JP7070206B2 - In-vehicle control device - Google Patents

Description

The present disclosure relates to an in-vehicle control device.

In the in-vehicle control device, as a configuration for enhancing the safety of control, when the monitoring unit that monitors the operation of the arithmetic unit that performs control detects an abnormality in the arithmetic unit, the abnormality output of the arithmetic unit is stopped. Therefore, there is a configuration in which the arithmetic unit is reset.

Further, Patent Document 1 below describes a technique in which the operation of a control device is monitored by two monitoring devices, and the control device is reset when both of the two monitoring devices detect an abnormality in the control device. It has been disclosed.

Japanese Unexamined Patent Publication No. 2-142255

According to the technique of Patent Document 1, even if one of the two monitoring devices becomes abnormal and an attempt is made to reset the control device by mistake, if the other monitoring device is normal, the control device is not reset. Therefore, it is possible to suppress an erroneous reset of the control device. An erroneous reset is an erroneous reset of a normal one.

However, as a result of detailed examination by the inventor, the following problems have been found in the technique of Patent Document 1. The technique of Patent Document 1 is a technique that simply duplicates the monitoring of the control device. Therefore, it is necessary for the two monitoring devices to perform the same processing as monitoring processing for monitoring the control operation of the control device. Therefore, as the content of the monitoring process becomes more complicated, the processing load of both of the two monitoring devices increases.

Therefore, one aspect of the present disclosure is an in-vehicle control capable of suppressing an erroneous reset of the arithmetic unit that performs control while suppressing the processing load of another arithmetic unit related to the reset of the arithmetic unit that executes control. Provide the device.

The vehicle-mounted control device according to one aspect of the present disclosure includes a first calculation unit (1) that controls a controlled object in a vehicle, a second calculation unit (2) that monitors the control operation of the first calculation unit, and a first unit. 3 A calculation unit (3) and a logical product unit (4) are provided.

The AND unit outputs a reset request signal (R21) to the first calculation unit from the second calculation unit, and outputs a reset request signal (R31) to the first calculation unit from the third calculation unit. Reset the first arithmetic unit.

When the second calculation unit detects an abnormality in the first calculation unit, the second calculation unit outputs a reset request signal for the first calculation unit to the logical product unit, and the second calculation unit outputs a reset request signal for the first calculation unit. A notification signal (X) indicating that it has been output is output to the third calculation unit.

When the notification signal from the second calculation unit is input, the third calculation unit outputs a reset request signal for the first calculation unit to the logical product unit.
According to such a configuration, even if an abnormality occurs in the second calculation unit that monitors the first calculation unit and the second calculation unit outputs a reset request signal to the first calculation unit even though the first calculation unit is normal. If the notification signal is not output, the third arithmetic unit does not output the reset request signal to the first arithmetic unit. Therefore, an erroneous reset of the first calculation unit is avoided. Further, the second calculation unit monitors the control operation of the first calculation unit, but the third calculation unit does not have to perform the same monitoring as the second calculation unit. Therefore, among the second and third calculation units related to the reset of the first calculation unit that performs control, it is possible to suppress the erroneous reset of the first calculation unit while suppressing the processing load of the third calculation unit.

Further, in the vehicle-mounted control device according to the other aspect of the present disclosure, the first calculation unit (1) for controlling the controlled object in the vehicle and the second calculation unit (2) for monitoring the control operation of the first calculation unit are also used. ), A third arithmetic unit (3), and a logical product unit (4).

When the AND unit outputs a reset request signal (R21) to the first arithmetic unit from the second arithmetic unit and outputs a reset request signal (R31) to the first arithmetic unit from the third arithmetic unit. In addition, the first arithmetic unit is reset.

When the second calculation unit detects an abnormality in the first calculation unit, the second calculation unit outputs a reset request signal to the first calculation unit to the AND unit. Further, the reset request signal output from the second calculation unit is configured to be input to the third calculation unit as well.

The third calculation unit monitors the operation of the second calculation unit. Then, only when the third calculation unit has not detected an abnormality in the second calculation unit, the reset request signal to the first calculation unit is provided on the condition that the reset request signal from the second calculation unit is input. Is output to the logical product section.

According to such a configuration, when an abnormality occurs in the second calculation unit that monitors the first calculation unit, and the second calculation unit outputs a reset request signal to the first calculation unit even though the first calculation unit is normal. In addition, the third calculation unit does not output a reset request signal to the first calculation unit by detecting an abnormality in the second calculation unit. Therefore, an erroneous reset of the first calculation unit is avoided. Further, the second arithmetic unit monitors the control operation of the first arithmetic unit, but the third arithmetic unit need only be able to monitor that the monitoring of the first arithmetic unit by the second arithmetic unit is working. Therefore, the processing content of the third arithmetic unit can be simpler than the processing content of the second arithmetic unit. Therefore, among the second and third calculation units related to the reset of the first calculation unit that performs control, it is possible to suppress the erroneous reset of the first calculation unit while suppressing the processing load of the third calculation unit.

In addition, the reference numerals in parentheses described in this column and the scope of claims indicate the correspondence with the specific means described in the embodiment described later as one embodiment, and the technical scope of the present disclosure is defined. It is not limited.

It is a block diagram which shows the structure of the vehicle-mounted control device of 1st Embodiment. It is a flowchart of the signal output processing which the arithmetic unit 2 of 1st Embodiment performs about the reset of the arithmetic unit 1. It is a flowchart of the signal output processing which the arithmetic unit 3 of 1st Embodiment performs about the reset of the arithmetic unit 1. It is a block diagram which shows the structure of the vehicle-mounted control device of 2nd Embodiment. It is a flowchart of the signal output processing which the arithmetic unit 3 of 2nd Embodiment performs about the reset of the arithmetic unit 1. In the second embodiment, it is a time chart showing an operation example when an abnormality occurs in the calculation unit 1. In the second embodiment, it is a time chart showing an operation example when an abnormality occurs in the calculation unit 2. It is a block diagram which shows the structure of the vehicle-mounted control device of 3rd Embodiment. It is a flowchart of the mode switching process performed by the calculation unit 1 of the third embodiment. It is a block diagram which shows the structure of the vehicle-mounted control device of 4th Embodiment. It is a flowchart of the signal output processing which the arithmetic unit 1 of 4th Embodiment performs about the reset of the arithmetic unit 2. It is a flowchart of the signal output processing which the arithmetic unit 3 of 4th Embodiment performs about the reset of the arithmetic unit 2. It is a block diagram which shows the structure of the vehicle-mounted control device of 5th Embodiment. It is a flowchart of the signal output processing which the arithmetic unit 3 of 5th Embodiment performs about the reset of the arithmetic unit 2. It is a block diagram which shows the structure of the vehicle-mounted control device of 6th Embodiment. 6 is a flowchart of a signal output process performed by the calculation unit 2 of the sixth embodiment regarding the reset of the calculation unit 1. 6 is a flowchart of a signal output process performed by the calculation unit 3 of the sixth embodiment regarding the reset of the calculation unit 1. It is a block diagram which shows the structure of the vehicle-mounted control device of 7th Embodiment. It is a block diagram which shows the structure of the vehicle-mounted control device of 8th Embodiment. It is a flowchart of the signal output processing which the arithmetic unit 1 of 8th Embodiment performs about the reset of the arithmetic unit 2. It is a flowchart of the signal output processing which the arithmetic unit 3 of 8th Embodiment performs about the reset of the arithmetic unit 2.

