JP5407757B2 - Electronic device, power management device, and control method - Google Patents

Description

  The present invention relates to an electronic device, a power management device, and a control method for monitoring a runaway state of a processor that controls a predetermined drive unit and controlling an operation state of a CPU.

  In recent years, electronic devices in which a processor such as a CPU (Central Processing Unit) performs control are used in various fields in order to control processing of a large number of devices.

  Particularly in the field of vehicles, a large number of devices such as actuators or sensors corresponding to various functions are arranged in the vehicle, and an ECU (Electronic Control Unit) is arranged and operated as a control device that executes control processing of each device. Vehicle control is shifting from mechanical control to electrical control, and further, specialization of functions realized by the control system, increase in functions that can be realized, and diversification are progressing.

  In the ECU, when a CPU of a microcontroller (hereinafter referred to as a microcomputer) that executes signal processing does not execute a predetermined software program within a predetermined time, it is determined that the CPU is in a runaway state, and this is determined as a CPU or peripheral circuit. So-called watchdog timer function. The watchdog timer monitors a watchdog pulse (hereinafter referred to as a WD pulse) that should be periodically output from the CPU. If the WD pulse is not periodically input, it is determined that an abnormality has occurred in the CPU. When the CPU detects a runaway state of the CPU and notifies the CPU of the runaway state, the CPU is initialized by issuing an interrupt or inputting a reset signal.

  At this time, if the CPU is out of control due to a software bug, the processing is once cleared by reset, and the CPU returns to normal operation by this initialization that allows the processing to be restarted from the beginning. However, when the cause of the CPU runaway is a hardware failure, even if the CPU is initialized, the runaway state may occur again. In such a case, the runaway of the CPU, the operation of the watchdog timer, and the initialization of the CPU were repeated.

  In order to solve such a problem, for example, Patent Document 1 discloses a drive control device that stops a CPU runaway repetitive operation and stops a malfunction of a peripheral circuit including the CPU. In the drive control device of Patent Document 1, the number of reset occurrences and the reset interval are recorded, and if the reset occurs continuously in a short time, it is a failure of the hardware itself and cannot be recovered even if the reset is continued. By determining that the power supply from the power source to the microcomputer including the CPU is cut off, it is possible to reliably identify the runaway state of the CPU and stop the repeated runaway operation.

JP 2000-10826 A

  However, the hardware failure described above includes, for example, a case where the microcomputer temporarily becomes inoperable due to an overcurrent. In this case, although it is a hardware failure instantaneously, it may be possible to recover spontaneously when the discharge is completed within a certain time. However, in the configuration disclosed in Patent Document 1, since the power supply is controlled to be cut off, even if the hardware abnormality is resolved and the microcomputer can be restored naturally, it cannot be recovered by itself, and the user can Otherwise, the power will remain off. In addition, for example, if it is determined that the microcomputer that controls the door lock of the vehicle has failed and the power is cut off, the electric door lock will not move the next time you enter the vehicle, causing inconvenience to the passengers. . Further, if it is determined that the microcomputer responsible for security has failed, the security unit is shut down and remains alert until the next boarding.

  The present invention has been made in view of such circumstances, and in an electronic device including a processor, when the processor is repeatedly reset due to runaway, the power supply to the processor is cut off after a predetermined time has elapsed. An object of the present invention is to provide an electronic device, a power management device, and a control method that can automatically return to normal operation when a hardware abnormality has been resolved with the passage of time by being configured to resume supply.

According to a first aspect of the present invention, there is provided an electronic device comprising: a switch for supplying / cutting off power from a power supply; a processor driven by power supply by the switch; a determination unit for determining a runaway state of the processor; In an electronic device comprising a reset unit that resets the processor when it is determined that it is in a state, the number of times the processor is reset by the reset unit is counted, and when the determination unit determines that it is not a runaway state, has a counting unit for clearing the count value to zero, if the counted value exceeds a predetermined number of times, the switch is to interrupt power supply to the processor, after a lapse of a waiting time set, the power restart the supply, when the power supply is resumed, the counting section increments the count value, the waiting time respond to large / small of the counted value Characterized in that are configured to so that is determined to length / short Te.

In the first invention and the second invention to be described later , when the processor is continuously reset by the reset unit, the processor runaway is caused by a hardware failure and the processor does not return to normal operation. Stop. Then, after a predetermined time has elapsed, the power supply is resumed. Therefore, when the hardware abnormality has been resolved with the passage of time, the normal operation can be automatically and promptly restored.

According to a second aspect of the present invention, there is provided an electronic device comprising: a switch for supplying / cutting off power from a power source; a processor driven by power supply by the switch; a determination unit for determining a runaway state of the processor; In an electronic device comprising a reset unit that resets the processor when it is determined that it is in a state, the number of times the processor is reset by the reset unit is counted, and when the determination unit determines that it is not a runaway state, A counter that clears the count value to 0, and when the count value exceeds a predetermined number of times, the switch shuts off the power supply to the processor, and after the set standby time has elapsed, the power It further has a voltage detection unit that restarts supply and detects whether or not the voltage of the power supply is abnormal, and the voltage detection unit detects that the voltage is abnormal When the switch is characterized in that are not configured to cut off the power supply to the processor.

In the first invention and the twelfth invention, which will be described later , the cumulative number of times of resetting and restarting of power supply is counted, and the time interval for restarting power supply is determined according to the counted value, so that it becomes unnecessary. It is possible to prevent the occurrence of a secondary failure by repeating the reset.

Electronic device according to the third invention, in the first shot Akira, characterized in that have configured that cuts off the power supply to the processor to notify the outside.

  In the third invention, the fact that the power supply to the processor is cut off is generated and stored as, for example, a diagnostic code relating to abnormality information, and the diagnostic device stores the diagnostic code stored in order to confirm the abnormality history later. Is read and used for diagnosis to notify the outside. Thereby, the electronic device in which an abnormality has occurred can be specified in advance. Or you may notify outside by turning on the warning lamp which shows abnormality. As a result, the driver can grasp the abnormality. In particular, if the electronic device is a device related to security, the driver should be informed that the security function is stopped.

Electronic device according to the fourth invention, the first or third rounds Oite bright, the voltage of the power supply further includes a voltage detecting unit for detecting whether abnormal or not, said voltage by said voltage detection unit is abnormal The switch is configured not to cut off the power supply to the processor when it is detected.

In the second and fourth inventions, when the voltage of the power supply is abnormal, the switch does not cut off the power supply to the processor. As a result, when a large current is required, such as during startup, the voltage becomes unstable, and it is considered normal operation that the reset occurs continuously even though there is no abnormality in the hardware. Do not shut off the power supply by.

An electronic device according to a fifth aspect of the present invention includes a processor, a determination unit that determines a runaway state of the processor, and a reset unit that resets the processor when the determination unit determines that the processor is in a runaway state, from a power source In an electronic device connected to a power management device that supplies / shuts down the power of the computer, the number of times the processor is reset by the reset unit is counted, and when the determination unit determines that it is not in a runaway state, the count value is 0 The counter further clears the counter, and when the count value exceeds a predetermined number, the count value is incremented and transmitted to the power management apparatus together with a power shutdown request, and the count value and the power shutdown request are transmitted. from then, after the standby determined time has elapsed in accordance with the counted value, the resetting unit is configured to reset the processor And wherein the Rukoto.

