J, K, and L. The microcomputer 13 can identify the failure function based on the position of the bit indicating abnormality in the serial data of the result output.

  FIG. 10 shows a configuration of an interface portion between the ASIC 52 and the microcomputer 13 shown in FIG. This configuration is equivalent to the configuration of FIG. FIG. 11 shows the timing of the diagnostic operation in the system 50 of FIG. If there is a trigger by a timer or the like at time t51, (a) a diagnosis request is made, and (b) diagnosis is performed from time t52. (D) determination is performed from time t53, and the latch operation by the information storage circuits 33 and 34 is performed at time t54. Thereafter, a result request is made from the microcomputer 13 at an arbitrary time t55, the result is output by the ASIC 52 at the time t56, and (e) post-determination processing in the microcomputer 13 is performed from the time t57. Similarly to FIG. 8, when the circuit block D is faulty, the fault can be indicated by the fourth bit.

  FIG. 12 shows a schematic configuration of a system 60 in which the fifth embodiment of the present invention is generalized. In this embodiment, parts corresponding to those of the embodiment of FIG. 1, FIG. 4, FIG. 7 or FIG. In the ASIC 62 of the system 60, a plurality of functions 44 necessary for system control are formed, for example, divided into 12 circuit blocks A, B, C, D, E, F, G, H, I, J, K, and L. Yes. The circuit block includes a portion that executes functions such as arithmetic processing, timer, and interrupt processing. The test circuit 21 that performs a self-diagnosis test of the function 44 necessary for system control makes a determination for each circuit block and stores the result output in the information storage circuit 63. The test circuit 22 stores the mutual monitoring result output in the information storage circuit 34. The result output stored in the information storage circuits 63 and 34 is derived as serial data when a result output is requested from the microcomputer 13. In the serial data, the bit position from the head is associated with the position in the list of circuit blocks A, B, C, D, E, F, G, H, I, J, K, and L. The microcomputer 13 can identify the failure function based on the position of the bit indicating abnormality in the serial data of the result output.

  The information storage circuit 63 derives the result output for only the circuit block having the function specified by the result output request from the microcomputer 13. For example, when the function 44 necessary for system control is divided into 12 circuit blocks A, B, C, D, E, F, G, H, I, J, K, and L, six circuit blocks A and B , C, D, E, and F are designated, the information storage circuit 63 derives the result output stored only for the designated circuit blocks A, B, C, D, E, and F as serial data. To do.

  FIG. 13 shows a configuration of an interface portion between the ASIC 62 and the microcomputer 13 shown in FIG. The microcomputer 13 requests the output of a diagnosis result of a necessary circuit block, and when the request detection circuit 67 detects, the information storage circuit 63 is supplied with a decode output by the request decode circuit 68. The decode output includes designation of a circuit block for which the microcomputer 13 requests output of a diagnosis result.

  FIG. 14 shows the timing of the diagnosis operation in the system 60 of FIG. 12 in comparison with the operation timing of FIG. That is, FIG. 14 (a) shows the operation timing for deriving the result output for all the circuit blocks, as in FIG. 11, and the diagnosis operation for performing the output of the diagnosis result only in the designated range in FIG. 14 (b). Shows the timing. In FIG. 14B, when there is a trigger by a timer or the like at time t61, (a) a diagnosis request is made, and (b) diagnosis is performed from time t62. From time t63, determination (d) is made, and at time t64, the latch operation by the information storage circuits 63 and 34 is performed. Thereafter, a result request is made from the microcomputer 13 at an arbitrary time t65, a result output by the ASIC 62 is made at time t66, and (e) post-determination processing in the microcomputer 13 is performed from time t67. Similarly to FIG. 8, when the circuit block D is faulty, the fault can be indicated by the fourth bit. Comparing FIG. 14A and FIG. 14B, instead of deriving 12-bit serial data from time t56 in FIG. 14A, FIG. 14B shows 6-bit serial data from time t66. Can be derived. In this way, only necessary data can be output to reduce the data capacity.