Hereinafter, embodiments of the present disclosure will be described with reference to the drawings.
[1. First Embodiment]
[1-1. Constitution]
The vehicle-mounted control device 11 of the first embodiment shown in FIG. 1 includes three calculation units 1 to 3. Each of the calculation units 1 to 3 may be an electronic control device, may be mounted on different electronic control devices, or may be mounted on one electronic control device. When each of the arithmetic units 1 to 3 is an electronic control device or is mounted on a different electronic control device, it can be said that the vehicle-mounted control device 11 is an in-vehicle control system including a plurality of electronic control devices. Further, when the arithmetic units 1 to 3 are mounted on one electronic control device, it can be said that this one electronic control device is the in-vehicle control device 11. The in-vehicle control device 11 further includes a logical AND circuit 4 as a logical product unit.

Each of the arithmetic units 1 to 3 includes a microcomputer having CPUs 1a, 2a, 3a and semiconductor memories (hereinafter, memory) 1b, 2b, 3b such as RAM or ROM. Each function of the arithmetic units 1 to 3 is realized by executing a program in which the CPUs 1a, 2a, and 3a are stored in the non-transitional substantive recording medium. In this example, the memories 1b, 2b, and 3b correspond to the non-transitional substantive recording medium in which the program is stored. In addition, when this program is executed, the method corresponding to the program is executed. Further, the arithmetic units 1 to 3 may be provided with one microcomputer or may be provided with a plurality of microcomputers.

The calculation unit 1 has a function of controlling a controlled object in the vehicle. The control target may be, for example, a device classified into a power train such as an engine or a transmission, or may be a braking device, a steering device, or the like.

The calculation unit 2 has a monitoring function for the calculation unit 1. The monitoring function for the calculation unit 1 is a function for monitoring the control operation of the calculation unit 1, and may be any function as long as it can detect that the control operation of the calculation unit 1 has become abnormal.

For example, the arithmetic unit 2 gives predetermined test data to the arithmetic unit 1, and gives the arithmetic unit 1 a specific arithmetic process that is a part or all of the arithmetic processes performed to control the controlled object. The test data is used as an input value. Then, the calculation unit 2 inputs the calculation result by the calculation unit 1 from the calculation unit 1, and compares the calculation result with the expected value corresponding to the test data to determine whether the control operation of the calculation unit 1 is normal or not. Monitor. Further, for example, the arithmetic unit 2 performs the same arithmetic processing as the specific arithmetic processing performed by the arithmetic unit 1, and compares the arithmetic result of the specific arithmetic processing by the arithmetic unit 1 with the arithmetic result by the arithmetic unit 2. Therefore, the control operation of the arithmetic unit 1 may be monitored. Further, for example, the calculation unit 2 may monitor the control operation of the calculation unit 1 by determining whether or not the calculation result of the predetermined calculation process input from the calculation unit 1 is within the normal range.

The AND circuit 4 is a circuit that outputs a AND signal of two input signals.
[1-2. signal]
A reset request signal R21 for the arithmetic unit 1 is output from the arithmetic unit 2 to the first input terminal which is one input terminal of the logical product circuit 4. Further, the reset request signal R31 for the arithmetic unit 1 is output from the arithmetic unit 3 to the second input terminal which is the other input terminal of the AND circuit 4. If x is the code of the calculation unit of the signal output source and y is the code of the calculation unit of the signal output destination, it means that the reset request signal Rxy is a reset request signal from the calculation unit x to the calculation unit y. do.

Further, a notification signal X indicating that the calculation unit 2 has output the reset request signal R21 is output from the calculation unit 2 to the calculation unit 3. It can also be said that the notification signal X is a signal (that is, abnormality information) indicating that the calculation unit 2 has detected an abnormality in the calculation unit 1.

The AND circuit 4 outputs a reset signal to the calculation unit 1 when the reset request signal R21 is output from the calculation unit 2 and the reset request signal R31 is output from the calculation unit 3. That is, the output signal of the AND circuit 4 is the reset input signal RST1 of the arithmetic unit 1.

In the present embodiment, outputting a signal means making the signal an active level. Further, in the present embodiment, the active level of the signal is high, but it may be low.

In the following description, "ON" with respect to a signal means that the signal is at the active level, that is, the signal is output. Further, "OFF" with respect to a signal means that the signal is at an inactive level, that is, the signal is not output.

[1-3. process]
[1-3-1. Processing of arithmetic unit 2]
The calculation unit 2 performs the signal output process of FIG. 2 with respect to the reset of the calculation unit 1, for example, at predetermined time intervals.

As shown in FIG. 2, when the signal output process is started, the calculation unit 2 determines whether or not the abnormality of the calculation unit 1 is detected by the monitoring function for the calculation unit 1 in S110. If the arithmetic unit 2 has not detected an abnormality in the arithmetic unit 1, the arithmetic unit 2 turns off the reset request signal R21 to the AND circuit 4 in S120, and sends a notification signal X to the arithmetic unit 3 in S130. Turn off. After that, the calculation unit 2 ends the signal output processing.

Further, when the calculation unit 2 determines that the abnormality of the calculation unit 1 is detected in the above S110, the calculation unit 2 turns on the reset request signal R21 to the AND circuit 4 in S140, and calculates in S150. The notification signal X to the unit 3 is turned on. After that, the calculation unit 2 ends the signal output processing.