In the fifth invention and the sixth and seventh inventions described later , when the processor is continuously reset, the power to the runaway processor is transmitted by transmitting the number of resets and the power-off request to the power management device. Supply is interrupted by the power management device.

Power according to the sixth aspect management device includes a processor, a determination unit runaway state of the processor, when it is determined that the runaway state by the determination unit, a reset unit for resetting said processor, said processor Is counted by the reset unit, and when the determination unit determines that it is not in a runaway state, a counting unit that clears the count value to 0, and when the count value exceeds a predetermined number, In a power management apparatus that is connected to an electronic device that includes a transmission unit that increments the count value and transmits it to the outside together with a power-off request, and cuts off / restarts power supply from the power source to the electronic device. Receiving unit that receives the request, and when the receiving unit receives the power-off request, the power supply to the corresponding electronic device is cut off and then restarted A control unit that resumes the power supply after a lapse of time, the receiving unit further receives a count value from the electronic device, and the control unit responds to the count value received by the receiving unit. The resumption time is determined .

In the fifth invention, also, if the power supply to the processor that runaway not blocked by the power management device, when the standby time has elapsed, a reset of the processor. Therefore, when the power supply to the processor is not cut off due to the failure of the power management apparatus itself or the occurrence of communication abnormality, the reset is automatically performed.

Power according to a seventh aspect management device includes a processor, a determination unit runaway state of the processor, when it is determined that the runaway state by the determination unit, a reset unit for resetting said processor, said processor Is counted by the reset unit, and when the determination unit determines that it is not in a runaway state, a counting unit that clears the count value to 0, and when the count value exceeds a predetermined number, In a power management apparatus that is connected to an electronic device that includes a transmission unit that increments the count value and transmits it to the outside together with a power-off request, and cuts off / restarts power supply from the power source to the electronic device. Receiving unit that receives the request, and when the receiving unit receives the power-off request, the power supply to the corresponding electronic device is cut off and then restarted After a lapse of time, a control unit that resumes the power supply and a voltage detection unit that detects whether or not the voltage of the power source is abnormal are detected by the voltage detection unit. In this case, the control unit is configured not to cut off the power supply to the electronic device .

In the fifth aspect of the present invention, the reset time interval is determined based on the number of times the processor is reset, so that it is possible to prevent the secondary failure from being repeated repeatedly.

The power management apparatus according to an eighth invention is connected to an electronic device according to the fifth shot bright, the blocking / resume power management device power supply from the power source to the electronic device, receiving a power-off request from the electronic device a reception unit for, when the receiver receives the power-off request, and then cut the power supply to the corresponding electronic device, after a lapse of a resumption time set, and resuming the control unit the power supply It is characterized by providing.

In the sixth, seventh and eighth inventions, when the power management apparatus receives a power cutoff request from the electronic device, the power management device cuts off the power supply to the corresponding electronic device. Then, after the set restart time has elapsed, the power supply is restarted. Therefore, the electronic device can automatically and quickly return to normal operation when the hardware abnormality has been resolved with time.

  The power management apparatus according to a ninth aspect is the power management apparatus according to the eighth aspect, wherein the receiving unit further receives a count value from the electronic device, and the control unit is configured to perform the restart according to the count value received by the receiving unit. It is configured to determine the time.

In the sixth and ninth inventions, a count value representing the cumulative number of times of resetting and restarting of power supply is received from the electronic device, and a time interval for restarting power supply is determined according to the count value. Thus, it is possible to prevent a secondary failure from being caused by repeated resetting.

  A power management apparatus according to a tenth aspect of the invention is characterized in that, in the eighth or ninth aspect, the control unit is configured to notify the outside that power supply to the electronic device has been cut off. .

  In the tenth aspect of the invention, the power management device generates and stores the fact that the power supply to the electronic device is interrupted, for example, as a diagnostic code related to the abnormality information, and the diagnostic device confirms the abnormality history later. The stored diagnosis code is read and used for diagnosis to notify the outside. Thereby, the electronic device in which an abnormality has occurred can be specified in advance. Or you may notify outside by turning on the warning lamp which shows abnormality. As a result, the driver can grasp the abnormality. In particular, if the electronic device is a device related to security, the driver should be informed that the security function is stopped.

  The power management apparatus according to an eleventh aspect of the present invention is the power management device according to any of the eighth to tenth aspects, further comprising a voltage detection unit that detects whether or not the voltage of the power source is abnormal, and the voltage detection unit abnormally detects the voltage. In the case where it is detected, the control unit is configured not to cut off the power supply to the electronic device.

In the seventh and eleventh inventions, the power management device does not cut off the power supply to the electronic device when the voltage of the power supply is abnormal. As a result, when a large current is required, such as when starting, the voltage becomes unstable, and it is considered normal operation that reset occurs continuously even though there is no abnormality in the hardware. Do not shut off the power supply to the device.

According to a twelfth aspect of the present invention, there is provided a control method executed when an electronic device including a processor is runaway when the processor is running out of control, a determination step for determining a runaway state of the processor, and a runaway state at the determination step. If it is determined that the processor is reset, the reset step for resetting the processor and the number of times the processor is reset in the reset step are counted. If the determination step determines that the processor is not in a runaway state, the count value is cleared to zero. A counting step, a power cut-off step for cutting off power supply to the processor when the count value exceeds a predetermined number of times, and a set standby time when the power supply is cut off at the power cut-off step after, resuming power resumption step the power supply, said power supply in said power resumption step resumes If it, characterized in that it comprises a second counting step of incrementing said count value, and determining the length / minor in accordance with the waiting time to a large / small of the counted value.

  In the twelfth invention, when the processor is continuously reset by the reset unit, the processor runaway is caused by a hardware failure, and the power supply to the processor is stopped assuming that the CPU does not return to normal operation. Then, after a predetermined time has elapsed, the power supply is resumed. Therefore, when the hardware abnormality has been resolved with the passage of time, the normal operation can be automatically and promptly restored.

  According to the present invention, when the cause of the processor runaway of the electronic device is a hardware failure, the power supply to the processor is stopped, and the power supply is resumed after a predetermined time. Therefore, when the hardware abnormality has been resolved with the passage of time, the normal operation can be automatically and promptly restored.

1 is a configuration diagram illustrating a configuration of an in-vehicle control system in Embodiment 1. FIG. 4 is a flowchart showing an example of a processing procedure executed when the CPU of the ECU in the first embodiment is running away. 6 is a configuration diagram showing a configuration of an in-vehicle control system in Embodiment 2. FIG. FIG. 6 is a configuration diagram showing a configuration of a power management ECU of an in-vehicle control system in a second embodiment. 6 is a flowchart showing an example of a processing procedure executed when the CPU of the ECU in the second embodiment is running out of control. 10 is a flowchart illustrating an example of a processing procedure executed by a power management ECU in the second embodiment.

Hereinafter, the present invention will be specifically described with reference to the drawings showing embodiments thereof. In the embodiment described below, a case where the electronic device according to the present invention is applied to an ECU included in an in-vehicle control system mounted on a vehicle will be described as an example.
(Embodiment 1)

  FIG. 1 is a configuration diagram showing the configuration of the in-vehicle control system in the first embodiment. In addition, in FIG. 1, a part of vehicle-mounted control system is shown.

  The vehicle-mounted control system includes an ECU 1, an ECU 2, a vehicle-mounted LAN 3 to which the ECUs 1 and 2 are connected, an ignition switch or accessory switch (IG, ACC in the figure) 4, and a voltage monitoring unit 5.

