JP7163576B2 - Vehicle control system and vehicle control device - Google Patents

Description

The present disclosure relates to a vehicle control system and a vehicle control device that are mounted on a vehicle and configured such that each of a plurality of calculation units can recognize the presence or absence of a failure in another calculation unit.

Patent Document 1 below describes a vehicle control system having a plurality of computing units, which includes an active computing unit that operates normally and a standby computing unit that normally does not operate and waits, and the active computing unit A technique is disclosed in which, when a system fails, a standby computing unit substitutes for a working computing unit to continue control.

JP 2016-060413 A

By the way, stopping a vehicle in the event of a system failure may cause a serious accident due to a rear-end collision with a following vehicle on a highway, or may endanger human life in extreme environments such as extreme cold, high temperatures, and dryness. Yes, not necessarily safe. In addition, from the user's point of view, there is also a need to move the vehicle to an automobile inspection and maintenance facility such as a car dealer by itself. Therefore, there is a demand for an electric/electronic control system that can safely continue the driving function of the automobile even if the faulty part is isolated or the driving performance is degraded.
However, as a result of a detailed study by the inventor, in the technique of Patent Document 1, when a so-called double failure occurs in which a failure occurs in a standby system operation unit while an active operation operation unit fails, There is a possibility that an unintended signal may be output from each calculation unit, and a problem has been found that the vehicle cannot be safely controlled in this case.

One aspect of the present disclosure is a vehicle control system and a vehicle control device that are mounted on a vehicle and configured such that each of three or more computing units can recognize the presence or absence of a failure from two or more other computing units. To provide a technique for safely controlling a vehicle while continuing control as much as possible when a failure occurs in an arithmetic unit of a vehicle.

A vehicle control system according to one aspect of the present disclosure includes a failure recognition unit (S210, S302, S402, S502, S1302), a control output unit (S214, S224, S234, S313, S323, S413, S423, S513, S523, S91 , S125, S1313, S1323, S1333). The fault recognizing unit is configured to recognize that other calculating units other than the relevant calculating unit are out of order.

In the control output unit, the failed operation unit is defined as the failure unit, the normal operation unit is determined as the non-failed operation unit, and the operation units of the number equal to or greater than the predetermined number set to 2 or more among the other operation units are determined as the failure unit. In this case, an output indicating that a preset fail-safe process is to be performed is performed, and if less than the specified number of calculation units among the other calculation units are faulty parts, the normal part is different from the fail-safe process Vehicle It is configured to perform an output to the effect that the running control of is carried out.

According to such a configuration, when less than the specified number of operation units out of the three or more operation units are malfunctioning units, the normal unit is caused to control the running of the vehicle, and the specified number or more of the operation units are caused to malfunction. Fail-safe processing can be implemented if it is a part. Therefore, the vehicle can be controlled more safely while the control can be continued as much as possible.

It should be noted that the symbols in parentheses described in this column and the scope of claims indicate the correspondence with specific means described in the embodiment described later as one aspect, and the technical scope of the present disclosure is It is not limited.

1 is a block diagram showing the configuration of a vehicle control system according to a first embodiment; FIG. 9 is a flowchart (part 1) of monitoring processing according to the first embodiment; 9 is a flowchart (part 2) of monitoring processing according to the first embodiment; 9 is a flowchart (part 3) of monitoring processing according to the first embodiment; 4 is a flowchart (part 4) of monitoring processing according to the first embodiment; 4 is a timing chart showing an example of states of signals output from a computing unit; FIG. 9 is an explanatory diagram showing the operation of the vehicle control system of the second embodiment; 9 is a flowchart of monitoring processing according to the second embodiment; It is a block diagram which shows the structure of the vehicle control system of 3rd Embodiment. It is a flow chart of monitoring processing of a 3rd embodiment. It is a block diagram which shows the structure of the vehicle control system of 4th Embodiment. FIG. 11 is a flowchart (part 1) of monitoring processing according to the fourth embodiment; FIG. FIG. 16 is a flowchart (part 2) of monitoring processing according to the fourth embodiment; FIG.

Hereinafter, embodiments of the present disclosure will be described with reference to the drawings.
[1. First Embodiment]
[1-1. Constitution]
The vehicle control system 1A shown in FIG. 1 includes a calculation section A100, a calculation section B200, and a calculation section C300. The vehicle control system 1A is configured so that each of the three or more calculation units can monitor the presence or absence of a failure from the other two or more calculation units.

Here, the phrase "presence or absence of a failure can be monitored from two or more other computing units" means a configuration in which a certain computing unit is monitored by two or more computing units as in the first embodiment, and a second computing unit to be described later. As in the embodiment, it means that a certain computing unit is monitored by one computing unit at one time and monitored by a different one computing unit at other times. Further, the calculation units A100, B200, and C300 may be mounted in different electronic control units, or may be mounted in one electronic control unit.

The vehicle control system 1A may also include an OR gate 11, AND gates 12, 13 and 14, and latch circuits 15, 16 and 17.
The arithmetic units A100, B200, and C300 are respectively provided with microcomputers having CPUs 101, 201, and 301 and semiconductor memories such as RAMs or ROMs (hereinafter referred to as memories 102, 202, and 302). Each function of the arithmetic units A100, B200, and C300 is realized by the CPUs 101, 201, and 301 executing programs stored in non-transitional substantive recording media. In this example, memories 102, 202, and 302 correspond to non-transitional substantive recording media storing programs. Also, by executing this program, a method corresponding to the program is executed.

Note that the non-transitional substantive recording medium means a recording medium excluding electromagnetic waves. Moreover, the arithmetic units A100, B200, and C300 may be provided with one microcomputer, or may be provided with a plurality of microcomputers.

Further, the memories 102, 202, 302 do not need to be provided in the respective arithmetic units A100, B200, C300, and the arithmetic units A100, B200, C300 use memories arranged outside the arithmetic units A100, B200, C300. It may be configured to be shared.

The calculation units A100, B200, and C300 have a vehicle control function. Vehicle control refers to controlling any device that the vehicle has, and includes, for example, engine control, braking control, air conditioner control, and the like. In particular, it now includes a monitoring function. The monitoring function is a function of the arithmetic units A100, B200, and C300 to monitor whether other arithmetic units are operating normally. For example, it is possible to configure a unit in which the arithmetic unit A100 performs driving force control, a unit in which the arithmetic unit B200 performs battery control, and a unit in which the arithmetic unit C300 only monitors the arithmetic units A100 and B200.