That is, when the arithmetic unit 2 detects an abnormality in the arithmetic unit 1, it turns on the reset request signal R21 and turns on the notification signal X.
[1-3-2. Processing of arithmetic unit 3]
The calculation unit 3 performs the signal output process of FIG. 3 with respect to the reset of the calculation unit 1, for example, at predetermined time intervals.

As shown in FIG. 3, when the calculation unit 3 starts the signal output process, S210 determines whether or not the notification signal X from the calculation unit 2 is ON, and if the notification signal X is not ON, the calculation unit 3 determines whether or not the notification signal X is ON. , S220 turns off the reset request signal R31 to the AND circuit 4. After that, the calculation unit 3 ends the signal output process.

Further, when the calculation unit 3 determines in S210 that the notification signal X is ON, the arithmetic unit 3 turns on the reset request signal R31 to the AND circuit 4 in S230, and then performs the signal output processing. To finish.

That is, the calculation unit 3 turns on the reset request signal R31 when the notification signal X from the calculation unit 2 is input. Then, when both the reset request signal R21 from the arithmetic unit 2 and the reset request signal R31 from the arithmetic unit 3 are turned ON, the reset input signal RST1 from the AND circuit 4 to the arithmetic unit 1 is turned ON. The arithmetic unit 1 is reset.

[1-4. effect]
According to the first embodiment described in detail above, the following effects are obtained.
(1a) An abnormality occurs in the arithmetic unit 2 that monitors the arithmetic unit 1, and even if the arithmetic unit 1 outputs a reset request signal R21 to the arithmetic unit 1 even though the arithmetic unit 1 is normal, the notification signal X must be output. , The arithmetic unit 3 does not output the reset request signal R31 for the arithmetic unit 1. Therefore, an erroneous reset of the calculation unit 1 is avoided. For example, in the calculation unit 2, even if the signal output unit for outputting the reset request signal R21 fails and the reset request signal R21 is erroneously output, if the notification signal X is not output, the calculation unit 1 resets. Not done. Further, the arithmetic unit 2 monitors the control operation of the arithmetic unit 1, but the arithmetic unit 3 does not have to monitor the same control operation as the arithmetic unit 2. Therefore, among the calculation units 2 and 3 related to the reset of the calculation unit 1 that performs control, it is possible to suppress the erroneous reset of the calculation unit 1 while suppressing the processing load of the calculation unit 3.

In this embodiment, the calculation unit 1 corresponds to the first calculation unit, the calculation unit 2 corresponds to the second calculation unit, and the calculation unit 3 corresponds to the third calculation unit.
On the other hand, although the arithmetic unit 3 may be additionally provided, the existing arithmetic unit having a function different from the arithmetic units 1 and 2 may be provided with the function of the arithmetic unit 3.

[2. Second Embodiment]
[2-1. Differences from the first embodiment]
Since the basic configuration of the second embodiment is the same as that of the first embodiment, the differences from the first embodiment will be described below. It should be noted that the same reference numerals as those in the first embodiment indicate the same configuration, and the preceding description will be referred to.

In the vehicle-mounted control device 11 of the second embodiment shown in FIG. 4, as compared with the first embodiment, the calculation unit 3 further includes a monitoring function for the calculation unit 2. The monitoring function for the calculation unit 2 is a function for monitoring the operation of the calculation unit 2, and may be any function as long as it can detect that the operation of the calculation unit 2 has become abnormal. The operation of the arithmetic unit 2 referred to here is an operation of monitoring the arithmetic unit 1.

The monitoring of the arithmetic unit 2 may be performed by a simpler method than the monitoring of the arithmetic unit 1 by the arithmetic unit 2 because the monitoring of the arithmetic unit 2 only needs to be able to monitor that the monitoring of the arithmetic unit 1 is working. .. For example, the calculation unit 3 monitors the output interval of the watch dog pulse output by the calculation unit 2 by the periodic execution of the predetermined program, or the calculation unit 2 counts up and outputs the output by the periodic execution of the predetermined program. The operation of the arithmetic unit 2 may be monitored by monitoring the change state of the counter value.

Further, the arithmetic unit 3 performs the signal output processing of FIG. 5 instead of the signal output processing of FIG.
In the signal output process of FIG. 5, as compared with the signal output process of FIG. 3, the processes of S200 and S215 are performed instead of S210.

[2-2. Processing of arithmetic unit 3]
As shown in FIG. 5, when the signal output process is started, the arithmetic unit 3 determines whether or not the abnormality of the arithmetic unit 2 is detected by the monitoring function for the arithmetic unit 2 in S200, and the abnormality of the arithmetic unit 2 is determined. Is detected, the reset request signal R31 to the AND circuit 4 is turned off in S220. After that, the calculation unit 3 ends the signal output process.

Further, when the calculation unit 3 determines that the abnormality of the calculation unit 2 has not been detected in the above S200, the notification signal X from the calculation unit 2 is continuously turned on for a certain period of time or longer in S215. Judge whether or not. That is, the calculation unit 3 determines whether or not the time during which the notification signal X from the calculation unit 2 has been continuously input has exceeded a certain period of time. This fixed time is set to be longer than the design time required for the calculation unit 3 to detect the abnormality of the calculation unit 2.

When the calculation unit 3 determines in S215 that the notification signal X has not been turned on for a certain period of time or longer, the calculation unit 3 proceeds to S220 and turns off the reset request signal R31. Further, when the calculation unit 3 determines in S215 that the notification signal X has been turned on for a certain period of time or longer, the calculation unit 3 determines that the normal calculation unit 2 has turned on the notification signal X, and proceeds to S230. .. Then, the calculation unit 3 turns on the reset request signal R31 in S230, and then ends the signal output process.

As described above, the arithmetic unit 3 sets the reset request signal R31 to the AND circuit 4 on condition that the notification signal X from the arithmetic unit 2 is input only when the abnormality of the arithmetic unit 2 is not detected. It is designed to output to.

[2-3. Operation example]
An operation example when an abnormality occurs in the calculation unit 1 will be described with reference to FIG. Further, an operation example when an abnormality occurs in the calculation unit 2 will be described with reference to FIG. 7. In FIGS. 6 and 7, S1 is the state of the calculation unit 1, and S2 is the state of the calculation unit 2. Further, W21 is a monitoring result of the calculation unit 1 by the calculation unit 2, and W32 is a monitoring result of the calculation unit 2 by the calculation unit 3. And each of W21 and W32 indicates that the high level detected the abnormality.