  FIG. 15 shows a schematic configuration of a system 70 that is a generalization of the sixth embodiment of the present invention. In this embodiment, parts corresponding to those of the embodiment of FIG. 1, FIG. 4, FIG. 7, FIG. 9 or FIG. In the ASIC 72 of the system 70, a plurality of functions 44 necessary for system control are formed, for example, divided into 12 circuit blocks A, B, C, D, E, F, G, H, I, J, K, and L. Yes. The circuit block includes a portion that executes functions such as arithmetic processing, timer, and interrupt processing. The test circuit 73 that performs a self-diagnosis test of the function 44 necessary for system control makes a determination for each circuit block, and stores the result output in the information storage circuit 63. The test circuit 22 stores the mutual monitoring result output in the information storage circuit 34. The result output stored in the information storage circuits 63 and 34 is derived as serial data when a result output is requested from the microcomputer 13. In the serial data, the bit position from the head is associated with the position in the list of circuit blocks A, B, C, D, E, F, G, H, I, J, K, and L. The microcomputer 13 can identify the failure function based on the position of the bit indicating abnormality in the serial data of the result output.

  The test circuit 73 executes a self-diagnosis test for only the circuit block having the function designated by the microcomputer 13 in the result output request. For example, when the function 44 necessary for system control is divided into 12 circuit blocks A, B, C, D, E, F, G, H, I, J, K, and L, six circuit blocks A and B , C, D, E, and F are designated, the test circuit 73 performs a self-diagnosis test only on the designated circuit blocks A, B, C, D, E, and F, and sends the result to the information storage circuit 63. Accumulate output.

  FIG. 16 shows a configuration of an interface portion between the ASIC 72 and the microcomputer 13 shown in FIG. The microcomputer 13 requests output of a diagnosis result of a necessary circuit block, and when the request detection circuit 77 detects, the decode output by the request decode circuit 78 is given to the test circuit 73 and the information storage circuit 63. The decode output includes designation of a circuit block for which the microcomputer 13 requests output of a diagnosis result.

  FIG. 17 shows the timing of the diagnosis operation in the system 70 of FIG. 15 in comparison with the operation timing of FIG. That is, FIG. 17A shows the operation timing for deriving the result output by executing the self-diagnosis test for all the circuit blocks as in FIG. 11, and specifying the output of the diagnosis result in FIG. 17B. The timing of the diagnosis operation for performing the self-diagnosis test and the result output for only the specified range is shown. In FIG. 17B, when there is a trigger by a timer or the like at time t71, (a) a diagnosis request is made, and (b) diagnosis is performed from time t72. From time t73, (d) determination is performed, and at time t74, the latch operation by the information storage circuits 63 and 34 is performed. In the execution of the diagnosis from time t72, since the self-diagnosis test is performed for up to six circuit blocks A, B, C, D, E, and F, twelve circuit blocks A, B, C, D, E, F, G, and The time can be shortened compared with the self-diagnosis test for all of H, I, J, K, and L.

  Thereafter, a result request is made from the microcomputer 13 at an arbitrary time t75, the result is output by the ASIC 72 at time t76, and the (e) post-determination process in the microcomputer 13 is performed from time t77. Similarly to FIG. 8, when the circuit block D is faulty, the fault can be indicated by the fourth bit. When comparing FIG. 17A and FIG. 17B, in FIG. 17A, circuit blocks A, B, C, D, E, F, G, H, I, J, K from time t52 to twelve are shown. , L, and instead of deriving 12-bit serial data from time t56, self-test is performed for six circuit blocks A, B, C, D, E, and F from time t72 in FIG. It is understood that a 6-bit serial data is derived from time t76 by performing a diagnostic test. In this way, the self-diagnosis test is executed only for the necessary circuit blocks to shorten the time, and as a result, only the output data is output, thereby reducing the data capacity.