In the monitoring function, the computing units A100, B200, and C300 monitor each other. As a result, when any one calculation unit fails, the remaining two calculation units can detect the failure. Also, even after any one of the calculation units fails, the remaining two calculation units can continue to monitor each other.

It should be noted that the monitoring here means any means as long as it is a method capable of detecting a failure of the computing unit. For example, by making the monitored side perform basic calculations and outputting the results to the monitoring side, a method of checking the arithmetic unit, or a method where the monitored side monitors communication data such as watchdog pulses and counters that operate at regular intervals. There is a method of outputting to the side and checking the CPU flow.

Alternatively, at the application level, data obtained by control such as calculation results of vehicle control software may be monitored by another calculation unit. In a mutual monitoring configuration, when an abnormal signal or communication data is output to one device, the other device checks whether the abnormality is correctly determined, that is, whether the monitoring function is operating. etc. can also be considered.

The method of realizing the functions of the units included in the arithmetic units A100, B200, and C300 is not limited to software, and some or all of the functions may be realized using one or more pieces of hardware. For example, when the above functions are realized by an electronic circuit that is hardware, the electronic circuit may be realized by a digital circuit, an analog circuit, or a combination thereof.

Here, the OR gate 11 is a known electronic circuit that outputs a logical sum. AND gates 12, 13 and 14 are well-known electronic circuits that output a logical product. OR gate 11 outputs a fail-safe signal upon receiving any one of FSx output from arithmetic units A100, B200, and C300.

Latch circuits 15, 16, and 17 are well-known circuits having a function of continuing to output ON once ON is input until receiving a reset signal for the latch circuit. Latch circuits 15, 16 and 17 are arranged on the output sides of AND gates 12, 13 and 14, respectively.

[1-2. signal]
Signals output from the arithmetic units A100, B200, and C300 will be described below. Each arithmetic unit A100, B200, C300 is provided with a monitor output terminal unit, and Wxy is output from this monitor output terminal unit. Wxy is a signal representing a monitoring result, x is a number representing a signal output source arithmetic unit, and y is a number representing a signal output destination arithmetic unit. In this embodiment, the calculation unit A100 corresponds to x=1 and y=1, the calculation unit B200 corresponds to x=2 and y=2, and the calculation unit C300 corresponds to x=3 and y=3.

That is, W12 is the monitoring result of the computing unit B200 determined by the computing unit A100, and W13 is the monitoring result of the computing unit C300 determined by the computing unit A100. W21 is the monitoring result of the computing unit A100 determined by the computing unit B200, and W23 is the monitoring result of the computing unit C300 determined by the computing unit B200. W31 is the monitoring result of the computing unit A100 determined by the computing unit C300, and W32 is the monitoring result of the computing unit B200 determined by the computing unit C300.

Each of the computing units A100, B200, and C300 turns off Wxy before detecting an abnormality in the monitored computing unit, and turns on Wxy when detecting an abnormality in the monitored computing unit.
Further, each of the arithmetic units A100, B200, and C300 has an input terminal unit to which RSTx is input. x is a number representing a computing unit having an input terminal. RSTx is an external reset signal that is input to each calculation unit. When RSTx is turned ON, the calculation unit is reset, and all operations and outputs of the calculation unit are stopped.

In other words, RSTx functions as a stop command for stopping the functions of the computing unit. In this embodiment, since the latch circuits 15, 16, and 17 keep RSTx ON, each of the arithmetic units A100, B200, and C300 continues to be reset due to the continuation of the ON input of RSTx, and the output of the signal stops. do.

RST1 is the reset input of the arithmetic section A100, RST2 is the reset input of the arithmetic section B200, and RST3 is the reset input of the arithmetic section C300. As will be described later, the malfunctioning computation unit enters a reset state when ON is input to the input terminal unit from another computation unit. Here, in the following description, a malfunctioning computing unit is also referred to as a "faulty unit", and a non-faulty computing unit is also referred to as a "normal unit".

The expected effect of this proposal is that the malfunctioning calculation unit does not output an abnormal signal to the outside when this signal is turned ON. A configuration that employs a signal that continues to have an effect or an effect of disabling all output ports may be employed.

Next, each of the arithmetic units A100, B200, and C300 is provided with a fail-safe output terminal section, and FSx is output from this fail-safe output terminal section. x is a number representing a signal output source calculation unit.

FS1 is the fail-safe output from the arithmetic unit A100, FS2 is the fail-safe output from the arithmetic unit, and FS3 is the fail-safe output from the arithmetic unit C300. FS is output by the OR gate 11 as the logical sum of FS1, FS2 and FS3.

FS is a fail-safe signal that represents the fail-safe output output from the entire system proposed in this proposal. to control. For example, in a hybrid vehicle or an electric vehicle, it is connected to a driving device of an electric motor that generates the driving force of the vehicle, and the driving device forcibly cuts off the driving force at the time of ON output.

Each of the arithmetic units A100, B200, and C300 turns on the fail-safe signal FSx when a double failure of the arithmetic unit is detected, or when a fatal abnormality is detected that makes it unsafe to continue the running function. Output. However, in view of the problem of the present invention, it is preferable that the fail-safe signal FSx is turned OFF when the operation unit has only a single failure and the running function can be continued.

The OR gate 11 is required to safely stop the vehicle when any of the computing units detects a double failure or fatal abnormality. It should be noted that the arithmetic units A100, B200, and C300 are set so that FSx is turned off when reset by RSTx after a failure occurs.

However, if the FSx output becomes high impedance in a state where each of the arithmetic units A100, B200, and C300 are reset, the FSx output should be turned off by an external pull-up or pull-down. This configuration is intended to allow the remaining operation units to continue running in the event of a single failure, and to turn on the FS only when a double failure or fatal abnormality is detected.

Here, RST1 is the output result of the AND gate 12 with W21 and W31 as inputs, RST2 is the output result of the AND gate 13 with W12 and W32 as inputs, and RST3 is the AND gate with W13 and W23 as inputs. 14 output results. With this configuration, for example, when the arithmetic unit A100 fails, the arithmetic units B200 and C300 detect the failure of the arithmetic unit A100, and W21=ON and W31=ON, so the arithmetic unit A100 is reset. It is possible to stop the output of the malfunctioning arithmetic unit A100.

If the AND gates 12 to 14 are OR gates instead of AND gates, for example, in the event of a single failure of the arithmetic unit A100, W12 will be an abnormal output, and the output will be unknown. . For example, if W12 is turned ON, there is a risk that the calculation unit B200 will be reset at an unintended timing.