  The ECU 1 is, for example, a body ECU, and the ECU 2 is a navigation ECU, each of which transmits data including numerical information of various physical quantities such as measured values, calculated values, and control values, or controls the engine, brakes, and the like by a microcomputer. It is a control device. The ECUs 1 and 2 are both connected to the in-vehicle LAN 3, and the ECUs 1 and 2 can communicate control data and the like with each other.

The ECU 1 includes a microcomputer 100, a reset management unit 15, a power circuit 16, and a power switch unit 17. The microcomputer 100 includes a CPU 10, an EEPROM (Electrically Erasable Programmable Read Only Memory : registered trademark ) 11, a RAM (Random Access Memory) 12, an input / output unit 13, and a communication unit 14. The microcomputer 100 has IG and ACC terminals for inputting signals from the ignition switch and the accessory switch 4, and a RESET terminal for inputting a reset signal.

  The CPU 10 of the microcomputer 100 is based on a control program stored in a mask ROM (not shown). The body system actuator includes opening / closing of a mirror, turning on / off of a headlight, rear lamp, room lamp, opening / closing of a door lock, etc. Control processing, and signal processing including security processing such as information acquisition from the security sensor.

  The EEPROM 11 stores various types of information referred to in processing, such as user setting information. Note that the EEPROM 11 may be a flash memory or the like instead of the EEPROM.

  For the RAM 12, DRAM (Dynamic RAM), SRAM (Static RAM), or the like is used. The RAM 12 is loaded with a computer program such as a control program read by the CPU 10 and temporarily stores various information generated by the processing.

  The input / output unit 13 is an interface between the microcomputer 100 and the outside. The microcomputer 100 receives signals input from the IG terminal, ACC terminal, RESET terminal, etc. of the input / output unit 13, control signals from actuators such as mirrors, lights, door locks, sensor signals from door lock sensors and security sensors. Input and execute control processing based on each signal. The microcomputer 100 of the ECU 1 stops the operation of the microcomputer 100 as a whole including a crystal resonator (not shown) by interruption while the reset signal is continuously input to the RESET terminal (while the potential of the RESET terminal is GND). It is configured as follows. When the input of the reset signal is stopped and the potential of the RESET terminal becomes equal to or higher than the predetermined potential (when the input of the reset signal is completed), the operation is restarted.

  The communication unit 14 has a network controller function and realizes communication via the in-vehicle LAN 3 of the microcomputer 100. For example, communication conforming to a CAN (Controller Area Network) protocol is realized. In addition, LIN (Local Interconnect Network), FlexRay (registered trademark), or the like may be used. The CPU 10 can receive information transmitted from the ECU 2 to the in-vehicle LAN 3 via the communication unit 14, and can transmit information to the in-vehicle LAN 3 to be transmitted to the ECU 2. Note that a transceiver that realizes communication in the physical layer is not shown.

  The reset management unit 15 includes a WD monitoring unit (Watchdog unit) 151, a reset monitoring unit 152, and a storage unit 153. The WD monitoring unit 151 is a circuit for notifying the reset monitoring unit 152 whether or not the operation of the microcomputer 100 is normal. The WD monitoring unit 151 monitors a WD pulse that should be periodically output from the CPU 10. If the WD pulse is not periodically input, the WD monitoring unit 151 determines that an abnormality has occurred in the CPU 10 and outputs a reset signal (pulse). Input to the reset monitoring unit 152.

  The reset monitoring unit 152 is a circuit for monitoring the state of the reset signal. The reset monitoring unit 152 monitors the reset signal output from the WD monitoring unit 151, checks whether a continuous reset is performed, and if a reset has occurred continuously in a short time, It is determined whether or not is a continuous reset due to hardware abnormality. When the reset monitoring unit 152 determines that the reset is a continuous reset due to a hardware abnormality, the reset monitoring unit 152 counts the number of resets and saves it as the cumulative reset number n in the storage unit 153 and sends a power shutdown request to the power switch unit 17. Send. Further, when the reset monitoring unit 152 determines that the continuous reset is not performed, the reset monitoring unit 152 inputs a reset signal to the RESET terminal of the microcomputer 100. As a result, when the WD pulse is not periodically output from the CPU 10, the CPU 10 is interrupted, and the microcomputer 100 and the CPU 10 are reset. The reset monitoring unit 152 includes a reset interval timer (not shown). The storage unit 153 can be accessed by the diagnostic device 6 outside the vehicle.

  The power supply circuit 16 is a circuit that adjusts a voltage as necessary to distribute power from a +12 V power supply to each component in the microcomputer 100. When power is not supplied to the power supply circuit 16, the entire microcomputer 100 of the ECU 1 stops operating, including a crystal resonator (not shown) built in the microcomputer 100.

  The power switch unit 17 is configured to be able to switch power supply to the ECU 1 between on and off. One end of the power switch unit 17 is connected to a power supply device such as a + 12V battery or an alternator via the voltage monitoring unit 5, and the other end is connected to the power supply circuit 16 of the ECU 1. The power supply to the ECU 1 is switched on / off according to the shutoff request and the reset count n. The power switch unit 17 includes a restart timer (not shown).

  The ECU 2 includes a microcomputer 200, a reset management unit 25, a power circuit 26, and a power switch unit 27, similar to the ECU 1. The microcomputer 100 includes a CPU 20, an EEPROM 21, a RAM 22, an input / output unit 23, and a communication unit 24. The microcomputer 100 has IG and ACC terminals for inputting signals from the ignition switch and the accessory switch 4, and a RESET terminal for inputting a reset signal.

  The CPU 20 of the microcomputer 200 reads out map data, receives signals from a GPS antenna, a gyro device, a vehicle speed sensor, and a position of a road on the basis of a control program 22 stored in a mask ROM (not shown). Navigation system signal processing including information calculation and the like is executed.

  The EEPROM 21 stores various types of information referred to in processing, such as user setting information. The EEPROM 21 may be a flash memory or the like instead of the EEPROM.

  For the RAM 22, DRAM, SRAM or the like is used. In addition to loading a control program read by the CPU 20, the RAM 22 temporarily stores various information generated by the processing, such as variables used for calculation.

  The input / output unit 23 is an interface between the microcomputer 200 and the outside. The microcomputer 200 is a storage device such as a signal input from an IG terminal, an ACC terminal, a RESET terminal or the like of the input / output unit 23, a satellite positioning signal from a GPS antenna, a gyro device, a sensor signal from a vehicle speed sensor, or a CD-ROM. The map data from is input, and navigation processing is executed based on each signal. The microcomputer 200 of the ECU 2 is configured so that the operation of the microcomputer 200 as a whole including a crystal resonator (not shown) is stopped by an interrupt while the reset signal is continuously input to the RESET terminal. When the input of the reset signal is stopped and the potential of the RESET terminal becomes equal to or higher than a predetermined potential, the operation is resumed.

  The communication unit 24 has a network controller function and realizes communication via the in-vehicle LAN 3 of the microcomputer 200. This corresponds to the communication unit 14 of the ECU 1.

  The reset management unit 25 includes a WD monitoring unit 251, a reset monitoring unit 252, and a storage unit 253, and corresponds to the reset management unit 15 of the ECU 1. The WD monitoring unit 251 is a circuit for notifying the reset monitoring unit 252 whether or not the operation of the microcomputer 200 is normal, and corresponds to the WD monitoring unit 151 of the ECU 1. The WD monitoring unit 251 monitors the WD pulse that should be periodically output from the CPU 20, and if the WD pulse is not periodically input, the WD monitoring unit 251 determines that an abnormality has occurred in the CPU 20 and sends a reset signal to the reset monitoring unit. Input to 252.