As shown in FIG. 6, it is assumed that the arithmetic unit 1 becomes abnormal at time t0. In this case, the arithmetic unit 2 detects an abnormality in the arithmetic unit 1 at time t1 and executes S140 and S150 in FIG. 2 to turn on the reset request signal R21 and the notification signal X. After that, the arithmetic unit 3 determines that the notification signal X has been turned on for a certain period of time or longer in S215 of FIG. 5, and turns on the reset request signal R31 by executing S230 of FIG. 5 at time t2. .. Then, the reset input signal RST1 from the AND circuit 4 to the arithmetic unit 1 is turned ON, and the arithmetic unit 1 is reset. In this way, when the calculation unit 1 is abnormal, the calculation unit 1 is correctly reset by the operations of the calculation units 2 and 3.

On the other hand, as shown in FIG. 7, it is assumed that the arithmetic unit 2 becomes abnormal at time t3. In this case, the reset request signal R21 and the notification signal X from the calculation unit 2 are undefined. After that, the calculation unit 3 detects an abnormality in the calculation unit 2 at time t4. The time from when the calculation unit 2 becomes abnormal until the calculation unit 3 detects the abnormality in the calculation unit 2 is shorter than the above-mentioned fixed time. Therefore, even if the notification signal X from the abnormal calculation unit 2 is turned on, the calculation unit 3 does not execute S230 in FIG. 5 and leaves the reset request signal R31 OFF. Therefore, the calculation unit 1 continues to operate without being erroneously reset due to an abnormality in the calculation unit 2.

[2-4. effect]
According to the second embodiment described in detail above, the same effect as the effect (1a) described for the first embodiment is obtained, and the following effects are also obtained.

(2a) The arithmetic unit 3 monitors the operation of the arithmetic unit 2 and resets only when the abnormality of the arithmetic unit 2 is not detected, on condition that the notification signal X from the arithmetic unit 2 is input. The request signal R31 is output to the AND circuit 4. Therefore, even if the arithmetic unit 2 becomes abnormal and both the reset request signal R21 and the notification signal X are output, the arithmetic unit 3 does not output the reset request signal R31, and the erroneous reset of the arithmetic unit 1 is avoided. .. Further, by making the determination of S215 in FIG. 5, the certainty of avoiding an erroneous reset is increased. Then, as described above, the monitoring of the calculation unit 2 by the calculation unit 3 may be a simpler method than the monitoring of the calculation unit 1 by the calculation unit 2. Therefore, the processing content of the calculation unit 3 can be simpler than the processing content of the calculation unit 2. Therefore, it is possible to suppress the erroneous reset of the calculation unit 1 while suppressing the processing load of the calculation unit 3.

[3. Third Embodiment]
[3-1. Differences from the second embodiment]
Since the basic configuration of the third embodiment is the same as that of the second embodiment, the differences from the second embodiment will be described below. It should be noted that the same reference numerals as those of the second embodiment indicate the same configuration, and the preceding description will be referred to.

In the vehicle-mounted control device 11 of the third embodiment shown in FIG. 8, the calculation unit 1 has a monitoring function for the calculation unit 2 as compared with the second embodiment. That is, the arithmetic unit 1 and the arithmetic unit 2 are in a relationship of mutually monitoring.

As described above, the monitoring function for the arithmetic unit 2 may be a simpler method than the monitoring of the arithmetic unit 1 by the arithmetic unit 2 because it is sufficient that the arithmetic unit 2 can monitor the arithmetic unit 1 as long as it is working. Therefore, the arithmetic unit 1 is, for example, by a method similar to the monitoring performed by the arithmetic unit 3 of the second embodiment on the arithmetic unit 2, that is, by monitoring the output interval of the watchdog pulse, the change state of the counter value, and the like. , Monitor the operation of the arithmetic unit 2.

Further, the calculation unit 1 performs the mode switching process of FIG. 9, for example, at predetermined time intervals.
[3-2. Mode switching process of arithmetic unit 1]
As shown in FIG. 9, when the mode switching process is started, the calculation unit 1 determines whether or not an abnormality in the calculation unit 2 is detected by the monitoring function for the calculation unit 2 in S310.

When the calculation unit 1 determines that the abnormality of the calculation unit 2 has not been detected in the above S310, the calculation unit 1 is set to the mode in which the normal control (that is, normal control) of the controlled object is performed in the S330, and then the mode is set. The mode switching process is terminated. Since the operation mode (that is, the basic mode) from the start of the arithmetic unit 1 is a mode for performing normal control, S330 may not be necessary.

Further, when the calculation unit 1 determines in S310 that an abnormality in the calculation unit 2 is detected, the calculation unit 1 switches to a mode (that is, a fail-safe mode) in which fail-safe measures are performed instead of normal control in S320. After that, the mode switching process is terminated.

In the fail-safe mode, the calculation unit 1 implements control for putting the vehicle in a safe state as a fail-safe measure. For example, if the calculation unit 1 controls the electronic throttle that adjusts the intake air amount of the engine, in the fail-safe mode, the calculation unit 1 performs a procedure for forcibly cutting the drive signal or the drive power to the electronic throttle to reduce the intake air amount. Minimize the amount required to run the engine. Further, for example, if the calculation unit 1 controls the fuel injection of the engine, in the fail-safe mode, the calculation unit 1 performs a measure of forcibly cutting the drive signal or the drive power to the injector to stop the engine.

[3-3. effect]
The arithmetic unit 1 monitors the operation of the arithmetic unit 2, and when an abnormality in the arithmetic unit 2 is detected, the operation unit 1 switches to a mode in which a fail-safe measure is executed. Therefore, it is possible to suppress the possibility that the arithmetic unit 1 fails after the arithmetic unit 2 fails and the vehicle goes into an unexpected state due to an unexpected operation of the unmonitored arithmetic unit 1. can.

The matter of the third embodiment may be applied to the in-vehicle control device 11 of the first embodiment.
[4. Fourth Embodiment]
[4-1. Differences from the third embodiment]
Since the basic configuration of the fourth embodiment is the same as that of the third embodiment, the differences from the third embodiment will be described below. It should be noted that the same reference numerals as those in the third embodiment indicate the same configuration, and the preceding description will be referred to.

The in-vehicle control device 11 of the fourth embodiment shown in FIG. 10 is different from the third embodiment in the following points <4-1a> to <4-1c>.
<4-1a> A logical product circuit 5 is further provided. The AND circuit 5 is a circuit that outputs a AND signal of two input signals, similarly to the AND circuit 4.