For this reason, in this proposal, in order not to affect the reset input side calculation section due to a single failure of the monitoring result output side calculation section, and to ensure that only the faulty calculation section is reset. , AND gates.

It should be noted that each of the calculation units A100, B200, and C300 is set so that Wxy is turned off when it is reset by RSTx. However, when the output of Wxy becomes high impedance in a state where each arithmetic unit A100, B200, C300 is reset, Wxy is set to be an OFF output by an external pull-up or pull-down.

This configuration is to prevent the third operating unit from being unintentionally reset when the second operating unit breaks down while driving continues after one of the operating units fails. be. When Wxy turns ON instead of OFF in the reset state, for example, when the calculation unit A100 is out of order, that is, when W13=ON and a failure occurs in the calculation unit B200, W23 is turned ON due to an abnormal output. , the operating unit C300, which is operating normally, is reset. By setting Wxy=OFF in the reset state, even when a double failure occurs, the third operating unit in normal operation is not unintentionally reset.

When the RSTx signal turns from OFF to ON, the latch circuits 15-17 transition from the OFF state to the ON state, and thereafter maintain the ON state regardless of the output states of the AND gates 12-14. With this configuration, even if the second computing unit fails while running is continued after the failure of one computing unit, the reset state of the first malfunctioning unit continues and the output stop state continues. .

If the latch circuit is not provided, for example, if the arithmetic unit B200 fails while the arithmetic unit A100 is out of order, W21 is turned off due to an abnormal output, and the malfunctioning arithmetic unit A100 There is a risk of unintended return from the reset state. Furthermore, at this time, if W13 and W23, which are outputs from the failure unit, are turned ON due to an abnormal output, there is a risk that the operating unit C300 that is operating normally may be reset unintentionally.

For this reason, in this proposal, once the operation unit is reset, the reset state is maintained after that, so that the operation unit reset when the double failure occurs can be prevented from unintentionally returning as described above. are removing. In the latch circuits 15 to 17, the latch state is cleared, that is, the reset is released, for example, when all three calculation units are normal. Latch circuits 15 to 17 transition from the ON state to the OFF state upon receiving a predetermined reset signal.

[1-2. process]
Next, the monitoring process executed by each calculation unit A100, B200, C300 will be described with reference to the flow charts of FIG. 2 and subsequent figures. In the monitoring process, the monitoring function described above is implemented as a process. Also, the monitoring process is started, for example, when the power of the vehicle is turned on.

In the monitoring process, first, in S210, the computing units A100, B200, and C300 determine whether or not a failure has occurred in another computing unit. The calculation units A100, B200, and C300 repeat S210 when no failure occurs in other calculation units.

Further, when the calculation units B200 and C300 determine that the calculation unit A100 has failed, the process proceeds to S212. Further, when the calculation units A100 and C300 determine that the calculation unit B200 has failed, the process proceeds to S222. Further, when the arithmetic units A100 and B200 determine that the arithmetic unit C300 has failed, the process proceeds to S232.

In S212, the arithmetic unit B200 and the arithmetic unit C300 that monitor the arithmetic unit A100 detect an abnormality in the arithmetic unit A100. In this case, calculation unit B200 turns on W21, and calculation unit C300 turns on W31. As a result, as indicated by S213, RST1 is turned ON, and the operation and output of the arithmetic unit A100 are stopped. That is, all abnormal signals to the outside from the malfunctioning arithmetic unit A100 are cut.

Subsequently, in S214, the calculation units B200 and C300 continue the vehicle running control different from the fail-safe process, for example, the control in the normal control state representing the control state when the calculation unit A100 is not malfunctioning. At least one of the units B200 and C300 starts vehicle control function substitution to substitute the vehicle control executed by the arithmetic unit A100. As a result, it is possible to continue running while the computation unit B200 and the computation unit C300 continue to monitor each other.

Note that, in the function substitution, all the control performed by the arithmetic unit A100 in the normal control state may be performed as it is, or the functions may be degenerated to perform only the minimum functions required for running. Moreover, the calculation units B200 and C300 may change the control to be executed from the normal control state in response to the failure of the calculation unit A100. In addition, other calculation units may function similarly when the calculation unit B200 or C300 fails, not only when the calculation unit A100 fails.

Next, in S222, a failure has occurred in the arithmetic unit B200, and the arithmetic units A100 and C300 monitoring the arithmetic unit B200 have detected an abnormality in the arithmetic unit B200. In this case, the calculation unit A100 turns on W12, and the calculation unit C300 turns on W32. As a result, as shown in S223, RST2 is turned ON, and operation and output of the calculation unit B200 are stopped. In other words, all abnormal signals to the outside from the malfunctioning arithmetic unit B200 are cut.

Subsequently, in S224, calculation units A100 and C300 continue control in the normal control state, and at least one of calculation units A100 and C300 executes vehicle control instead of calculation unit B200. Start vehicle control function substitution. Note that the normal control state here represents the control state when the calculation unit B200 is not out of order. As a result, it is possible to continue running while the arithmetic units A100 and C300 continue to monitor each other.

Next, in S232, a failure has occurred in the arithmetic unit C300, and the arithmetic units A100 and B200 monitoring the arithmetic unit C300 have detected an abnormality in the arithmetic unit C300. In this case, the calculation unit A100 turns on W13, and the calculation unit B200 turns on W23. As a result, as shown in S233, RST3 is turned ON, and the operation and output of the calculation unit C300 are stopped. That is, all abnormal signals to the outside from the malfunctioning computation unit C300 are cut.

Subsequently, in S234, calculation units A100 and B200 continue control in the normal control state, and at least one of calculation units A100 and B200 executes vehicle control instead of calculation unit C300. Start vehicle control function substitution. Note that the normal control state here represents the control state when the calculation unit C300 is not out of order. As a result, it is possible to continue running while the computation unit A100 and the computation unit B200 continue to monitor each other.

Subsequently, the processing when the arithmetic unit A100 is out of order will be described with reference to the flowchart of FIG. During the failure of the arithmetic unit A100, in S301, the arithmetic units B200 and C300 continue the running control while the arithmetic unit A100 is out of order. judge. That is, it is determined whether or not a second failure, which is a failure of another arithmetic unit, has occurred during the failure of the arithmetic unit A100, which is the first failure.

When the calculation unit C300 recognizes that the calculation unit B200 has failed, the calculation unit C300 performs the processing from S312 onwards. Further, when the calculation unit B200 recognizes that the calculation unit C300 has failed, the calculation unit B200 performs the processing from S322 onwards.

