JP2001084134A - On-vehicle electronic controller and program rewriting device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To prevent the runaway of a CPU by preventing any rewriting miss at the time of rewriting with respect to a storage device storing each program while divided into plural blocks. SOLUTION: An on-vehicle electronic controller 2 is provided with a CPU 7 for executing a program, a peripheral circuit 6 for operating input processing from a sensor group 4 and output processing to an actuator group 5 and input and output processing with a program rewriting device 9 based on the command of the CPU 7, and a storage device 8 for storing the program or data of the input processing from the sensor group 4 and the output processing to the actuator group 5 and the arithmetic processing of the CPU 7 and storing each kind of program in each divided storage block. In this case, a flag indicating the validity/invalidity of the program or data is stored in each storage block of the storage device 8, and after the program is written, and the program is collated, and then the validity/invalidity of the program is confirmed, this flag is written.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

TECHNICAL FIELD The present invention is mounted on a vehicle,
The present invention relates to an electronic control device used for engine control, travel control, and the like, and particularly to an in-vehicle electronic control device having a function of preventing a malfunction due to a mistake in writing a program, and a program rewriting device therefor.

[0002]

2. Description of the Related Art FIG. 2 is a block diagram showing a connection state between a general on-vehicle electronic control device (hereinafter referred to as an ECU) and a program rewriting device for rewriting programs and data of the ECU. In the figure, 1 is a vehicle on which the ECU 2 is mounted, 3 is a battery mounted on the vehicle 1 and serving as a power source of the ECU 2, 4 is sensors and the like for detecting the state of each part of the vehicle 1, 5 is each part of the vehicle 1 according to an instruction of the ECU 2 Actuators that operate. The ECU 2 includes an input circuit from the sensors 4, an output circuit to the actuators 5, a peripheral circuit 6 including an input / output circuit with a program rewriting device described later, and a central processing unit (hereinafter, referred to as a central processing unit) that controls the entire ECU 2. And a storage device 8 for storing programs and data read and executed by the CPU 7. The storage device 8 is, for example, a rewritable ROM or the like. Data is stored in a plurality of storage blocks 8a to 8d (blocks A to D in the figure) divided for each program.

A program rewriting device 9 includes an input / output circuit 11, a central processing unit (hereinafter referred to as a CPU) 12 for controlling the entire program rewriting device 9, and a storage unit 13
And an operation unit 14, and an EC mounted on the vehicle 1.
U2 is connected by the harness 10 when rewriting the program. The storage unit 13 stores a program that is read by the CPU 12 to control the entire program rewriting device 9, a rewriting program for rewriting a program of the ECU 2 mounted on the vehicle 1, and data. A power supply path from the battery 3 of the vehicle 1 and a communication line between the CPU 7 and the CPU 12 are configured.

In the vehicle-mounted electronic control device and program rewriting device configured as described above, the E-
When the power is supplied to the CU 2, the CPU 7 reads out a program for controlling the entire ECU 2 stored in a specific storage block of the storage device 8 and starts the operation. Storage device 8
In addition to the program for controlling the entire ECU 2, programs and data for detecting the state of each part of the vehicle 1 by various sensors 4, control procedures and driving times of the actuators 5, etc. Is stored in each storage block 8a for each program.
The CPU 7 reads out these programs, inputs data from the sensors 4 via the peripheral circuit 6, outputs control and drive signals for the actuators 5, and outputs signals to the engine 7 of the vehicle 1. Control and control of a traveling system such as a transmission.

When it is desired to change the control contents of the engine control and the traveling system control stored in advance, it is necessary to rewrite the contents of the programs and data stored in the corresponding storage blocks of the storage device 8. To change such stored information, the program rewriting device 9 is connected to the ECU 2 via the harness 10 and the CP of the program rewriting device 9 is changed.
U12 and the CPU 7 of the ECU 2 are made communicable via the input / output circuit 11 and the peripheral circuit 6, and the rewriting program and data information stored in the storage unit 13 of the program rewriting device 9 are stored in the storage device 8 of the ECU 2. Is transferred to the storage block to be rewritten and rewritten.

The rewriting procedure is as follows. First, the CPU 12 of the program rewriting device 9 reads out programs and data stored in the storage unit 13. The program and the data are a program for controlling the entire program rewriting device 9 and a rewriting program and data for rewriting the program of the ECU 2 as described above, and which program and data are stored in which storage block of the storage device 8 of the ECU 2. Is written. Subsequently, the CPU 12 of the program rewriting device 9 side
According to these programs, the storage device 8 on the ECU 2 side
A block erase command is transmitted to erase the storage contents of the storage block to be rewritten, and the ECU 2 side CP
U7 receives this command and erases the storage contents of the storage block instructed by the storage device 8.