Then, the reset request signal R12 for the arithmetic unit 2 is output from the arithmetic unit 1 to the first input terminal which is one input terminal of the logical product circuit 5. Further, the reset request signal R32 for the arithmetic unit 2 is output from the arithmetic unit 3 to the second input terminal which is the other input terminal of the AND circuit 5.

Further, a notification signal Y indicating that the calculation unit 1 has output the reset request signal R12 is output from the calculation unit 1 to the calculation unit 3. It can also be said that the notification signal Y is a signal (that is, abnormality information) indicating that the calculation unit 1 has detected an abnormality in the calculation unit 2.

The AND circuit 5 outputs a reset signal to the calculation unit 2 when the reset request signal R12 is output from the calculation unit 1 and the reset request signal R32 is output from the calculation unit 3. That is, the output signal of the AND circuit 5 is the reset input signal RST2 of the arithmetic unit 2.

<4-1b> The calculation unit 1 performs the signal output processing of FIG. 11 with respect to the reset of the calculation unit 2, for example, at predetermined time intervals. The signal output process of FIG. 11 is the same process as the signal output process of FIG.

As shown in FIG. 11, when the signal output process is started, the arithmetic unit 1 determines whether or not an abnormality in the arithmetic unit 2 is detected by the monitoring function for the arithmetic unit 2 in S410. If the arithmetic unit 1 has not detected an abnormality in the arithmetic unit 2, the arithmetic unit 1 turns off the reset request signal R12 to the AND circuit 5 in S420, and sends a notification signal Y to the arithmetic unit 3 in S430. Turn off. After that, the arithmetic unit 1 ends the signal output processing.

Further, when the calculation unit 1 determines that the abnormality of the calculation unit 2 is detected in the above S410, the calculation unit 1 turns on the reset request signal R12 to the AND circuit 5 in S440, and calculates in S450. The notification signal Y to the unit 3 is turned on. After that, the arithmetic unit 1 ends the signal output processing.

That is, when the arithmetic unit 1 detects an abnormality in the arithmetic unit 2, it turns on the reset request signal R12 and turns on the notification signal Y.
<4-1c> The calculation unit 3 performs the signal output processing of FIG. 12 with respect to the reset of the calculation unit 2, for example, at predetermined time intervals. The signal output process of FIG. 12 is the same process as the signal output process of FIG.

As shown in FIG. 12, when the calculation unit 3 starts the signal output process, S510 determines whether or not the notification signal Y from the calculation unit 1 is ON, and if the notification signal Y is not ON, the calculation unit 3 determines whether or not the notification signal Y is ON. , S520 turns off the reset request signal R32 to the AND circuit 5. After that, the calculation unit 3 ends the signal output process.

Further, when the calculation unit 3 determines in S510 that the notification signal Y is ON, the arithmetic unit 3 turns on the reset request signal R21 to the AND circuit 5 in S530, and then performs the signal output processing. To finish.

That is, the calculation unit 3 turns on the reset request signal R32 when the notification signal Y from the calculation unit 1 is input. Then, when both the reset request signal R12 from the arithmetic unit 1 and the reset request signal R32 from the arithmetic unit 3 are turned ON, the reset input signal RST2 from the AND circuit 5 to the arithmetic unit 2 is turned ON. The arithmetic unit 2 is reset.

[4-2. effect]
In the fourth embodiment, when the calculation unit 1 detects an abnormality in the calculation unit 2, the calculation unit 2 is reset. Therefore, when the arithmetic unit 2 becomes abnormal, the abnormal output of the arithmetic unit 2 is blocked by the reset, and the arithmetic unit 1 performs the above-mentioned fail-safe measure.

Then, regarding the reset of the calculation unit 2, the calculation unit 1 plays the same role as the calculation unit 2 of the first embodiment regarding the reset of the calculation unit 1.
Further, regarding the reset of the calculation unit 2, the calculation unit 3 plays the same role as the calculation unit 3 of the first embodiment regarding the reset of the calculation unit 1.

Further, regarding the reset of the arithmetic unit 2, the AND circuit 5 plays the same role as the logical product circuit 4 regarding the reset of the arithmetic unit 1.
Therefore, the reset of the calculation unit 2 has the same effect as the effect (1a) described in the first embodiment. That is, even if the calculation unit 2 is normal but the calculation unit 1 outputs the reset request signal R12 to the calculation unit 2, if the notification signal Y is not output, the calculation unit 3 does not output the reset request signal R32 to the calculation unit 2. Therefore, an erroneous reset of the calculation unit 2 is avoided.

The logical product circuit 4 corresponds to the first logical product unit, and the logical product circuit 5 corresponds to the second logical product unit. The notification signal X corresponds to the first notification signal, and the notification signal Y corresponds to the second notification signal.
[5. Fifth Embodiment]
[5-1. Differences from the fourth embodiment]
Since the basic configuration of the fifth embodiment is the same as that of the fourth embodiment, the differences from the fourth embodiment will be described below. It should be noted that the same reference numerals as those in the fourth embodiment indicate the same configuration, and the preceding description will be referred to.

The in-vehicle control device 11 of the fifth embodiment shown in FIG. 13 differs from the fourth embodiment in the following points <5-1a> and <5-1b>.
<5-1a> The arithmetic unit 3 further includes a monitoring function for the arithmetic unit 1. However, the monitoring function for the calculation unit 1 included in the calculation unit 3 is different from the monitoring function for the calculation unit 1 provided in the calculation unit 2, and is a function for monitoring the monitoring operation for the calculation unit 2 of the calculation unit 1. That is, the monitoring of the calculation unit 1 by the calculation unit 3 may be performed by a simpler method than the monitoring of the calculation unit 1 by the calculation unit 2 as long as the monitoring of the calculation unit 2 by the calculation unit 1 can be monitored. Therefore, the arithmetic unit 3 is, for example, by a method similar to the monitoring performed by the arithmetic unit 3 of the second embodiment on the arithmetic unit 2, that is, by monitoring the output interval of the watchdog pulse, the change state of the counter value, and the like. , Monitor the operation of the arithmetic unit 1.

<5-1b> The arithmetic unit 3 performs the signal output processing of FIG. 14 instead of the signal output processing of FIG. In the signal output process of FIG. 14, as compared with the signal output process of FIG. 12, the processes of S500 and S515 are performed instead of S510. The signal output process of FIG. 14 is the same process as the signal output process of FIG.

As shown in FIG. 14, when the signal output process is started, the arithmetic unit 3 determines whether or not the abnormality of the arithmetic unit 1 is detected by the monitoring function for the arithmetic unit 1 in S500, and the abnormality of the arithmetic unit 1 is determined. Is detected, the reset request signal R32 to the AND circuit 5 is turned off in S520. After that, the calculation unit 3 ends the signal output process.