In S312, the calculation unit C300 detects an abnormality in the calculation unit B200, and recognizes the double failure of the calculation units A100 and B200. At this time, W21 becomes indefinite, but RST1 is kept ON by the latch circuit 15, and the operation and output of the arithmetic unit A100 are continued.

Subsequently, in S313, the calculation unit C300 turns on FS3 as fail-safe processing. As a result, as shown in S314, even if the FS is turned ON and the calculation unit B200 outputs an abnormal signal to the outside, the vehicle can safely stop running.

On the other hand, in S322, the arithmetic unit B200 detects an abnormality in the arithmetic unit C300, and the arithmetic unit B200 recognizes a double failure of the arithmetic units A100 and C300. At this time, W31 becomes indefinite, but RST1 is kept ON by the latch circuit 15, and the operation and output of the arithmetic section A100 are continued.

Subsequently, in S323, the calculation unit B200 turns on FS2 as fail-safe processing. As a result, as shown in S324, even if FS is turned ON and the calculation unit C300 outputs an abnormal signal to the outside, the vehicle can safely stop running.

Subsequently, the processing when the calculation unit B200 is out of order will be described with reference to the flowchart of FIG. During the failure of the arithmetic unit B200, in S401, the arithmetic units A100 and C300 continue running control while the arithmetic unit B200 is out of order. judge. That is, it is determined whether or not a second failure, which is a failure of another computing unit, has occurred during the failure of the computing unit B200, which is the first failure.

When the calculation unit C300 recognizes that the calculation unit A100 has failed, the calculation unit C300 performs the processing from S412 onwards. Further, when the arithmetic unit A100 recognizes that the arithmetic unit C300 has failed, the arithmetic unit A100 performs the processing from S422 onwards.

In S412, the arithmetic unit C300 detects an abnormality in the arithmetic unit A100, and the arithmetic unit C300 recognizes a double failure of the arithmetic units B200 and A100. At this time, W12 is undefined, but RST2 is kept ON by the latch circuit 16, and the operation and output of the arithmetic unit B200 are continued.

Subsequently, in S413, the calculation unit C300 turns on FS3 as fail-safe processing. As a result, as shown in S414, even if the FS is turned ON and the arithmetic unit A100 outputs an abnormal signal to the outside, the vehicle can safely stop running.

On the other hand, in S422, the arithmetic unit A100 detects an abnormality in the arithmetic unit C300, and the arithmetic unit A100 recognizes a double failure of the arithmetic units B200 and C300. At this time, W32 becomes indefinite, but RST2 is kept ON by the latch circuit 16, and the operation and output of the arithmetic unit B200 are continued.

Subsequently, in S423, the arithmetic unit A100 turns on FS1 as fail-safe processing. As a result, as shown in S424, even if the FS is turned ON and the calculation unit C300 outputs an abnormal signal to the outside, the vehicle can safely stop running.

Subsequently, the processing when the computing unit C300 is out of order will be described with reference to the flowchart of FIG. During the failure of the computation unit C300, in S501, the computation units A100 and B200 continue the running control during the failure of the computation unit C300. judge. That is, it is determined whether or not a second failure, which is a failure of another computing unit, has occurred during the failure of the computing unit C300, which is the first failure.

When the calculation unit B200 recognizes that the calculation unit A100 has failed, the calculation unit B200 performs the processing from S512 onwards. Further, when the arithmetic unit A100 recognizes that the arithmetic unit B200 has failed, the arithmetic unit A100 performs the processing from S522 onwards.

In S512, the arithmetic unit B200 detects an abnormality in the arithmetic unit A100, and the arithmetic unit B200 recognizes a double failure of the arithmetic units C300 and A100. At this time, W13 becomes undefined, but RST3 is kept ON by the latch circuit 17, and the operation and output of the arithmetic unit C300 continue to be stopped.

Subsequently, in S513, the calculation unit B200 turns on FS2 as fail-safe processing. As a result, as shown in S514, even if the FS is turned ON and the arithmetic unit A100 outputs an abnormal signal to the outside, the vehicle can safely stop running.

On the other hand, in S522, the arithmetic unit A100 detects an abnormality in the arithmetic unit B200, and the arithmetic unit A100 recognizes a double failure of the arithmetic units C300 and B200. At this time, W23 becomes indefinite, but RST3 is kept ON by the latch circuit 17, and the operation and output of the arithmetic unit C300 continue to be stopped.

Subsequently, in S523, the arithmetic unit A100 turns on FS1 as fail-safe processing. As a result, as shown in S524, even if the FS is turned ON and the calculation unit B200 outputs an abnormal signal to the outside, the vehicle can safely stop running.

Next, FIG. 6 is a timing chart showing an example of the state of each signal when the arithmetic unit A100 fails in the normal control state and then the arithmetic unit B200 fails. In the normal control state shown at t61, each signal is OFF.

t62 is the timing at which the arithmetic unit A100 fails. t63 is the timing at which arithmetic units B200 and C300 detect an abnormality in arithmetic unit A100, and the timing at which at least one of arithmetic units B200 and C300 starts replacing the function of arithmetic unit A100.

At t63, W21 and W31 are turned ON, and thereafter the operation unit A100 stops outputting, so the operation unit B200 can continue its operation without being affected by the malfunctioning operation unit A100. Here, between t62 and t63, W12 and W13, which are the output signals of the arithmetic unit A100, are in an undefined state, but the AND gates 13 and 14 keep RST2 and RST3 OFF, and the arithmetic unit B200 and the arithmetic unit Section C300 continues to operate and output.

Since FS1 is also undefined between t62 and t63, the fail-safe signal FS output from the entire system by the OR gate 11 is temporarily undefined. However, even if FS is temporarily turned ON during the period from t62 to t63, the device that implements fail-safe processing will not allow the vehicle to fail-safe if the fail-safe signal FS is canceled at the timing of t63. It is configured to allow recovery from the state.

For example, when an electric motor driver for an electric vehicle is provided as a device that performs fail-safe processing, the electric motor driver only cuts the driving force of the vehicle temporarily between t62 and t63. From timing t63, control is performed with the commanded driving force, as in the normal control state.

t64 is the timing at which the calculation unit B200 fails, and t65 is the timing at which the calculation unit C300 detects an abnormality in the calculation unit B200 and performs fail-safe processing. At t65, FS3 is turned ON, and the vehicle can safely stop running due to the ON output of the fail-safe signal FS.

After t64, W21, which is the output signal of the calculation unit B200, is in an undefined state, but the latch circuit 15 keeps the output of the calculation unit A100 stopped even after t64. After t64, W23 is also in an undefined state, but the AND gate 14 keeps RST3 off and the operation section C300 continues to operate and output.