  The reset monitoring unit 252 is a circuit for monitoring the state of the reset signal, and corresponds to the reset monitoring unit 152 of the ECU 1. The reset monitoring unit 252 monitors the reset signal output from the WD monitoring unit 251 and determines whether the reset is a continuous reset due to a hardware abnormality. If the reset monitoring unit 252 determines that the reset is a continuous reset due to a hardware abnormality, the reset monitoring unit 252 counts the number of resets and saves it as the cumulative reset number n in the storage unit 253 and sends a power shutdown request to the power switch unit 27. Send. Further, when the reset monitoring unit 252 determines that continuous reset is not performed, the reset monitoring unit 252 inputs a reset signal to the RESET terminal of the microcomputer 200. As a result, when the WD pulse is not periodically output from the CPU 20, the CPU 20 is interrupted and the microcomputer 200 and the CPU 20 are reset. The reset monitoring unit 252 includes a reset interval timer (not shown). The storage unit 253 can be accessed by the diagnostic device 6 outside the vehicle.

  The power supply circuit 26 is a circuit that adjusts the voltage as necessary to distribute power from the + 12V power supply to each component in the microcomputer 200. This corresponds to the power supply circuit 16 of the ECU 1.

  The power switch unit 27 is configured to be able to switch the supply of electric power to the ECU 2 between on and off, and corresponds to the power switch unit 17 of the ECU 1. One end of the power switch unit 27 is connected to a power supply device such as a + 12V battery or an alternator via the voltage monitoring unit 5, and the other end is connected to the power supply circuit 26 of the ECU 2. The power supply to the ECU 2 is switched on / off according to the cutoff request and the reset count n. The power switch unit 27 includes a restart timer (not shown).

  A processing procedure executed when the CPU 10 of the ECU 1 configured as described above runs away will be described with reference to a flowchart. FIG. 2 is a flowchart illustrating an example of a processing procedure executed when the CPU 10 of the ECU 1 according to the first embodiment is running out of control.

  The CPU 10 periodically outputs a WD pulse to the WD monitoring unit 151 when the power is turned on or when the input of the reset signal is completed and the operation is started. The WD monitoring unit 151 monitors a WD pulse that should be periodically output from the CPU 10 of the microcomputer 100, and determines whether or not the WD pulse has been periodically input (step S21). When the WD monitoring unit 151 determines that the WD pulse is periodically input (S21: YES), the WD monitoring unit 151 notifies the reset monitoring unit 152 that the WD pulse is normal, and the reset monitoring unit 152 is stored in the storage unit 153. The cumulative number of resets n is cleared to 0 (step S32), and the process ends.

  If the CPU 10 runs out of control, the output of the WD pulse is interrupted. In such a case, the WD monitoring unit 151 determines that the WD pulse is not periodically input (S21: NO), determines that an abnormality has occurred in the CPU 10, and inputs a reset signal to the reset monitoring unit 152. (Step S22). The reset monitoring unit 152 reads the cumulative reset count n stored in the storage unit 153, and determines whether or not a continuous reset has already been performed based on the cumulative reset count n (step S23). If the reset monitoring unit 152 determines that a continuous reset has not been performed (S23: NO), the process proceeds to step S31.

  In step S31, the reset monitoring unit 152 inputs a reset signal to the RESET terminal of the microcomputer 100, increments the cumulative reset count n, saves it in the storage unit 153, operates the reset interval timer, and ends the process. As a result, the CPU 10 is reset. Note that the timer time of the reset interval timer is set, for example, when the ECU 1 is shipped.

  On the other hand, when the reset monitoring unit 152 determines that a continuous reset has been performed (S23: YES), the reset monitoring unit 152 outputs a power-off request and the cumulative reset count n to the power switch unit 17.

  Normally, when an automobile requires a large current, such as when starting an engine, the voltage becomes unstable, and even if there is no abnormality in the hardware, the ECU operation rating may be interrupted and resets may occur continuously. However, since it is within the range of normal operation, it is excluded from the power supply control processing according to the present invention.

  Then, after receiving the power shutdown request and the cumulative reset count n, the power switch unit 17 determines whether or not the power supply voltage is normal in order to determine whether or not it is a continuous reset that can occur normally, such as an instantaneous battery interruption. The voltage monitoring unit 5 is requested to do this, and the voltage monitoring unit 5 determines whether the power supply voltage is normal (step S24).

  To determine whether the power supply voltage is normal, attach a voltage monitoring sensor to the battery and read it directly, calculate the battery capacity from the current value flowing through the ECU, or voltage drop state during past abnormalities The method of estimating the deterioration state of the battery can be used from the record.

  When the power supply switch unit 17 determines that the power supply voltage is abnormal (S24: NO), the process proceeds to step S30. In step S30, the reset monitoring unit 152 determines whether the timer time of the reset interval timer has timed out (time over). If the reset monitoring unit 152 determines that the timer time of the reset interval timer does not time out (S30: NO), it repeats step S30. S30 is repeated until it is determined that a timeout has occurred. If the reset monitoring unit 152 determines that the timer time of the reset interval timer has timed out (S30: YES), the reset monitoring unit 152 proceeds to step S31.

  On the other hand, when the power supply switch unit 17 determines that the power supply voltage is normal (S24: YES), the power supply switch unit 17 turns off the power supply to the ECU 1 (step S25). At that time, the power switch unit 17 generates abnormality information related to the power interruption and records it in the storage unit 153 in order to notify the outside that the power supply to the ECU 1 is interrupted due to a hardware abnormality (step S26). ).

  Specifically, the power switch unit 17 determines whether there is a diag code stored in the storage unit 153 that matches the diag code corresponding to the abnormality information. When the power switch unit 17 determines that there is no match with the diag code corresponding to the abnormality information, the power switch unit 17 sets the value of the corresponding diag code to 1 and stores the value that covers the diag code in the storage unit 153. When the power switch unit 17 determines that there is a match with the diag code corresponding to the abnormality information, the power switch unit 17 increments and updates the value of the corresponding diag code. The diagnostic device 6 reads out the diagnosis code stored in the storage unit 153 and uses it for diagnosis in order to confirm the history of abnormality later. When recording abnormal information, a warning sound, warning light, or character information indicating the content of the abnormal information may be output in order to inform the driver of the content of the abnormal information. As a result, the driver can grasp the abnormality. In particular, if the electronic device is a device related to security, the driver should be informed that the security function is stopped.

After turning off the power supply to the ECU 1, the power switch unit 17 sets the timer time of the restart timer based on the cumulative number of resets n received from the reset monitoring unit 152 and starts the restart timer (step) S27). In the first embodiment, the timer time of the restart timer is set to n ² which is the square of the cumulative number of resets n, but is not limited to this. For example, spontaneous discharge is completed from the discharge characteristics of the ECU 1 If the time required to do so is calculated and if it still does not recover even after retrying after the interval exceeds that time, it is judged that the probability of natural recovery is extremely low, and the interval is lengthened extremely. May be.