  FIG. 18 shows a schematic configuration of a system 80 that is a generalization of the seventh embodiment of the present invention. In this embodiment, parts corresponding to those of the embodiment of FIG. 1, FIG. 4, FIG. 7, FIG. 9, FIG. In the ASIC 82 of the system 80, a self-diagnosis test can be performed with a plurality of, for example, two test circuits 21 and 83 for the function 14 necessary for system control. The two test circuits 21 and 83, similar to the embodiment of FIG. 7, FIG. 9, FIG. 12 or FIG. The result output is derived as serial data or parallel data. Comprehensive diagnosis for the same function can be performed by ANDing the result outputs from the plurality of test circuits 21 and 83 by the AND circuit 84. That is, only when all the test circuits 21 and 83 indicate no abnormality, it can be diagnosed that no failure has occurred in the target circuit block, and the output of the diagnosis result can be derived from the result output circuit 23. .

  FIG. 19 shows an internal configuration example of the ASIC 82 of FIG. In order to enable a self-diagnosis test, selectors 25, 26, and 87 are provided in the function 14 and the test circuits 21 and 83 necessary for system control, respectively. The test circuits 21 and 83 perform mutual monitoring between the function 14 necessary for system control and the test circuits 21 and 83, give a result output to the AND circuit 84, and send the AND operation result from the result output circuit 23 to the serial data. Derived as

  FIG. 20 shows the timing of the diagnosis operation in the system 80 of FIG. At time t81, (a) a diagnosis request is generated by a trigger by the timer 28, and (b) diagnosis is performed from time t82. (B) In the implementation of the diagnosis, a self-diagnosis test by the two test circuits 21 and 83 and a mutual monitoring between the test circuits 21 and 83 are executed for the function 14 necessary for system control. The order of execution is arbitrary. The determination (d) based on the diagnosis execution result is performed from time t83, and from time t84, AND processing by the AND circuit 84 is performed on the result output from all the test circuits 21 and 83, and the result output is performed from time t85. . Thus, the process from the determination to the result output is executed in the ASIC 12. From time t86, the microcomputer 13 performs (e) post-determination processing.

  FIG. 21 shows a schematic configuration of a system 90 in which the eighth embodiment of the present invention is generalized. In this embodiment, parts corresponding to those of the embodiment of FIG. 1, FIG. 4, FIG. 7, FIG. 9, FIG. In the ASIC 92 of the system 90, a self-diagnosis test can be performed with three or more, for example, three test circuits 21, 83, 93 for the function 14 necessary for system control. The three test circuits 21, 83, 93, as in the embodiment of FIG. 7, FIG. 9, FIG. 12, FIG. 15, or FIG. Each test is performed and the result output is derived as serial data or parallel data. Comprehensive diagnosis for the same function can be performed by majority decision of the result output from the plurality of test circuits 21, 83, 93 by the majority decision circuit 94. That is, only when many of the test circuits 21, 83, 93 indicate no abnormality, a result output indicating no abnormality is derived from the result output circuit 95, and no failure has occurred in the target circuit block. Can be diagnosed. The result outputs from the test circuits 83 and 93 are also derived from the result output circuits 24 and 96, respectively.

  FIG. 22 shows an internal configuration example of the ASIC 92 of FIG. In order to enable a self-diagnosis test, selectors 25, 26, 87, and 97 are provided in the function 14 and test circuits 21, 83, and 93 required for system control, respectively. The test circuits 21, 83, and 93 perform mutual monitoring between the function 44 necessary for system control and the test circuits 21, 83, and 93, and input the result output to the majority circuit 94. The result output from the majority circuit 94 is the result. It is derived as serial data via the output circuit 23.

  FIG. 23 shows the timing of the diagnosis operation in the system 90 of FIG. At time t91, (a) a diagnosis request is generated by a trigger by the timer 28, and (b) diagnosis is performed from time t92. (B) In the execution of the diagnosis, a self-diagnosis test by the three test circuits 21, 83, 93 and a mutual monitoring between the test circuits 21, 83, 93 for the function 14 necessary for system control are executed. The order of execution is arbitrary. From time t93, (d) determination is performed based on the diagnosis execution results by the test circuits 21, 83, and 93. From time t94, the majority circuit 94 performs majority processing on the determination results of the test circuits 21, 83, and 93, and outputs a result from time t95. The determination and the result output are executed in the ASIC 92. From time t96, the microcomputer 13 performs (e) post-determination processing.