Further, after t64, FS2 is also in an undefined state, so the fail-safe signal FS output from the entire system by the OR gate 11 is undefined between t64 and t65. However, even if FS2 were to be turned ON during this time, the timing at which FS is turned ON would only be advanced from t65, and the vehicle would be able to stop running safely, so there would be no problem.

With the configuration and operation as described above, even if any one of the three calculation units fails, the remaining two calculation units can continue control and monitoring. In addition, since the remaining two calculation units stop the operation and output of the malfunctioning unit, the running function can be safely continued even in the event of a single malfunction. Furthermore, even if any two of the three calculation units fail, the remaining one calculation unit outputs a fail-safe signal so that the vehicle can be stopped safely against double failures.

[1-3. effect]
The above vehicle control system 1A has the following points.
・By configuring the three control units A100, B200, and C300 to mutually monitor each other, even if any one of them fails, the remaining two calculation units can still be used for control. Monitoring can be continued. In addition, the remaining two calculation units stop the output of the failure unit, so that the running function can be safely continued even in the event of a single failure.

- If any two of the three calculation units fail, the remaining one calculation unit can output a fail-safe signal. In other words, it is possible to safely stop running against a double failure.
・If software that can replace other processing units is installed in advance for each processing unit, there is no need to separately provide a standby processing unit, and this proposal can be realized only with the conventional processing unit. It also reduces development costs.

Specifically, according to the first embodiment described in detail above, it has the following configuration and has the following effects.
(1a) The vehicle control system 1A includes three or more arithmetic units A100, B200, and C300. The arithmetic units A100, B200, and C300 are configured to recognize in S210, S302, S402, and S502 that other arithmetic units other than the relevant arithmetic unit are out of order.

Calculation units A100, B200, and C300 that have failed are assumed to be faulty units, and calculation units A100, B200, and C300 that have not failed are assumed to be normal units. , S423, S513, and S523, if the operating units A100, B200, and C300, which are equal to or larger than the specified number set to 2 or more in advance among the other operating units, are faulty units, a preset fail-safe process is performed. Output to the effect that it will be implemented, and if less than the specified number of arithmetic units A100, B200, and C300 among the other arithmetic units A100, B200, and C300 are faulty units, the normal part is different from the fail-safe process. It is configured to output to the effect that the control is to be executed.

Note that the specified number is set to two in the present embodiment. Therefore, when the number of faulty parts is 1, the arithmetic units A100, B200, and C300 output to the effect that normal control is to be performed as vehicle running control different from the fail-safe process, and the number of faulty parts is is 2, an output indicating that fail-safe processing is to be performed is performed.

According to such a configuration, the vehicle can be controlled more safely while the control can be continued as much as possible.
(1b) In the vehicle control system 1A described above, each of the calculation units A100, B200, and C300 fails in S212, S222, and S232 if any of the other calculation units A100, B200, and C300 is normal. It is configured to transmit a stop command for stopping the output to the unit.

According to such a configuration, it is possible to cut off the output from the malfunctioning portion that may adversely affect the running control of the vehicle.
(1c) The vehicle control system 1A is capable of receiving a stop command transmitted from each of the computing units A100, B200, and C300. AND gates 12, 13, 14 configured to stop the .
According to such a configuration, it is possible to prevent a single failure of the operation unit on the monitoring result output side from affecting the operation unit on the reset input side, and to reliably reset only the operation unit that is malfunctioning. can.
(1d) The vehicle control system 1A has latch circuits 15, 16, and 17 configured to continue outputting the stop command to the faulty part until at least after the start of the fail-safe process when the stop command is transmitted. further provide.

According to such a configuration, it is possible to suppress the output from the failure part at least until after the start of the fail-safe process.
[2. Second Embodiment]
[2-1. Differences from First Embodiment]
Since the basic configuration of the second embodiment is the same as that of the first embodiment, differences will be described below. Note that the same reference numerals as in the first embodiment indicate the same configurations, and refer to the preceding description.

In the first embodiment described above, it is configured to monitor whether or not the plurality of arithmetic units A100, B200, and C300 are mutually faulty. Since the purpose of monitoring is to detect a failure in any one computing unit under normal control and to detect double failures in the remaining computing units during the failure of one computing unit, a monitoring system capable of realizing these If it is

Specifically, in the second embodiment, each of the arithmetic units A100, B200, and C300 is monitored by one or more other arithmetic units, and after the occurrence of the first failure, the remaining two mutually monitor each other. is different from the first embodiment in that it is switched to perform As a result, it is possible to reduce the processing resources for monitoring each calculation unit in the normal control state.

[2-2. Constitution]
FIG. 7 shows a vehicle control system 1B of the second embodiment. In the left diagram of FIG. 7, when each of the arithmetic units A100, B200, and C300 is in the normal control state, the arithmetic unit A100 becomes the arithmetic unit B200, the arithmetic unit B200 becomes the arithmetic unit C300, and the arithmetic unit C300 becomes the arithmetic unit A100. Indicates the monitored configuration. That is, in the vehicle control system 1B, each of the computing units A100, B200, and C300 is configured to be monitored by one computing unit different from one computing unit that is monitored by a certain computing unit. are connected in a ring, and all the arithmetic units A100, B200, and C300 are configured to be monitored by any one of the arithmetic units.

Further, the right diagram of FIG. 7 illustrates a case where, when the arithmetic unit A100 fails, the arithmetic units B200 and C300 are switched to monitor each other. In other words, when each of the arithmetic units A100, B200, and C300 recognizes that the arithmetic unit to be monitored is a faulty unit, each of the arithmetic units A100, B200, and C300 assigns the faulty unit is configured to add a computing unit that has been monitored.

[2-3. process]
Next, the monitoring process executed by each of the arithmetic units A100, B200, and C300 of the second embodiment in place of the monitoring process of the first embodiment will be described using the flowchart of FIG. Note that the description of this process is partially simplified.

In the monitoring process of the second embodiment, each of the computing units A100, B200, and C300 determines in S210 whether or not the computing unit to be monitored has failed. Here, an example in which the arithmetic unit A100 fails will be described. In addition, when the calculation unit B200 or the calculation unit C300 fails, although the explanation is omitted, the processing corresponding to the processing described below may be performed according to the malfunctioning calculation unit.

If it is determined in S210 that the arithmetic unit A100 has failed, in S81 shown in FIG. 8, the arithmetic unit B200 detects an abnormality in the arithmetic unit A100 and outputs W21. At this time, the calculation unit B200 notifies the calculation unit C300 that it has detected an abnormality in the calculation unit A100.