  Then, the power switch unit 17 determines whether the timer time of the restart timer has timed out (time over) (step S28). When determining that the timer time of the restart timer does not time out (S28: NO), the power switch unit 17 repeats step S28. Step S28 is repeated until it is determined that timeout has occurred. When the power switch unit 17 determines that the timer time of the restart timer has timed out (S28: YES), the process proceeds to step S29.

  In step S29, the power switch unit 17 increments the cumulative number of resets n and saves it in the storage unit 153 to turn on the power supply to the ECU 1. Thereby, the process is terminated.

  When power supply to the ECU 1 is resumed or reset, the CPU 10 resumes operation. At this time, if the hardware abnormality is resolved and normal operation can be performed, the CPU 10 periodically outputs a WD pulse to the WD monitoring unit 151. The WD monitoring unit 151 determines whether or not a WD pulse is periodically input (step S21). When the WD monitoring unit 151 determines that the WD pulse is periodically input (S21: YES), the cumulative reset count n stored in the storage unit 153 is cleared to 0 (step S32), and the process is terminated. To do.

  As described above, the processing procedure executed when the CPU 10 of the ECU 1 has runaway has been described in detail based on the drawings. However, when the CPU 20 of the ECU 2 has runaway, the same processing procedure is executed. Is omitted.

According to the first embodiment, when a CPU runaway is detected by the WD monitoring unit and the CPU is reset, the cause of the CPU runaway is a hardware failure and the CPU does not return to normal operation. Stop the power supply to the microcomputer. Then, the power supply to the ECU is turned on again at regular intervals, and the system is reset. Therefore, when the hardware abnormality has been resolved with the passage of time, the normal operation can be automatically and promptly restored. In addition, by setting the timer time of the restart timer based on the cumulative number of resets, it is possible to prevent a secondary failure from being caused by repeated resets. Furthermore, by generating or updating abnormality information related to power interruption, the diagnostic device 6 reads the stored diagnostic code and uses it for diagnosis in order to confirm the abnormality history later. As a result, the ECU in which the abnormality has occurred can be specified in advance.
(Embodiment 2)

  In the first embodiment, each of the ECUs 1 and 2 has a power switch unit, and is configured to independently execute the process when the CPU is running away. In contrast to this, in the second embodiment, the power supply management ECU switches the power supply to each ECU between on and off.

  FIG. 3 is a block diagram showing the configuration of the in-vehicle control system in the second embodiment, and FIG. 4 is a block diagram showing the configuration of the power management ECU 70 in FIG. FIG. 3 shows a part of the in-vehicle control system.

  The in-vehicle control system according to the second embodiment includes an ECU 7, an ECU 8, an ECU 9, an in-vehicle LAN 3 to which the ECUs 7 to 9 are connected, an ignition switch or accessory switch (IG, ACC in the figure) 4, and a voltage monitoring unit 5.

  The ECU 7 is a power management ECU. The ECU 8 is a body ECU like the ECU 2 in the first embodiment, and the ECU 9 is a navigation ECU like the ECU 2 in the first embodiment. The ECUs 7, 8, and 9 are all connected to the in-vehicle LAN 3, and the ECUs 7, 8, and 9 can communicate control data and the like with each other.

  The ECU 7 includes a microcomputer 700, a reset management unit 75, a power circuit 76, and a power switch unit 77. The microcomputer 700 includes a CPU 70, an EEPROM 71, a RAM 72, an input / output unit 73, and a communication unit 74. The microcomputer 700 has IG and ACC terminals for inputting signals from the ignition switch and the accessory switch 4, and a RESET terminal for inputting a reset signal.

  Based on a control program stored in a mask ROM (not shown), the CPU 70 of the microcomputer 700 executes signal processing including power distribution to the in-vehicle devices or charge / discharge control processing in the battery and alternator.

  The EEPROM 71 stores various types of information referred to in processing, such as user setting information. The EEPROM 71 may be a flash memory or the like instead of the EEPROM.

  For the RAM 72, DRAM, SRAM or the like is used. The RAM 72 is loaded with a computer program such as a control program read by the CPU 70 and temporarily stores various information generated by the processing.

  The input / output unit 73 is an interface between the microcomputer 700 and the outside. The microcomputer 700 executes control processing based on signals input from the IG terminal, the ACC terminal, the RESET terminal, and the like included in the input / output unit 73. Further, the microcomputer 700 switches the power supply to the ECU 8 and the ECU 9 between on and off based on the power-off request input from the ECU 8 and the ECU 9 via the input / output unit 73.

  The communication unit 74 has a network controller function and realizes communication via the in-vehicle LAN 3 of the microcomputer 700. For example, communication conforming to the CAN protocol is realized. In addition, LIN, FlexRay (registered trademark), or the like may be used. The CPU 70 can receive information transmitted from the ECUs 8 and 9 to the in-vehicle LAN 3 via the communication unit 74, and can transmit information to the in-vehicle LAN 3 to be transmitted to the ECUs 8 and 9. Note that a transceiver that realizes communication in the physical layer is not shown.

  The reset management unit 75 includes a WD monitoring unit 751, a reset monitoring unit 752, and a storage unit 753. The WD monitoring unit 751 is a circuit for notifying the reset monitoring unit 752 whether or not the operation of the microcomputer 700 is normal. The WD monitoring unit 751 monitors a WD pulse that should be periodically output from the CPU 70. If the WD pulse is not periodically input, the WD monitoring unit 751 determines that an abnormality has occurred in the CPU 70 and sends a reset signal to the reset monitoring unit. Input to 752.

  The reset monitoring unit 752 is a circuit for monitoring the state of the reset signal. The reset monitoring unit 752 monitors the reset signal output from the WD monitoring unit 751, confirms whether a continuous reset has been performed, and if a reset has occurred continuously in a short time, It is determined whether or not is a continuous reset due to hardware abnormality. When the reset monitoring unit 752 determines that the reset is a continuous reset due to a hardware abnormality, the reset monitoring unit 752 counts the number of resets and saves it as the cumulative reset number n in the storage unit 753, and sends a power shutdown request to the power switch unit 77. Send. Further, when the reset monitoring unit 752 determines that continuous reset is not performed, the reset monitoring unit 752 inputs a reset signal to the RESET terminal of the microcomputer 700. Thereby, when the WD pulse is not output periodically from the CPU 70, the CPU 70 is interrupted and the microcomputer 700 and the CPU 70 are reset. The reset monitoring unit 752 includes a reset interval timer (not shown).

  The power supply circuit 76 is a circuit that adjusts the voltage as necessary to distribute power from the +12 V power supply to each component in the microcomputer 700. When power is not supplied to the power supply circuit 76, the entire microcomputer 700 of the ECU 7 stops operating, including a crystal resonator (not shown) built in the microcomputer 700.

  The power switch unit 77 is configured to be able to switch the supply of power to the ECU 7 between on and off. One end of the power switch unit 77 is connected to a power supply device such as a + 12V battery or an alternator via the voltage monitoring unit 5, and the other end is connected to the power circuit 76 of the ECU 7. The power supply to the ECU 7 is switched on / off according to the cutoff request and the reset count n. The power switch unit 77 includes a restart timer (not shown).

  The ECU 8 includes a microcomputer 800, a reset management unit 85, a power circuit 86, and a power switch 87. The microcomputer 800 includes a CPU 80, an EEPROM 81, a RAM 82, an input / output unit 83, and a communication unit 84. The microcomputer 800 has IG and ACC terminals for inputting signals from the ignition switch and the accessory switch 4, and a RESET terminal for inputting a reset signal.