Further, when the calculation unit 3 determines that the abnormality of the calculation unit 1 has not been detected in the above S500, the notification signal Y from the calculation unit 1 is continuously turned on for a certain period of time or longer in S515. Judge whether or not. That is, the calculation unit 3 determines whether or not the time during which the notification signal X from the calculation unit 1 has been continuously input has exceeded a certain period of time. This fixed time is set to be longer than the design time required for the calculation unit 3 to detect the abnormality of the calculation unit 1.

When the calculation unit 3 determines in S515 that the notification signal Y has not been turned on for a certain period of time or longer, the calculation unit 3 proceeds to S520 and turns off the reset request signal R32. If the calculation unit 3 determines in S515 that the notification signal Y has been turned on for a certain period of time or longer, the calculation unit 3 determines that the normal calculation unit 1 has turned on the notification signal Y, and proceeds to S530. .. Then, the arithmetic unit 3 turns on the reset request signal R32 in S530, and then ends the signal output process.

As described above, the arithmetic unit 3 sets the reset request signal R32 to the AND circuit 5 on condition that the notification signal Y from the arithmetic unit 1 is input only when the abnormality of the arithmetic unit 1 is not detected. It is designed to output to.

[5-2. effect]
In the fifth embodiment, regarding the reset of the calculation unit 2, the calculation unit 3 plays the same role as the calculation unit 3 of the second embodiment regarding the reset of the calculation unit 1.

Therefore, the reset of the calculation unit 2 has the same effect as the effect (2a) described in the second embodiment. That is, even if the arithmetic unit 1 becomes abnormal and both the reset request signal R12 and the notification signal Y are output, the arithmetic unit 3 does not output the reset request signal R32, and the erroneous reset of the arithmetic unit 2 is avoided. Further, by making the determination of S515 in FIG. 14, the certainty of avoiding an erroneous reset is increased. Then, as described above, the monitoring of the calculation unit 1 by the calculation unit 3 may be a simpler method than the monitoring of the calculation unit 1 by the calculation unit 2.

[6. 6th Embodiment]
[6-1. Differences from the second embodiment]
Since the basic configuration of the sixth embodiment is the same as that of the second embodiment, the differences from the second embodiment will be described below. It should be noted that the same reference numerals as those of the second embodiment indicate the same configuration, and the preceding description will be referred to.

The in-vehicle control device 11 of the sixth embodiment shown in FIG. 15 is different from the second embodiment in the following points <6-1a> to <6-1c>.
<6-1a> The calculation unit 2 does not output the notification signal X to the calculation unit 3.

Therefore, the arithmetic unit 2 performs the signal output processing of FIG. 16 instead of the signal output processing of FIG. In the signal output process of FIG. 16, as compared with the signal output process of FIG. 2, the processes of S130 and S150 related to the output of the notification signal X are deleted.

<6-1b> As shown in FIG. 15, the reset request signal R21 output from the calculation unit 2 is also input to the calculation unit 3.
<6-1c> The arithmetic unit 3 performs the signal output processing of FIG. 17 instead of the signal output processing of FIG. In the signal output process of FIG. 17, as compared with the signal output process of FIG. 5, the process of S217 is performed instead of S215.

As shown in FIG. 17, when the calculation unit 3 determines that the abnormality of the calculation unit 2 has not been detected in S200, the calculation unit 3 proceeds to S217. Then, in S217, the calculation unit 3 determines whether or not the reset request signal R21 from the calculation unit 2 has been turned on for a certain period of time or longer. That is, the calculation unit 3 determines whether or not the time during which the reset request signal R21 from the calculation unit 2 has been continuously input has exceeded a certain period of time. This fixed time is also set to be longer than the design time required for the arithmetic unit 3 to detect the abnormality of the arithmetic unit 2.

When the calculation unit 3 determines in S217 that the reset request signal R21 has not been turned on for a certain period of time or longer, the calculation unit 3 proceeds to S220 and proceeds to S220, as in the case of determining YES in S200, and the reset request signal R31. Is turned off. Further, when the calculation unit 3 determines in S217 that the reset request signal R21 has been turned on for a certain period of time or longer, the calculation unit 3 determines that the normal calculation unit 2 has turned on the reset request signal R21, and determines that the reset request signal R21 has been turned on in S230. And turns on the reset request signal R31.

[6-2. effect]
By the signal output processing of FIG. 17, the calculation unit 3 only when the abnormality of the calculation unit 2 is not detected, on condition that the reset request signal R21 from the calculation unit 2 is input, the reset request signal R31 Is output to the AND circuit 4.

Therefore, the same effect as the effect (2a) described in the second embodiment is obtained. That is, even if the calculation unit 2 becomes abnormal and the reset request signal R21 is output, the calculation unit 3 does not output the reset request signal R31, and the erroneous reset of the calculation unit 1 is avoided. Further, by making the determination of S217 in FIG. 17, the certainty of avoiding an erroneous reset is increased. Further, since the notification signal X is not required, the configuration can be simple.

[7. Seventh Embodiment]
[7-1. Differences from the sixth embodiment]
Since the basic configuration of the seventh embodiment is the same as that of the sixth embodiment, the differences from the sixth embodiment will be described below. It should be noted that the same reference numerals as those in the sixth embodiment indicate the same configuration, and the preceding description will be referred to.

In the vehicle-mounted control device 11 of the seventh embodiment shown in FIG. 18, as compared with the sixth embodiment, the calculation unit 1 has a monitoring function for the calculation unit 2 as in the third embodiment.
Further, the calculation unit 1 performs the mode switching process of FIG. 9 at predetermined time intervals, for example, as in the third embodiment.

[7-2. effect]
According to the in-vehicle control device 11 of the seventh embodiment as described above, the same effect as that described for the third embodiment is obtained. Further, since the notification signal X is not required, the configuration can be simple.

[8. Eighth Embodiment]
[8-1. Differences from the 7th embodiment]
Since the basic configuration of the eighth embodiment is the same as that of the seventh embodiment, the differences from the seventh embodiment will be described below. It should be noted that the same reference numerals as those in the seventh embodiment indicate the same configuration, and the preceding description will be referred to.