Then, the calculation unit B200 starts monitoring the calculation unit C300. That is, the computing unit B200 transitions from the state of monitoring only the computing unit A100 to the state of monitoring the computing unit C300 as well. The calculation unit C300 has already monitored the calculation unit B200, and when the calculation unit B200 starts monitoring the calculation unit C300, the calculation units B200 and C300 start monitoring each other.

Subsequently, in S82, the calculation unit C300 receives from the calculation unit B200 the abnormality detection notification of the calculation unit A100, confirms that the monitoring of the calculation unit B200 is normal, and then outputs W31 to ON. The reason for confirming that the arithmetic unit B200 is monitoring normally is that if the arithmetic unit B200 is out of order, the abnormality detection notification of the arithmetic unit A100 itself becomes unreliable information. If the arithmetic unit B200 is monitoring normally, it can be correctly determined that the arithmetic unit A100 is out of order because the abnormality detection notification of the arithmetic unit A100 is reliable information.

From S82 onwards, it is preferable to perform the processing from S213 onwards.
[2-4. effect]
According to the second embodiment described in detail above, the effect (1a) of the first embodiment described above is obtained, and the following effects are also obtained.

(2a) In the vehicle control system 1B described above, each of the computing units A100, B200, and C300 is configured such that all of the computing units A100, B200, and C300 are monitored by one or more computing units. 1 or more if the operating unit to be monitored is recognized as a faulty unit, and if the operating unit to be monitored by the faulty unit is not monitored by any normal unit other than the faulty unit is configured to add, to the monitoring target of the normal section, the computing section that was the monitoring target of the fault section.

According to such a configuration, the computing units A100, B200, and C300 are configured to be monitored by one or more computing units, and when any of the computing units A100, B200, and C300 fails, some Since the configuration is such that other calculation units are added to the monitoring targets of the above calculation units, there is no need for all the calculation units A100, B200, and C300 to always monitor two or more calculation units. Therefore, it is possible to reduce the number of data exchanges among the arithmetic units A100, B200, and C300, and to simplify the configuration.
In the above-described second embodiment, when there is no failure, the arithmetic units A100, B200, and C300 are configured to monitor one arithmetic unit in order to perform ring-shaped monitoring. Any configuration may be employed as long as the arithmetic units A100, B200, and C300 are monitored by one or more arithmetic units. For example, a configuration may be adopted in which the computing unit A100 is monitored by the computing unit B200, the computing unit B200 is monitored by the computing unit C300, and the computing unit C300 is monitored by the computing units A100 and B200. The units B200 and C300 may be configured to be monitored by the arithmetic unit A100.

[3. Third Embodiment]
[3-1. Differences from First Embodiment]
In the first embodiment described above, a fail-safe signal is output when a plurality of calculation units fails. On the other hand, the third embodiment is different from the first embodiment in that a fail-safe signal is output even if a single failure occurs in a specific arithmetic unit.

Specific calculation units include, for example, calculation units that may hinder the running of the vehicle due to failure, especially important calculation units, and calculation units that should not normally fail. be done.
Here, an example will be described in which the fail-safe signal is output when the arithmetic unit C300 fails even if the other arithmetic units do not malfunction.

[3-2. Constitution]
As shown in FIG. 9, the vehicle control system 1C of the third embodiment has a configuration in which the AND gate 14, the latch circuit 17, and the signal lines related to these circuits are omitted from the vehicle control system 1A of the first embodiment. is. That is, in the vehicle control system 1C, even if the calculation unit C300 outputs an abnormal signal, the fail-safe signal is output and the vehicle can be stopped safely. RST3 becomes unnecessary.

[3-3. process]
Next, monitoring processing executed by each of the arithmetic units A100, B200, and C300 of the third embodiment in place of the monitoring processing of the first embodiment will be described using the flowchart of FIG.

In the monitoring process of the third embodiment, each of the arithmetic units A100, B200, and C300 determines whether or not the arithmetic unit to be monitored has failed in S210 described above.
If it is determined in S210 that the arithmetic unit C300 has failed, in S91 shown in FIG. 9, the arithmetic unit A100 and/or the arithmetic unit B200 output the fail-safe signals FS1 and FS2. As a result, as shown in S92, the FS is turned ON, and the vehicle can be stopped safely.

Note that if it is determined in the process of S210 that a calculation unit other than the calculation unit C300 has failed, the monitoring process may be performed in the same manner as in the first embodiment, so description thereof will be omitted.
[3-4. effect]
According to the third embodiment described in detail above, the effect (1a) of the first embodiment described above is obtained, and the following effects are also obtained.

(3a) In the above-described vehicle control system 1C, the calculation units A100, B200, and C300 determine whether or not the occurrence of a faulty part will hinder the running of the vehicle, and determine that the running of the vehicle will be hindered. Then, even if any one of the other arithmetic units A100, B200, and C300 is normal, an output indicating that the fail-safe process is to be performed is made.

According to such a configuration, if the arithmetic units A100, B200, and C300, which may hinder the running of the vehicle, become a failure unit, fail-safe processing can be performed, so that the vehicle can be controlled more safely. can do.

(3b) In the vehicle control system 1C described above, the configuration for resetting the calculation unit C300 is omitted. With such a configuration, the cost of providing the signal line of RST3 can be reduced.

(3c) The vehicle control system 1C determines whether or not the predetermined specific calculation units A100, B200, and C300 are failure units. Even if less than the specified number of operation units out of the operation units are faulty units, an output indicating that the fail-safe processing is to be performed is performed.

According to such a configuration, when a specific calculation unit such as an important calculation unit or a calculation unit that should be unlikely to fail becomes a failure unit, fail-safe processing can be performed even if there are a plurality of normal units. Therefore, the vehicle can be controlled more safely.

(3d) Whether or not the vehicle control system 1C is adopted may be determined from the cost-effectiveness of providing the RST3 signal line. For example, if the computation unit C300 does not need to have a complicated function such as performing only simple monitoring, the computation unit C300 can be realized by a relatively small and simple IC that does not have a CPU or memory. good too.

Since it is realized by a simple IC, if the single failure rate of the operation part C300 is much lower than the probability of double failures of the operation part A100 and the operation part B200, that is, with a high probability, the operation part C300 If the double failure of the arithmetic unit A100 and the arithmetic unit B200 occurs before the single failure, the provision of the RST3 signal line is less cost-effective. good.