  By inputting the result output from the test circuits 21, 83, 93 to the majority circuit 94 at the same time, it is possible to detect a failure of the test circuits 21, 83, 93. The determination result which is larger among the determination results of the test circuits 21, 83 and 93 is adopted. A semiconductor integrated circuit such as the ASIC 92 is basically highly reliable, and even if a failure occurs in the plurality of test circuits 21, 83, 93, it is expected that the number is small. Obtainable.

  FIG. 24 shows a schematic configuration of a system 100 that is a generalization of the ninth embodiment of the present invention. In this embodiment, parts corresponding to those of the embodiment of FIG. 1, FIG. 4, FIG. 7, FIG. 9, FIG. To do. In the ASIC 102 of the system 100, a self-diagnosis test can be performed with respect to the function 14 necessary for system control by using one test circuit 103 of a plurality of, for example, two test circuits 103 and 104. Of course, the self-diagnostic test may be performed on all the test circuits. It goes without saying that the self-diagnosis test is performed for each circuit block.

  The two test circuits 103 and 104 are provided with result output circuits 23 and 24, respectively, and detection circuits 105 and 106, respectively. The microcomputer 13 does not give a special signal to the ASIC 102 when the result output from the result output circuits 23 and 24 is normal. When a result output indicating abnormality determination is given from the ASIC 102 to the microcomputer 13, it is assumed that an acknowledgment signal ACK for confirming that the result output is input is returned from the microcomputer 13 to the ASIC 102.

  During actual normal operation, a result output indicating abnormality determination is not given from the ASIC 102 to the microcomputer 13, so that the operation on the microcomputer 13 side at the time of abnormality cannot be confirmed only by the normal diagnostic function. For example, if the communication line 15 connecting the ASIC 102 and the microcomputer 13 is disconnected, the communication line 15 is not noticed until an abnormality occurs, and the system 100 cannot perform a protection operation expected at the time of the abnormality. As a countermeasure, the test circuits 103 and 104 have a function of deliberately deriving a failure determination result to the microcomputer 13 as part of the diagnosis operation.

  FIG. 25 shows an internal configuration example of the ASIC 102 of FIG. The detection circuits 105 and 106 determine whether the microcomputer 13 derives the confirmation response signal ACK based on the failure determination result from the test circuits 103 and 104. When the microcomputer 13 determines that the confirmation response signal ACK is not derived for the failure determination result, the microcomputer 13 is notified of disconnection detection. This is because it is highly possible that the failure determination result does not reach the microcomputer 13 due to the disconnection of the communication line 15 or the detection response signal ACK cannot be detected by the detection circuits 105 and 106 even if it reaches.

  FIG. 26 shows the timing of the diagnosis operation in the system 100 of FIG. At time t101, the failure determination result is intentionally transmitted to the microcomputer 13. At time t102, the microcomputer 13 determines a test signal, and since it is a failure determination result, an acknowledgment signal ACK is derived. At time t103, the detection circuits 105 and 106 of the ASIC 102 detect the presence / absence of the confirmation response ACK from the microcomputer 13, and notify the microcomputer 13 of the detection result at time t104. If an operation including such a failure determination is performed during normal operation of the microcomputer 13, the microcomputer 13 operates as a genuine failure determination. Perform according to the timing of operation.

  FIG. 27 shows a schematic configuration of a system 110 in which the tenth embodiment of the present invention is generalized. In this embodiment, parts corresponding to those of the embodiment of FIG. 1, FIG. 4, FIG. 7, FIG. 9, FIG. Description is omitted. In the ASIC 112 of the system 110, a self-diagnosis test can be performed with respect to the function 14 necessary for the system control by using one of the plurality of test circuits 113, 114. Of course, the self-diagnostic test may be performed on all the test circuits. It goes without saying that the self-diagnosis test is performed for each circuit block.