The in-vehicle control device 11 of the eighth embodiment shown in FIG. 19 is different from the seventh embodiment in the following points <8-1a> to <8-1e>.
<8-1a> Further provided with the AND circuit 5 as in the fourth and fifth embodiments. Similar to the fourth and fifth embodiments, the reset request signal R12 for the arithmetic unit 2 is output from the arithmetic unit 1 to the first input terminal of the logical product circuit 5, and the arithmetic unit 3 outputs the second input terminal of the logical product circuit 5. A reset request signal R32 for the arithmetic unit 2 is output to the input terminal. The output signal of the AND circuit 5 is the reset input signal RST2 of the arithmetic unit 2.

<8-1b> The calculation unit 1 performs the signal output processing of FIG. 20 with respect to the reset of the calculation unit 2, for example, at predetermined time intervals. The signal output process of FIG. 20 is the same process as the signal output process of FIG. In other words, the signal output process of FIG. 20 is a process in which S430 and S450 related to the output of the notification signal Y are deleted from the signal output process of FIG. 11 performed by the calculation unit 1 of the fourth and fifth embodiments. ..

As shown in FIG. 20, when the signal output process is started, the arithmetic unit 1 determines whether or not an abnormality in the arithmetic unit 2 is detected by the monitoring function for the arithmetic unit 2 in S410. If the arithmetic unit 1 has not detected an abnormality in the arithmetic unit 2, the reset request signal R12 is turned off in S420, and then the signal output process is terminated. Further, when the calculation unit 1 determines that the abnormality of the calculation unit 2 is detected in the above S410, the calculation unit 1 turns on the reset request signal R12 in the S440, and then ends the signal output process. That is, when the arithmetic unit 1 detects an abnormality in the arithmetic unit 2, it turns on the reset request signal R12.

<8-1c> As shown in FIG. 19, the reset request signal R12 output from the calculation unit 1 is also input to the calculation unit 3.
<8-1d> The calculation unit 3 further includes a monitoring function for the calculation unit 1 as in the fifth embodiment.

<8-1e> The calculation unit 3 performs the signal output processing of FIG. 21 with respect to the reset of the calculation unit 2, for example, at predetermined time intervals. The signal output process of FIG. 21 is the same process as the signal output process of FIG. In other words, in the signal output process of FIG. 21, the process of S517 is performed instead of S515 as compared with the signal output process of FIG. 14 performed by the calculation unit 3 of the fifth embodiment.

As shown in FIG. 21, when the signal output process is started, the arithmetic unit 3 determines whether or not the abnormality of the arithmetic unit 1 is detected by the monitoring function for the arithmetic unit 1 in S500, and the abnormality of the arithmetic unit 1 is determined. Is detected, the reset request signal R32 is turned off in S520. After that, the calculation unit 3 ends the signal output process.

Further, when the calculation unit 3 determines that the abnormality of the calculation unit 1 has not been detected in the above S500, the reset request signal R12 from the calculation unit 1 continues to be turned on for a certain period of time or longer in S517. Determine if it is. That is, the calculation unit 3 determines whether or not the time during which the reset request signal R12 from the calculation unit 1 has been continuously input has exceeded a certain period of time. Similar to the fifth embodiment, this fixed time is set to be longer than the design time required for the arithmetic unit 3 to detect the abnormality of the arithmetic unit 1.

When the calculation unit 3 determines in S517 that the reset request signal R12 has not been turned on for a certain period of time or longer, the calculation unit 3 proceeds to S520 and turns off the reset request signal R32. Further, when the calculation unit 3 determines in S517 that the reset request signal R12 has been turned on for a certain period of time or longer, the calculation unit 3 determines that the normal calculation unit 1 has turned on the reset request signal R12, and determines that the reset request signal R12 has been turned on in S530. Proceed to. Then, the arithmetic unit 3 turns on the reset request signal R32 in S530, and then ends the signal output process.

As described above, the arithmetic unit 3 is ANDed with the reset request signal R32 on condition that the reset request signal R12 is input from the arithmetic unit 1 only when the abnormality of the arithmetic unit 1 is not detected. It is designed to output to 5.

[8-2. effect]
In the eighth embodiment, when the calculation unit 1 detects an abnormality in the calculation unit 2, the calculation unit 2 is reset. Therefore, when the arithmetic unit 2 becomes abnormal, the abnormal output of the arithmetic unit 2 is blocked by the reset, and the arithmetic unit 1 performs the above-mentioned fail-safe measure.

Then, regarding the reset of the calculation unit 2, the calculation unit 1 plays the same role as the calculation unit 2 of the sixth embodiment regarding the reset of the calculation unit 1.
Further, regarding the reset of the calculation unit 2, the calculation unit 3 plays the same role as the calculation unit 3 of the sixth embodiment regarding the reset of the calculation unit 1.

Further, regarding the reset of the arithmetic unit 2, the AND circuit 5 plays the same role as the logical product circuit 4 regarding the reset of the arithmetic unit 1.
Therefore, the reset of the calculation unit 2 has the same effect as that described in the sixth embodiment. That is, even if the calculation unit 1 becomes abnormal and the reset request signal R12 is output, the calculation unit 3 does not output the reset request signal R32, and the erroneous reset of the calculation unit 2 is avoided. Further, by making the determination of S517 in FIG. 21, the certainty of avoiding an erroneous reset is increased. Further, since the notification signals X and Y are not required, the configuration can be simple.

The logical product circuit 4 corresponds to the first logical product unit, and the logical product circuit 5 corresponds to the second logical product unit.
[9. Other embodiments]
Although the embodiments of the present disclosure have been described above, the present disclosure is not limited to the above-described embodiments, and can be variously modified and implemented.

For example, the method for realizing each function of the arithmetic units 1 to 3 is not limited to software, and some or all of the functions may be realized by using one or a plurality of hardware. For example, when the above function is realized by an electronic circuit which is hardware, the electronic circuit may be realized by a digital circuit, an analog circuit, or a combination thereof.

Further, a plurality of functions possessed by one component in the above embodiment may be realized by a plurality of components, or one function possessed by one component may be realized by a plurality of components. Further, a plurality of functions possessed by the plurality of components may be realized by one component, or one function realized by the plurality of components may be realized by one component. Further, a part of the configuration of the above embodiment may be omitted. Further, at least a part of the configuration of the above embodiment may be added or replaced with the configuration of the other above embodiment. It should be noted that all aspects included in the technical idea specified from the wording described in the claims are embodiments of the present disclosure.

Further, in addition to the above-mentioned in-vehicle control device 11, a system having the in-vehicle control device 11 as a component, a program for operating a computer as each of the calculation units 1 to 3 in the in-vehicle control device 11, and this program are recorded. The present disclosure can also be realized in various forms such as a non-transitional actual recording medium such as a semiconductor memory and a reset method.