In addition, when there is a calculation unit that is absolutely necessary for continuation of running, the vehicle cannot continue running when the calculation unit fails. A fail-safe signal may be output from another computing unit.

[4. Fourth Embodiment]
[4-1. Differences from First Embodiment]
The vehicle control system 1A of the first embodiment described above is configured with three calculation units. On the other hand, the vehicle control system 1D of the fourth embodiment differs from the first embodiment in that it includes four or more calculation units.

In other words, even when any one of the four or more computing units fails, it is sufficient that the remaining computing units can continue control and monitoring. Also, if two arbitrary calculation units fail, at least one remaining calculation unit should be capable of outputting a fail-safe signal.

[4-2. Constitution]
FIG. 11 is an example of a system configuration with four calculation units. The vehicle control system 1D further includes an arithmetic unit D400, an AND gate 18, and a latch circuit 19. The calculation unit D400 has, for example, the same hardware configuration as other calculation units, and executes arbitrary preset vehicle control.

In the vehicle control system 1D, one computing unit mutually monitors two adjacent computing units. However, computing units that are not adjacent and that are diagonally positioned in FIG. 11 do not need to monitor each other.

The AND gate 18 performs output based on W14 and W34 output from the arithmetic section A100 and the arithmetic section C300. Latch circuit 19 receives the output of AND gate 18 and operates in the same manner as other latch circuits 15-17.

[4-3. process]
Next, the monitoring processing executed by the computing units A100, B200, C300, and D400 of the fourth embodiment in place of the monitoring processing of the first embodiment will be described using the flowchart of FIG. FIG. 12 shows the details of the flow when, for example, the arithmetic unit A100 fails as the first failure.

In the monitoring process of the fourth embodiment, each of the computing units A100, B200, C300, and D400 determines in S210 whether or not the monitored computing unit has failed. When it is determined in S210 that the arithmetic unit A100 has failed, in S121 shown in FIG. 12, the arithmetic unit B200 or the arithmetic unit D400 detects an abnormality in the arithmetic unit A100 and outputs W21 and W41.

As a result, as shown in S122, RST1 is turned ON, and operation and output of the arithmetic unit A100 are stopped. Then, in S123, computing unit B200 or computing unit D400 notifies computing unit C300 that it has detected an abnormality in computing unit A100.

Subsequently, in S124, the calculation unit C300 receives the abnormality detection notification of the calculation unit A100 from the calculation unit B200 or the calculation unit D400, confirms that the monitoring of the calculation unit B200 or the calculation unit D400 is normal, The abnormality of the arithmetic unit A100 is stored in the memory. The reason for confirming that the arithmetic unit B200 or the arithmetic unit D400 is normal is that if the arithmetic unit B200 or the arithmetic unit D400 fails, the arithmetic unit B200 or the arithmetic unit D400 detects an abnormality in the arithmetic unit A100. This is because the notification itself becomes unreliable information. If the arithmetic unit B200 or the arithmetic unit D400 is normally monitored, the abnormality detection notification of the arithmetic unit A100 is reliable information, so that it can be correctly determined that the arithmetic unit A100 is out of order.

Then, in S125, the calculation units B200, C300, and D400 continue the control in the normal control state, and at least one of the calculation units starts substituting the vehicle control function of the calculation unit A100. Then, the calculation unit B200 and the calculation unit C300 continue to monitor each other, and the vehicle can continue running in a state where the calculation unit D400 and the calculation unit C300 continue to monitor each other.

Subsequently, the processing when the arithmetic unit A100 is out of order will be described with reference to the flowchart of FIG. During the failure of the arithmetic unit A100, in S1301, the arithmetic units B200, C300, and D400 continue running control during the failure of the arithmetic unit A100. determine whether That is, it is determined whether or not a second failure, which is a failure of another arithmetic unit, has occurred during the failure of the arithmetic unit A100, which is the first failure.

When the calculation unit C300 recognizes that the calculation unit B200 has failed, the calculation unit C300 performs the processing from S1312 onwards. Further, when the calculation unit B200 or the calculation unit D400 recognizes that the calculation unit C300 has failed, the calculation unit B200 or the calculation unit D400 performs the processing from S1322 onwards. Further, when the calculation unit C300 recognizes that the calculation unit D400 has failed, the calculation unit C300 performs the processing from S1332 onwards.

In S1312, the calculation unit C300 detects an abnormality in the calculation unit B200, and recognizes the double failure of the calculation units A100 and B200.
Subsequently, in S1313, the calculation unit C300 turns on FS3 as fail-safe processing. As a result, as shown in S1314, FS is turned ON, and the vehicle can be stopped safely. That is, when the arithmetic unit C300 recognizes the malfunction of the other arithmetic units together with the malfunction of the arithmetic unit A100 stored in S124, it can recognize that there is a double failure, so that the fail-safe process can be performed satisfactorily. It can be carried out.

On the other hand, in S1322, calculation unit B200 or calculation unit D400 detects an abnormality in calculation unit C300, and calculation unit B200 or calculation unit D400 recognizes a double failure of calculation units A100 and C300. Subsequently, in S1323, the calculation unit B200 or the calculation unit D400 turns on FS2 as fail-safe processing. As a result, as shown in S1324, FS is turned ON, and the vehicle can be stopped safely.

Also, in S1332, the arithmetic unit C300 detects an abnormality in the arithmetic unit D400, and the arithmetic unit C300 recognizes the double failure of the arithmetic units A100 and D400.
Subsequently, in S1333, the calculation unit C300 turns on FS3 as fail-safe processing. As a result, as shown in S1334, FS is turned ON, and the vehicle can be stopped safely.

In the process of S210, when it is determined that a calculation unit other than the calculation unit C300 has failed, the processing corresponding to S121 and subsequent steps may be executed according to the failed calculation unit other than the failed calculation unit. Description is omitted because it is sufficient.

[4-4. effect]
According to the fourth embodiment described in detail above, the effect (1a) of the first embodiment described above is obtained, and the following effects are also obtained.

(4a) The vehicle control system 1D of the fourth embodiment includes four or more calculation units. According to such a configuration, it is possible to cope with a double failure even in a configuration in which the number of arithmetic units is four or more.

[5. Other embodiments]
Although the embodiments of the present disclosure have been described above, the present disclosure is not limited to the above-described embodiments, and various modifications can be made.