  The two test circuits 113 and 114 are provided with result output circuits 23 and 24, respectively. The test circuits 113 and 114 execute a diagnosis according to an external request, not a request from the microcomputer 13, and output the result. That is, the ASIC 112 itself performs a diagnosis using an external factor as a trigger. The diagnosis can be performed by using an external factor that cannot be controlled by the ASIC 112 or the microcomputer 13 as a trigger occurrence event.

  FIG. 28 shows an internal configuration example of the ASIC 112 of FIG. The test circuits 113 and 114 are given an instruction from the outside and a diagnosis start signal by a switch (SW). Result outputs from the test circuits 113 and 114 are given to the microcomputer 13 via the result output circuits 23 and 24. Determines whether to derive an acknowledgment signal ACK.

  FIG. 29 shows the timing of the diagnostic operation in the system 110 of FIG. At time t111, (a) a diagnosis request is made by a trigger based on an external factor. Whether the request is for a diagnosis is determined in the ASIC 112. At time t112, (b) diagnosis is performed. From time t113, (d) determination is performed. The result is output from time t114. The operation from the time t111 to the end of the result output is the operation of the ASIC 112, and does not affect the operation of the microcomputer 13. From time t115, (e) post-determination processing by the microcomputer 13 is performed.

  FIG. 30 shows a schematic configuration of a system 120 that is a generalization of the eleventh embodiment of the present invention. In the present embodiment, the same reference numerals are assigned to portions corresponding to the embodiment of FIG. 1, FIG. 4, FIG. 7, FIG. 9, FIG. The duplicated explanation is omitted. In the ASIC 122 of the system 120, a plurality of functions 124 necessary for system control are formed, for example, divided into 12 circuit blocks A, B, C, D, E, F, G, H, I, J, K, and L. Yes. The circuit block includes portions for executing functions such as arithmetic processing, timers, and interrupt processing, and is formed so as to divide the area of the semiconductor chip layout for each function. The test circuit 21 that performs a self-diagnosis test of the function 124 necessary for system control makes a determination for each circuit block, stores the result output in the information storage circuit 33, and as serial data in response to a request from the microcomputer 13 Output. The test circuit 22 accumulates the mutual monitoring result output in the information accumulation circuit 34 and outputs it to the microcomputer 13. In the serial data, the bit position from the head is associated with the position on the chip layout of the circuit blocks A, B, C, D, E, F, G, H, I, J, K, and L. The position can be specified when the package of the ASIC 122 is partially opened to inspect the circuit pattern of the semiconductor chip.

  FIG. 31 shows the timing of the diagnostic operation in the system 120 of FIG. If there is a trigger by a timer or the like at time t121, (a) a diagnosis request is made, and (b) diagnosis is performed from time t122. From time t123, (d) determination is performed, and at time t124, the latch operation by the information storage circuits 33 and 34 is performed. Thereafter, a result request is made from the microcomputer 13 at an arbitrary time t125, the result is output by the ASIC 52 at time t126, and the (e) post-determination process in the microcomputer 13 is performed from time t127. Similarly to FIG. 8, when the circuit block D is faulty, the fault can be indicated by the fourth bit.

  FIG. 32 shows a schematic configuration of a system 130 in which the twelfth embodiment of the present invention is generalized. In this embodiment, portions corresponding to the embodiment of FIG. 1, FIG. 4, FIG. 7, FIG. 9, FIG. And redundant description is omitted. The ASIC 132 of the system 130 determines that an abnormality has occurred as a result of the self-diagnosis test performed on the function 14 necessary for system control by the test circuit 133 or the result of mutual monitoring between the test circuits 133 and 134. The result output circuits 135 and 136 notify the microcomputer 13 only at the time of failure. As described above, the function 14 necessary for system control can be divided into circuit blocks and a self-diagnosis test can be performed.