1 to 3 ... Arithmetic unit, 4, 5 ... AND circuit, 11 ... In-vehicle control device

Claims (12)

The first arithmetic unit (1) configured to control the controlled object in the vehicle, and
The second arithmetic unit (2) configured to monitor the control operation of the first arithmetic unit, and
The third arithmetic unit (3) and
When the reset request signal (R21) for the first calculation unit is output from the second calculation unit, and the reset request signal (R31) for the first calculation unit is output from the third calculation unit, the said. A logical product unit (4) configured to reset the first arithmetic unit is provided.
When the second calculation unit detects an abnormality in the first calculation unit, the second calculation unit outputs a reset request signal to the first calculation unit to the logical product unit, and the second calculation unit causes the first calculation unit to perform the first calculation unit. A notification signal (X) indicating that a reset request signal has been output is output to the third calculation unit.
The third calculation unit is configured to output a reset request signal to the first calculation unit to the AND unit when the notification signal from the second calculation unit is input.
In-vehicle control device. The in-vehicle control device according to claim 1.
The third calculation unit is configured to monitor the operation of the second calculation unit, and the notification signal from the second calculation unit is limited to the case where an abnormality in the second calculation unit is not detected. Is configured to output a reset request signal to the first arithmetic unit to the AND unit on condition that is input.
In-vehicle control device. The in-vehicle control device according to claim 2.
The third calculation unit does not detect an abnormality in the second calculation unit, and the time during which the notification signal from the second calculation unit continues to be input detects an abnormality in the second calculation unit. It is configured to output a reset request signal to the first arithmetic unit to the AND unit when it is determined that the time required for the operation is longer than a certain time.
In-vehicle control device. The vehicle-mounted control device according to any one of claims 1 to 3.
The first calculation unit is configured to monitor the operation of the second calculation unit, and when an abnormality in the second calculation unit is detected, control for putting the vehicle in a safe state is performed. It is configured to switch to the mode to be executed,
In-vehicle control device. The in-vehicle control device according to claim 4.
The logical product unit is the first logical product unit (4).
The notification signal is the first notification signal (X), and is
The reset request signal (R12) for the second calculation unit is output from the first calculation unit, and the reset request signal (R32) for the second calculation unit is output from the third calculation unit. Further, a second logical product unit (5) configured to reset the second arithmetic unit is provided.
When the first calculation unit detects an abnormality in the second calculation unit, the first calculation unit outputs a reset request signal to the second calculation unit to the second logical product unit, and the first calculation unit performs the second calculation unit. The second notification signal (Y) indicating that the reset request signal for the arithmetic unit has been output is configured to be output to the third arithmetic unit.
The third arithmetic unit is configured to output a reset request signal to the second arithmetic unit to the second logical product unit when the second notification signal from the first arithmetic unit is input. Yes,
In-vehicle control device. The in-vehicle control device according to claim 5.
The third calculation unit is configured to monitor the monitoring operation of the first calculation unit with respect to the second calculation unit, and the first calculation unit is limited to the case where an abnormality in the first calculation unit is not detected. The reset request signal for the second arithmetic unit is output to the second AND unit on condition that the second notification signal from the arithmetic unit is input.
In-vehicle control device. The vehicle-mounted control device according to claim 6.
The third calculation unit does not detect an abnormality in the first calculation unit, and the time during which the second notification signal from the first calculation unit continues to be input is an abnormality in the first calculation unit. Is configured to output a reset request signal for the second arithmetic unit to the second AND unit when it is determined that the time required for detecting the above is longer than a certain time.
In-vehicle control device. The first arithmetic unit (1) configured to control the controlled object in the vehicle, and
The second arithmetic unit (2) configured to monitor the control operation of the first arithmetic unit, and
The third arithmetic unit (3) and
When the reset request signal (R21) for the first calculation unit is output from the second calculation unit, and the reset request signal (R31) for the first calculation unit is output from the third calculation unit, the said. A logical product unit (4) configured to reset the first arithmetic unit is provided.
The second calculation unit is configured to output a reset request signal to the first calculation unit to the AND unit when an abnormality in the first calculation unit is detected.
The reset request signal output from the second calculation unit is configured to be input to the third calculation unit as well.
The third calculation unit is configured to monitor the operation of the second calculation unit, and the reset request from the second calculation unit is limited to the case where an abnormality in the second calculation unit is not detected. It is configured to output a reset request signal to the first arithmetic unit to the AND unit on condition that a signal is input.
In-vehicle control device. The vehicle-mounted control device according to claim 8.
The third calculation unit does not detect the abnormality of the second calculation unit, and the time during which the reset request signal from the second calculation unit continues to be input causes the abnormality of the second calculation unit. It is configured to output a reset request signal to the first arithmetic unit to the AND unit when it is determined that the time required for detection is longer than a certain time.
In-vehicle control device. The vehicle-mounted control device according to claim 8 or 9.
The first calculation unit is configured to monitor the operation of the second calculation unit, and when an abnormality in the second calculation unit is detected, control for putting the vehicle in a safe state is performed. It is configured to switch to the mode to be executed,
In-vehicle control device. The vehicle-mounted control device according to claim 10.
The logical product unit is the first logical product unit (4) .
When the reset request signal (R12) for the second calculation unit is output from the first calculation unit, and the reset request signal (R32) for the second calculation unit is output from the third calculation unit. Further, a second logical product unit (5) configured to reset the second arithmetic unit is provided.
The first arithmetic unit is configured to output a reset request signal to the second arithmetic unit to the second logical product unit when an abnormality in the second arithmetic unit is detected.
The reset request signal output from the first calculation unit is configured to be input to the third calculation unit as well.
The third calculation unit is configured to monitor the monitoring operation of the first calculation unit with respect to the second calculation unit, and the first calculation unit is limited to the case where an abnormality in the first calculation unit is not detected. It is configured to output the reset request signal for the second arithmetic unit to the second logical product unit on condition that the reset request signal from the arithmetic unit is input.
In-vehicle control device. The vehicle-mounted control device according to claim 11.
The third calculation unit does not detect the abnormality of the first calculation unit, and the time during which the reset request signal from the first calculation unit continues to be input causes the abnormality of the first calculation unit. It is configured to output a reset request signal for the second arithmetic unit to the second AND unit when it is determined that the time required for detection is longer than a certain time.
In-vehicle control device.

Images