  The power switch 87 has three terminals, one is connected to a power supply circuit 86 of the ECU 8, one is connected to a power supply device such as a + 12V battery or an alternator, and the other one is grounded. The power switch 87 can switch the supply of electric power to the ECU 8 between on and off. As will be described later, the power switch 87 switches on / off the power supply to the ECU 8 in accordance with a control signal from the ECU 7.

  The functions of the CPU 80, the EEPROM 81, the RAM 82, the input / output unit 83, the communication unit 84, and the power supply circuit 86 of the ECU 8 are respectively the CPU 10, the EEPROM 11, the RAM 12, the input / output unit 13, the communication unit 14, and the power source of the ECU 1 according to the first embodiment. Since it is basically the same as the circuit 16, detailed description thereof is omitted. Hereinafter, the reset management unit 85 of the ECU 8 will be described in detail.

  The reset management unit 85 includes a WD monitoring unit 851, a reset monitoring unit 852, and a storage unit 853. The WD monitoring unit 851 is a circuit for notifying the reset monitoring unit 852 whether or not the operation of the microcomputer 100 is normal. The WD monitoring unit 851 monitors a WD pulse that should be periodically output from the CPU 80. If the WD pulse is not periodically input, the WD monitoring unit 851 determines that an abnormality has occurred in the CPU 80 and sends a reset signal to the reset monitoring unit. Input to 852.

  The reset monitoring unit 852 is a circuit for monitoring the state of the reset signal. The reset monitoring unit 852 monitors the reset signal output from the WD monitoring unit 851, confirms whether a continuous reset has been performed, and if a reset has occurred continuously in a short time, It is determined whether or not is a continuous reset due to hardware abnormality. If the reset monitoring unit 852 determines that the reset is a continuous reset due to a hardware abnormality, the reset monitoring unit 852 counts the number of resets and stores it as a cumulative reset number n in the storage unit 853 and transmits a power-off request to the ECU 7. In addition, when the reset monitoring unit 852 determines that continuous reset is not performed, the reset monitoring unit 852 inputs a reset signal to the RESET terminal of the microcomputer 800. Thereby, when the WD pulse is not output periodically from the CPU 80, the CPU 80 is interrupted and the microcomputer 800 and the CPU 80 are reset.

  The reset monitoring unit 852 includes a reset interval timer (not shown), determines that the reset is a continuous reset, transmits a power-off request to the ECU 7, and then sends the request to the ECU 8 within a predetermined period counted by the reset interval timer. If the power supply is not stopped, the reset signal is input to the RESET terminal of the microcomputer 800 to reset the microcomputer 800 and the CPU 80.

  The ECU 9 includes a microcomputer 900, a reset management unit 95, a power circuit 96, and a power switch 97. The microcomputer 900 includes a CPU 90, an EEPROM 91, a RAM 92, an input / output unit 93, and a communication unit 94. The microcomputer 900 has IG and ACC terminals for inputting signals from the ignition switch and the accessory switch 4, and a RESET terminal for inputting a reset signal.

  The power switch 97 has three terminals, one connected to a power supply circuit 96 of the ECU 9, one connected to a power supply device such as a + 12V battery or an alternator, and the other one grounded. The power switch 97 can switch the supply of electric power to the ECU 9 between on and off. As will be described later, the power switch 97 switches on / off the power supply to the ECU 9 by a control signal from the ECU 7.

  The functions of the CPU 90, the EEPROM 91, the RAM 92, the input / output unit 93, the communication unit 94, and the power supply circuit 96 of the ECU 9 are the CPU 20, the EEPROM 21, the RAM 22, the input / output unit 23, the communication unit 24, and the power source of the ECU 2 in the first embodiment, respectively. Since it is basically the same as the circuit 26, detailed description thereof is omitted. Hereinafter, the reset management unit 95 of the ECU 9 will be described in detail.

  The reset management unit 95 includes a WD monitoring unit 951, a reset monitoring unit 952, and a storage unit 953. The WD monitoring unit 951 is a circuit for notifying the reset monitoring unit 952 whether or not the operation of the microcomputer 900 is normal. The WD monitoring unit 951 monitors a WD pulse that should be periodically output from the CPU 90. If the WD pulse is not periodically input, the WD monitoring unit 951 determines that an abnormality has occurred in the CPU 90 and sends a reset signal to the reset monitoring unit. Input to 952.

  The reset monitoring unit 952 is a circuit for monitoring the state of the reset signal. The reset monitoring unit 952 monitors the reset signal output from the WD monitoring unit 951, checks whether a continuous reset has been performed, and if a reset has occurred continuously in a short time, It is determined whether or not is a continuous reset due to hardware abnormality. When the reset monitoring unit 952 determines that the reset is a continuous reset due to a hardware abnormality, the reset monitoring unit 952 counts the number of resets and stores it as a cumulative reset number n in the storage unit 953 and transmits a power-off request to the ECU 7. If the reset monitoring unit 952 determines that continuous reset has not been performed, the reset monitoring unit 952 inputs a reset signal to the RESET terminal of the microcomputer 900. As a result, when the WD pulse is not periodically output from the CPU 90, the CPU 90 is interrupted and the microcomputer 900 and the CPU 90 are reset.

  The reset monitoring unit 952 includes a reset interval timer (not shown), determines that the reset is a continuous reset, transmits a power-off request to the ECU 7, and then sends the request to the ECU 9 within a predetermined period of time counted by the reset interval timer. If the power supply is not stopped, a reset signal is input to the RESET terminal of the microcomputer 900 to reset the microcomputer 900 and the CPU 90.

  The functions of the reset management unit 75, the power supply circuit 76, and the power supply switch unit 77 of the ECU 7 configured as described above are respectively the reset management unit 15 (25) of the ECU 1 (2) and the power supply circuit 16 ( 26) and the power switch unit 17 (27), and the processing procedure executed when the CPU 70 of the ECU 7 runs out of control is basically the same as that of the ECU 1 (2) in the first embodiment. Since it is the same, detailed description is abbreviate | omitted.

  Hereinafter, a processing procedure executed when the CPUs 80 and 90 of the ECUs 8 and 9 configured as described above run away will be described with reference to flowcharts. FIG. 5 is a flowchart illustrating an example of a processing procedure executed when the CPU 80 of the ECU 8 in the second embodiment is running out of control. FIG. 6 is a flowchart illustrating an example of a processing procedure executed by the power management ECU in the second embodiment.

  The CPU 80 periodically outputs a WD pulse to the WD monitoring unit 851 when the power is turned on or when the input of the reset signal is completed and the operation is started. The WD monitoring unit 851 monitors the WD pulse that should be periodically output from the CPU 80 of the microcomputer 800, and determines whether or not the WD pulse is periodically input (step S51). When the WD monitoring unit 851 determines that the WD pulse is periodically input (S51: YES), the WD monitoring unit 851 notifies the reset monitoring unit 852 that the WD pulse is normal, and the reset monitoring unit 852 is stored in the storage unit 853. The cumulative reset count n is cleared to 0 (step S58), and the process is terminated.

  If the CPU 80 runs out of control, the output of the WD pulse is interrupted. In such a case, the WD monitoring unit 851 determines that the WD pulse is not periodically input (S51: NO), determines that an abnormality has occurred in the CPU 80, and inputs a reset signal to the reset monitoring unit 852. (Step S52). The reset monitoring unit 852 reads the cumulative reset count n stored in the storage unit 853, and determines whether or not a continuous reset has already been performed based on the cumulative reset count n (step S53). If the reset monitoring unit 852 determines that the continuous reset has not been performed (S53: NO), the process proceeds to step S56.