  FIG. 33 shows an internal configuration example of the ASIC 132 of FIG. FIG. 34 shows the timing of the diagnosis operation in the system 130 of FIG. When the timer 28 triggers at time t131, (a) a diagnosis request is made, and (b) diagnosis is performed from time t132. From time t133, (d) determination is performed, and the determination results are accumulated at time t134. If there is an abnormality, the result output circuit 135, 136 outputs the result as serial data to the microcomputer 13 from time t135. Is called. For the accumulated determination results, a threshold value may be provided to determine whether or not to output the results to the microcomputer 13. Thereafter, the microcomputer 13 performs (e) post-determination processing from time t136.

1 is a block diagram showing a schematic configuration of an airbag system 10 according to a first embodiment of the present invention. It is a block diagram which shows the example of an internal structure of ASIC12 of FIG. It is a timing chart of the diagnosis operation | movement in the airbag system 10 of FIG. It is a block diagram which shows the schematic structure of the system 30 which generalized 2nd Embodiment of this invention. FIG. 5 is a block diagram illustrating an internal configuration example of an ASIC 32 in FIG. 4. 5 is a timing chart of a diagnosing operation in the system 30 of FIG. It is a block diagram which shows the schematic structure of the system 40 which generalized 3rd Embodiment of this invention. FIG. 8 is a timing chart of a diagnosis operation in the system 40 of FIG. 7. FIG. It is a block diagram which shows the schematic structure of the system 50 which generalized 4th Embodiment of this invention. It is a block diagram which shows the structural example of the interface part of ASIC52 and the microcomputer 13 of FIG. 10 is a timing chart of a diag operation in the system 50 of FIG. 9. It is a block diagram which shows the schematic structure of the system 60 which generalized 5th Embodiment of this invention. It is a block diagram which shows the structural example of the interface part of ASIC62 and the microcomputer 13 of FIG. 12 is a timing chart showing the timing of the diagnosis operation in the system 60 of FIG. 12 in comparison with the operation timing in FIG. It is a block diagram which shows the schematic structure of the system 70 which generalized 6th Embodiment of this invention. FIG. 16 is a block diagram illustrating a configuration example of an interface portion between the ASIC 72 and the microcomputer 13 in FIG. 15. FIG. 16 is a timing chart showing the timing of the diagnosis operation in the system of FIG. 15 in comparison with the operation timing in FIG. It is a block diagram which shows the schematic structure of the system 80 which generalized 7th Embodiment of this invention. It is a block diagram which shows the internal structural example of ASIC82 of FIG. FIG. 19 is a timing chart of a diag operation in the system 80 of FIG. 18. FIG.

It is a block diagram which shows the schematic structure of the system 90 which generalized 8th Embodiment of this invention. It is a block diagram which shows the internal structural example of ASIC92 of FIG. FIG. 22 is a timing chart of a diagnosis operation in the system 90 of FIG. 21. It is a block diagram which shows the schematic structure of the system 100 which generalized 9th Embodiment of this invention. It is a block diagram which shows the example of an internal structure of ASIC102 of FIG. FIG. 25 is a timing chart of a diagnosis operation in the system 100 of FIG. 24. FIG. It is a block diagram which shows the schematic structure of the system 110 which generalized 10th Embodiment of this invention. It is a block diagram which shows the example of an internal structure of ASIC112 of FIG. FIG. 28 is a timing chart of a diagnosing operation in the system 110 of FIG. 27. FIG. It is a block diagram which shows the schematic structure of the system 120 which generalized 11th Embodiment of this invention. FIG. 31 is a timing chart of a diag operation in the system 120 of FIG. 30. FIG. It is a block diagram which shows the schematic structure of the system 130 which generalized 12th Embodiment of this invention. It is a block diagram which shows the example of an internal structure of ASIC132 of FIG. 33 is a timing chart of a diag operation in the system 130 of FIG. It is a block diagram which shows the form of the system 1 which generalized the conventional airbag system. It is a timing chart which shows the outline | summary of the timing which ASIC2 performs a diagnosing operation in the system 1 of FIG. It is a block diagram which shows the structure in the case of performing the diagnosis of ASIC itself without the process from the microcomputer 3 by conventional ASIC2. It is a timing chart which shows the outline | summary of the operation | movement timing of FIG.