(5a) In the above embodiment, in principle, fail-safe processing is performed when two computing units fail, but the present invention is not limited to this. For example, in a configuration including a large number of arithmetic units, fail-safe processing may be performed when, for example, three or more arithmetic units fail. That is, the calculation units A100, B200, C300, and D400 are configured such that the faulty calculation units A100, B200, C300, and D400 are the faulty units, and the non-faulty calculation units A100, B200, C300, and D400 are the normal units. If more than a specified number of operation units preset to 3 or more among the units is a failure unit, an output indicating that a preset fail-safe process is to be performed is performed, and the specified number of the other operation units is output. If less than the number of calculation units A100, B200, C300, and D400 are failure units, the normal units may be configured to output an output indicating that the vehicle running control different from the fail-safe process is to be performed.

(5b) A plurality of functions possessed by one component in the above embodiment may be realized by a plurality of components, or a function possessed by one component may be realized by a plurality of components. . Also, a plurality of functions possessed by a plurality of components may be realized by a single component, or a function realized by a plurality of components may be realized by a single component. Also, part of the configuration of the above embodiment may be omitted. Moreover, at least part of the configuration of the above embodiment may be added or replaced with respect to the configuration of the other above embodiment. It should be noted that all aspects included in the technical idea specified by the wording described in the claims are embodiments of the present disclosure.

(5c) In addition to the vehicle control systems 1A, 1B, 1C, and 1D described above, computing units A100, B200, C300, and D400, computing units A100, B200, The present disclosure is realized in various forms such as a vehicle control device including C300, a program for causing a computer to function as the vehicle control system 1A, a non-transitional actual recording medium such as a semiconductor memory recording this program, and a monitoring method. You can also

[6. Correspondence between the configuration of the embodiment and the configuration of the present disclosure]
In the above embodiments, the vehicle control systems 1A, 1B, 1C, and 1D correspond to the vehicle control device referred to in the present disclosure, the AND gates 12, 13, 14, and 18 correspond to the stop output units referred to in the present disclosure, and the latch circuits Reference numerals 15, 16, 17, and 19 correspond to output continuation units referred to in the present disclosure. Among the processes executed by the arithmetic units A100, B200, C300, and D400, the processes of S210, S302, S402, S502, and S1302 correspond to the fault recognition unit referred to in the present disclosure, and S214, S224, S234, S313, The processing of S323, S413, S423, S513, S523, S91, S125, S1313, S1323 and S1333 corresponds to the control output section.

Further, the processing of S212, S222, S232, S81, S82, and S121 corresponds to the stop transmission unit referred to in this disclosure, the processing of S81 corresponds to the additional setting unit referred to in this disclosure, and the processing of S210 corresponds to It corresponds to a trouble determination unit and a failure determination unit.

1A, 1B, 1C, 1D... Vehicle control system, 11... OR gate, 12, 13, 14, 18... AND gate, 15, 16, 17, 19... Latch circuit, A100, B200, C300, D400... Operation part.

Claims (6)

A vehicle control system (1A, 1B, 1C, 1D),
Each calculation part is
a fault recognizing unit (S210, S302, S402, S502, S1302) configured to recognize that other calculating units other than the relevant calculating unit are out of order;
A case where a malfunctioning arithmetic unit is defined as a malfunctioning unit, a normal arithmetic unit is defined as a non-faulty arithmetic unit, and the malfunctioning unit is a predetermined number or more of the other arithmetic units that is set to a number equal to or greater than 2 in advance. , an output indicating that a preset fail-safe process is to be performed, and if the number of operation units less than the specified number among the other operation units is the failure unit, the normal unit is the fail-safe process A control output section (S214, S224, S234, S313, S323, S413, S423, S513, S523, S91, S125, S1313, S1323, S1333) configured to perform an output indicating that running control of different vehicles is to be performed When,
A stop output unit (12, 13) capable of receiving a stop command transmitted from each of the calculation units and configured to stop the output of the malfunctioning unit only when receiving a stop command from two or more calculation units , 14, 18) and
with
The control output unit is a stop transmission unit (S212, S222, S232 , S81, S82, S121),
further comprising
The stop output unit includes an AND gate configured to receive a stop command from each of the calculation units and output a logical product.
vehicle control system. A vehicle control system according to claim 1 ,
an output continuation unit (15, 16, 17, 19) configured to continue outputting the stop command to the faulty unit until at least after the start of the fail-safe process when the stop command is transmitted;
A vehicle control system further comprising: A vehicle control system according to claim 1 or claim 2 ,
Each computing unit
All computing units are configured to be monitored by any one or more computing units,
When the failure recognizing unit recognizes that the operation unit to be monitored by the operation unit is a failure unit, one or more normal units are to be monitored by the normal unit, and the failure unit is to be monitored. An additional setting unit (S81) configured to add a calculation unit that was set as
A vehicle control system further comprising: A vehicle control system according to any one of claims 1 to 3 ,
a trouble determination unit (S210) that determines whether or not the occurrence of a faulty part will hinder the running of the vehicle;
further comprising
When it is determined that the running of the vehicle will be hindered, the control output unit performs the fail-safe operation even if the number of operation units less than the specified number among the other operation units is the failure unit. A vehicle control system configured to output an indication that processing is to be performed. Claim 1 to claim41. The vehicle control system according to any one of
a plurality of said a failure determination unit (S210) that determines whether or not a specific operation unit representing a preset operation unit among the operation units is the failure unit;
further comprising
When it is determined that the specific arithmetic unit is the faulty unit, the control output unit controls the above Output to the effect that fail-safe processing will be performed
A vehicle control system configured to: A vehicle control device (1A, 1B, 1C, 1D),
Each calculation part is
a fault recognizing unit (S210, S302) configured to recognize that other calculating units other than the relevant calculating unit are out of order;
A case where a malfunctioning arithmetic unit is defined as a malfunctioning unit, a normal arithmetic unit is defined as a non-faulty arithmetic unit, and the malfunctioning unit is a predetermined number or more of the other arithmetic units that is set to a number equal to or greater than 2 in advance. , an output indicating that a preset fail-safe process is to be performed, and if the number of operation units less than the specified number among the other operation units is the failure unit, the normal unit is the fail-safe process A control output section (S214, S224, S234, S313, S323, S413, S423, S513, S523, S91, S125, S1313, S1323, S1333) configured to perform an output indicating that running control of different vehicles is to be performed When,
A stop output unit (12, 13) capable of receiving a stop command transmitted from each of the calculation units and configured to stop the output of the malfunctioning unit only when receiving a stop command from two or more calculation units , 14, 18) and
with
The control output unit is a stop transmission unit (S212, S222, S232 , S81, S82, S121),
further comprising
The stop output unit includes an AND gate configured to receive a stop command from each of the calculation units and output a logical product.
Vehicle controller.

Images