In step S56, the reset monitoring unit 852 increments the cumulative reset count n and saves it in the storage unit 853, and proceeds to step S57. In step S57, the reset monitoring unit 852 inputs a reset signal to the RESET terminal of the microcomputer 800, sets the timer time of the reset interval timer based on the cumulative reset count n, operates the reset interval timer, and ends the process. . As a result, the CPU 80 is reset. In the second embodiment, the timer time of the reset interval timer is set to a multiple 2n ² that is the square of the cumulative reset count n.

  On the other hand, when the reset monitoring unit 852 determines that a continuous reset has been performed (S53: YES), the reset monitoring unit 852 increments the cumulative reset count n and saves it in the storage unit 853. The number of times n and the power-off request are output to the ECU 7 (step S54).

  Then, the reset monitoring unit 852 determines whether or not the set reset interval has elapsed (whether or not the timer time of the reset interval timer has timed out) (step S55). If the reset monitoring unit 852 determines that the set reset interval has not elapsed (the timer time of the reset interval timer does not time out) (S55: NO), the determination of step S55 is repeated. If the reset monitoring unit 852 determines that the set reset interval has elapsed (the timer time of the reset interval timer has timed out) (S55: YES), the process proceeds to step S57. Thereby, when the electric power supply to ECU8 is not interrupted | blocked by ECU7 within the set reset interval, CPU80 is reset by step S57, and a process is complete | finished.

  On the other hand, the CPU 70 of the ECU 7 determines whether or not the input / output unit 73 has received the cumulative reset count n and the power-off request from the ECU 8 (step S61). If the CPU 70 determines in step S61 that the cumulative reset count n and the power-off request have not been received (S61: NO), the process ends. Since this process is repeatedly executed, the process returns to step S61, and step S61: NO is repeated until it is determined that a control request has been received.

  If the CPU 70 determines in step S61 that it has received the cumulative reset count n and the power shutoff request (S61: YES), the power supply voltage The voltage monitoring unit 5 is requested to determine whether the power supply voltage is normal, and the voltage monitoring unit 5 determines whether the power supply voltage is normal (step S62).

  When the CPU 70 determines that the power supply voltage is abnormal (S62: NO), the CPU 70 ends the process. On the other hand, when the CPU 70 determines that the power supply voltage is normal (S62: YES), the control signal is output by the input / output unit 73, the power switch 87 is turned off, and the power supply to the ECU 8 is turned off (step S63). ).

  At that time, the CPU 70 generates abnormality information related to the power interruption of the ECU 8 and records it in the EEPROM 71 by the communication unit 74 in order to notify the outside that the power supply to the ECU 8 is interrupted due to a hardware abnormality (step 71). S64).

  Specifically, the CPU 70 determines whether there is a diag code stored in the EEPROM 71 that matches the diag code corresponding to the abnormality information. If the CPU 70 determines that there is no match with the diagnostic code corresponding to the abnormality information, the CPU 70 sets the value of the corresponding diagnostic code to 1 and stores the value of the diagnostic code in the EEPROM 71. When the CPU 70 determines that there is a matching diag code corresponding to the abnormality information, the CPU 70 increments and updates the value of the corresponding diag code. The diagnostic device 6 reads out the diagnostic code stored in the EEPROM 71 and uses it for diagnosis in order to confirm the abnormality history later. When recording abnormal information, a warning sound, warning light, or character information indicating the content of the abnormal information may be output in order to inform the driver of the content of the abnormal information. As a result, the driver can grasp the abnormality. In particular, if the electronic device is a device related to security, the driver should be informed that the security function is stopped.

After the power supply to the ECU 8 is turned off, the CPU 70 sets the timer time of the power restart timer based on the cumulative reset count n received by the input / output unit 73 and starts the power restart timer (step S65). In the second embodiment, the timer time of the power resumption timer is set to n ² that is the square of the cumulative number of resets n.

  Then, the CPU 70 determines whether or not the timer time of the power restart timer has timed out (step S66). If the CPU 70 determines that the timer time of the power restart timer does not time out (S66: NO), it repeats step S66. S66 is repeated until it is determined that a time-out has occurred. When the CPU 70 determines that the timer time of the power restart timer has timed out (S66: YES), the CPU 70 proceeds to step S67.

  In step S67, the CPU 70 turns on the power switch 87 to turn on the power supply to the ECU 8. Thereby, the process is terminated.

  When power supply to the ECU 8 is resumed or reset, the CPU 80 resumes operation. At this time, if the hardware abnormality is resolved and normal operation can be performed, the CPU 80 periodically outputs a WD pulse to the WD monitoring unit 851. The WD monitoring unit 851 determines whether or not a WD pulse is periodically input (step S51). When the WD monitoring unit 851 determines that the WD pulse is periodically input (S51: YES), the cumulative reset count n stored in the storage unit 853 is cleared to 0 (step S58), and the process ends. To do.

  The processing procedure executed when the CPU 80 of the ECU 8 has runaway has been described in detail based on the drawings. However, the same processing procedure is executed when the CPU 90 of the ECU 9 has runaway. Is omitted.

  In the second embodiment, when a CPU runaway of the ECU is detected by the WD monitoring unit and the CPU is reset, the cause of the CPU runaway is a hardware failure and the CPU does not return to normal operation. Then, the power supply management ECU stops power supply to the ECU that is running out of control. Then, the power supply to the ECU is turned on again at a certain interval, and the system is reset. Therefore, when the hardware abnormality has been resolved with the passage of time, the normal operation can be automatically and promptly restored. In addition, by setting the timer time of the power restart timer based on the cumulative number of resets, it is possible to prevent the secondary failure from being repeated unnecessarily. Furthermore, by generating or updating abnormality information related to power interruption, the diagnostic device 6 reads the stored diagnostic code and uses it for diagnosis in order to confirm the abnormality history later. As a result, the ECU in which the abnormality has occurred can be specified in advance.

In the second embodiment, to set the timer time of the reset interval timer to the square of the multiples 2n ² cumulative reset count n, setting a timer time of the power resumption timer to the square of n ² of the cumulative number of resets n To do. As a result, when the power management ECU does not cut off the power supply to the ECU running out of control within the timer time of the power restart timer, the CPU of the ECU running out of control is reset when the timer time of the reset interval timer elapses. . Therefore, if the power management ECU itself is in failure or the power supply to the ECU that is running out of control due to a communication failure or the like is not cut off, the power management ECU is automatically reset. Note that by setting the timer times of the power restart timer and the reset interval timer based on the cumulative number of resets, it is possible to prevent a secondary failure from being repeated unnecessarily.

  Note that the setting of the timer time of each of the reset interval timer and the power restart timer is not limited to this, and the former may be made longer than the latter.

  Note that if the power supply to the runaway ECU is not shut off due to a failure of the power management ECU itself or an abnormality in communication, the ECU automatically resets. For example, if the power management ECU is also continuously reset, such as when starting, and the power supply to the runaway ECU is not shut off, the ECU resets even though the power supply is not shut off by the power management ECU To do. Therefore, when a large current is required, such as at the time of starting, if the voltage is unstable, the ECU can automatically and promptly shift to normal operation.