Explanation of symbols

10 air bag system 11 squib 12, 32, 42, 52, 62, 72, 82, 92, 102, 112, 122, 132 ASIC
13 Microcomputer 14, 44, 124 Functions required for system control 15 Communication line 16, 17 G sensor 21, 22, 73, 83, 93, 103, 104, 113, 114 Test circuit 23, 24, 135, 136 Result output circuit 28 Timer 30, 40, 50, 60, 70, 80, 90, 100, 110, 120, 130 System 33, 34, 63 Information storage circuit 37, 67, 77 Request detection circuit 68, 78 Request decode circuit 84 AND circuit 94 Majority circuit 105, 106 detection circuit

Claims (16)

An electronic control device that performs control operations of a predetermined system under the control of a host control device,
A plurality of test means for performing a self-diagnosis test for the control operation;
The plurality of test means also perform mutual monitoring between the test means together with the self-diagnosis test, and derive the output of the self-diagnosis result and the mutual monitoring result to the host control apparatus.   2. The electronic control device according to claim 1, wherein the test means performs the self-diagnosis test and the mutual monitoring and results output in accordance with predetermined conditions.   3. The test unit according to claim 2, wherein the test unit executes the self-diagnosis test and the mutual monitoring when a predetermined result output request is input from the host control device as the predetermined condition. Electronic control device. The predetermined result output request includes designation of a function part that requests the result of the self-diagnosis test,
4. The electronic control device according to claim 3, wherein the test means derives only a required function portion from the result of the self-diagnosis test.   5. The electronic control apparatus according to claim 4, wherein the test means performs a self-diagnosis test only for a function portion for which a result output is designated by the result output request.   The electronic control according to any one of claims 1 to 3, wherein the test means derives the result output of the self-diagnosis test including information indicating a part of a function that is determined to be malfunctioning. apparatus. The control operation is executed by a semiconductor integrated circuit,
7. The electronic control device according to claim 4, wherein the functional portion is divided by a chip layout area of the semiconductor integrated circuit.   3. The electronic control according to claim 2, wherein the test means executes the self-diagnosis test and the mutual monitoring when a signal inputted in accordance with a control operation of the system satisfies the predetermined condition. apparatus.   3. The electronic control device according to claim 2, wherein the test unit executes the self-diagnosis test and the mutual monitoring when a preset time condition is satisfied.   The electronic control device according to claim 1, wherein the plurality of test units respectively perform a self-diagnosis test for a control operation of the system.   2. An AND means for comparing result outputs from the plurality of test means and deriving the result output to the higher-level control device only when a result output indicating a failure is included. The electronic control device according to any one of 10. The test means includes a plurality of three or more,
Comparing the output of the mutual monitoring results from the plurality of test means, and according to the majority decision on the presence / absence of the abnormality of the mutual monitoring results, the superordinate control device performs mutual monitoring only when there are a large number of result outputs indicating the presence / absence of the abnormality. The electronic control device according to claim 1, further comprising a majority voting means for deriving an output of the result.   The test means deliberately derives a result output indicating a failure when the host control device performs a predetermined operation different from the normal operation, and confirms that the control device responds to the result output. The electronic control device according to any one of claims 1 to 12.   14. An ASIC, wherein the electronic control device according to claim 1 is integrated on a semiconductor chip. A protection system mounted on a moving body and protecting a passenger of the moving body,
ASIC according to claim 14;
A sensor that monitors a predetermined operating state of the moving body and inputs the same to the ASIC;
A protection system comprising: a protective device that is driven by an ASIC and protects an occupant when it is detected by the sensor that the operating state of the moving body is a predetermined condition. The sensor detects the acceleration of impact,
The protection system according to claim 15, wherein the protective device is an airbag.

Images