  In the first and second embodiments, when the cumulative reset count n is 0, it is determined that continuous reset has not been performed, and when the cumulative reset count n is greater than 0, it is determined that continuous reset has been performed. However, the present invention is not limited to this. For example, when the cumulative reset count n is 3 or less, it is determined that continuous reset is not performed. When the cumulative reset count n is greater than 3, continuous reset is performed. You may judge that it was.

  In the first and second embodiments, when the ECU is reset a plurality of times, for example, five times or more, a failure may be notified to the outside by a warning light or a beep.

  In Embodiment 1 and 2, the example which applied the control processing which concerns on this invention to ECU in a vehicle-mounted control system was shown. However, the present invention is not limited to this, and it is needless to say that the present invention may be applied to various control devices that can eliminate hardware abnormality by controlling power supply.

  The disclosed embodiments should be considered as illustrative in all points and not restrictive. The scope of the present invention is defined by the terms of the claims, rather than the description above, and is intended to include any modifications within the scope and meaning equivalent to the terms of the claims.

1 ECU (electronic device)
100 Microcomputer (processor)
151 WD monitoring unit (determination unit)
152 Reset monitoring unit (reset unit, counting unit)
17 Power switch (switch)
2 ECU (electronic device)
200 Microcomputer (processor)
251 WD monitoring unit (determination unit)
252 Reset monitoring unit (reset unit, counting unit)
27 Power switch (switch)
5 Voltage monitor (voltage detector)
7 ECU (Power Management Device)
700 Microcomputer (control unit)
73 Input / output unit (receiving unit)
8 ECU (electronic device)
800 Microcomputer (processor)
851 WD monitoring unit (determination unit)
852 Reset monitoring unit (reset unit, counting unit)
9 ECU (electronic device)
900 Microcomputer (processor)
951 WD monitoring unit (determination unit)
952 Reset monitoring unit (reset unit, counting unit)

Claims (12)

A switch for supplying / cutting off power from the power source;
A processor driven by power supplied by the switch;
A determination unit for determining a runaway state of the processor;
When it is determined that the determination unit is in a runaway state, in an electronic device including a reset unit that resets the processor,
When the processor counts the number of times reset by the reset unit and the determination unit determines that it is not a runaway state, the counter has a counting unit that clears the count value to 0,
If the counted value exceeds a predetermined number of times, the switch is to interrupt power supply to the processor, after a lapse of a waiting time set to resume the power supply,
When the power supply is resumed, the counter increments the count value,
The waiting time electronic apparatus characterized by are configured to so that the determined length / short depending on the large / small of the counted value. A switch for supplying / cutting off power from the power source;
A processor driven by power supplied by the switch;
A determination unit for determining a runaway state of the processor;
When it is determined that the determination unit is in a runaway state, in an electronic device including a reset unit that resets the processor,
When the processor counts the number of times reset by the reset unit and the determination unit determines that it is not a runaway state, the counter has a counting unit that clears the count value to 0,
If the counted value exceeds a predetermined number of times, the switch is to interrupt power supply to the processor, after a lapse of a waiting time set to resume the power supply,
A voltage detection unit for detecting whether the voltage of the power source is abnormal;
The electronic device , wherein the switch is configured not to cut off power supply to the processor when the voltage detection unit detects that the voltage is abnormal . The electronic apparatus according to claim 1, wherein the electronic apparatus is configured to notify the outside that power supply to the processor is cut off. A voltage detection unit for detecting whether the voltage of the power source is abnormal;
If the voltage is detected to be abnormal by said voltage detecting unit, wherein the switch is an electronic according to claim 1 or 3, characterized in that are not configured to cut off the power supply to the processor apparatus. A processor;
A determination unit for determining a runaway state of the processor;
When it is determined that the determination unit is in a runaway state, the reset unit for resetting the processor,
In an electronic device connected to a power management device that supplies / cuts off power from a power source,
When the processor counts the number of times reset by the reset unit and the determination unit determines that it is not in a runaway state, the processor further includes a counting unit that clears the count value to 0,
When the count value exceeds a predetermined number, the count value is incremented and transmitted to the power management apparatus together with a power shutdown request ,
The reset unit is configured to reset the processor after a standby time determined according to the count value has elapsed after transmitting the count value and the power-off request. apparatus. A processor;
A determination unit for determining a runaway state of the processor;
If the determination unit determines that it is in a runaway state, a reset unit that resets the processor ;
If the previous SL processor counts the number of times the reset by the reset unit, and determined not to be a runaway condition by the determination unit, a counting unit for clearing the count value to 0,
If the previous SL count exceeds a predetermined number, it is connected to an electronic device and a transmitter for transmitting increments the regimen numerical externally with power-off request,
In a power management device that cuts off / restarts power supply from a power source to the electronic device,
A receiver for receiving a power shutdown request from the electronic device;
A control unit that resumes the power supply after a set restart time has elapsed since the power supply to the corresponding electronic device is shut off when the receiving unit receives the power-off request;
The receiver further receives a count value from the electronic device;
Wherein, in response to said count value received by the receiver, the time to resume power management apparatus characterized by is arranged to determine. A processor;
A determination unit for determining a runaway state of the processor;
If the determination unit determines that it is in a runaway state, a reset unit that resets the processor ;
If the previous SL processor counts the number of times the reset by the reset unit, and determined not to be a runaway condition by the determination unit, a counting unit for clearing the count value to 0,
If the previous SL count exceeds a predetermined number, it is connected to an electronic device and a transmitter for transmitting increments the regimen numerical externally with power-off request,
In a power management device that cuts off / restarts power supply from a power source to the electronic device,
A receiver for receiving a power shutdown request from the electronic device;
When the receiving unit receives the power-off request, the control unit restarts the power supply after a set restart time has elapsed since the power supply to the corresponding electronic device is shut off.
A voltage detection unit that detects whether or not the voltage of the power source is abnormal,
If the voltage is detected to be abnormal by said voltage detecting unit, wherein the control unit power management apparatus characterized by are not configured to cut off the power supply to the electronic device. A power management device connected to the electronic device according to claim 5 for cutting off / resuming power supply from the power source to the electronic device.
A receiver for receiving a power shutdown request from the electronic device;
If the receiver receives the power-off request, characterized in that it comprises, and then cut the power supply to the corresponding electronic device, after a lapse of a resumption time set, and a resume control unit the power supply Power management device. The receiver further receives a count value from the electronic device;
The power management apparatus according to claim 8, wherein the control unit is configured to determine the restart time according to a count value received by the reception unit.   10. The power management apparatus according to claim 8, wherein the control unit is configured to notify the outside that power supply to the electronic device is cut off. A voltage detection unit for detecting whether the voltage of the power source is abnormal;
The control unit is configured not to cut off the power supply to the electronic device when the voltage detection unit detects that the voltage is abnormal. The power management apparatus according to item 1. In a control method executed when an electronic device comprising a processor is running out of control,
A determination step of determining a runaway state of the processor;
If it is determined in the determination step that the runaway state, a reset step for resetting the processor;
Counting the number of times the processor is reset in the reset step, and when determining that the processor is not in a runaway state in the determination step,
A power shut-off step of shutting off power supply to the processor when the count value exceeds a predetermined number of times;
When the power supply is cut off in the power cut-off step, a power restart step of restarting the power supply after a set standby time has elapsed ;
A second counting step for incrementing the count value when the power supply is resumed in the power resume step;
A step of determining the waiting time as long / short according to the magnitude of the count value .

Images