Upon detecting that the storage contents of the storage block to be rewritten in the storage device 8 of the ECU 2 have been erased, the program rewriting device 9 sends a program or data to be written to this storage block to the ECU 2 and the CPU of the ECU 2
Receiving this, the new program and data are written in the storage block of the storage device 8 to be rewritten, and the rewriting is completed. If the rewriting program or data must not be easily analyzed, the rewriting program or data is encrypted and stored in the storage unit 13 of the program rewriting device 9, and is decoded by the CPU 7 upon reception and stored in the storage device 8 in the storage block to be rewritten. Can also be written to.

[0008]

As described above, the ECU 2
Programs and data that are stored in the storage device 8 and that are rewritten and stored are read from each storage block as needed, and the CPU 7 controls the vehicle 1. However, these programs and data are defective or missing. If there is, the program may run away and the vehicle 1 may fall into a state where safety cannot be ensured. Since the rewriting of the program is performed by the operator when a correction or change is necessary, a human error may occur, and the program in the storage block of the storage device 8 may remain in the erased state. Or a halfway write state. In addition, defects or omissions may occur in the rewritten program due to a failure of the program rewriting device 9 or the harness 10, or noise during transfer.
These program defects may cause malfunctions in vehicle control or cause program runaway.

As described above, the storage device 8 stores a program for different control in each of the divided storage blocks. However, when the program is changed in only some of the storage blocks, the above-mentioned human error is caused. Conventionally, even when the program is changed only for a specific storage block, in order to avoid a program runaway due to a work error as described above, the specific storage block is not partially rewritten, A technique of erasing and rewriting the entire area has been adopted. For this reason, it is necessary to store the entire amount of information for rewriting in the storage unit 13 of the program rewriting device 9, the storage unit 13 has a large capacity, the program rewriting device 9 becomes expensive, and In addition, there is a problem that the increase in the rewriting time leads to an increase in the risk of causing a program defect due to noise.

SUMMARY OF THE INVENTION The present invention has been made to solve such a problem, and a flag for judging the quality of a program is provided in each of a plurality of storage blocks storing a program of a storage device. By doing so, it is possible to prevent rewriting errors of the program, prevent trouble such as runaway of the CPU, enable rewriting of only the storage block to be changed, and shorten the rewriting time.

[0011]

According to the present invention, there is provided an on-vehicle electronic control device which includes a CPU for executing a program, an input process from sensors, an output process for actuators, and a program rewriting device based on a command from the CPU. Peripheral circuits that perform input / output processing with the CPU, programs and data for input processing from sensors, output processing for actuators, and arithmetic processing of the CPU are stored, and are divided into a plurality of storage blocks. A storage device in which various programs and data are stored for each, and a flag indicating the quality of each of the stored programs and data is stored in each storage block of the storage device,
This flag is written after a program is written in the storage block and the program is checked to determine whether it is good or not.

A flag indicating the quality of the program is
When the program and data in the storage block are erased, it is determined that the storage block is not normal. Further, a program stored in at least one of the plurality of divided storage blocks determines a flag indicating the pass or fail of each storage block, and when any one of the flags indicates that the program is not normal, The output processing is stopped. Furthermore, when the flag is determined and the program is determined to be abnormal, a warning display is output. Further, each program stored in each divided storage block is constituted by the minimum unit which does not affect the function of the program of another storage block even if the program is erased collectively.

The program rewriting device includes a CPU for executing the program, an input / output circuit for outputting the rewriting program based on an instruction from the CPU, and a storage unit for storing the rewriting program and an arithmetic processing program for the CPU. In rewriting a program of a vehicle-mounted electronic control device having a storage device that is divided into a plurality of storage blocks and stores various programs for each storage block, the rewriting of the program is performed by a storage block that is a program change target of the storage device. And the rewritten storage blocks are collated to determine whether the rewritten program is good or bad.

Further, the rewritten storage block is collated, and if the program of the storage block is determined to be normal, a flag indicating that the program is normal is set in the storage block. .
Still further, the rewriting program stored in the storage unit of the program rewriting device is constituted by a minimum unit which does not affect the functions of other programs even if the program is erased in a batch.

[0015]

DESCRIPTION OF THE PREFERRED EMBODIMENTS Embodiment 1 FIG. 1 shows a configuration of a program stored in a storage device of an on-vehicle electronic control device according to Embodiment 1 of the present invention. The on-vehicle electronic control device and the program rewriting device are described in FIG. Configuration is used. In FIG. 1, 8a to 8d
Indicates storage blocks of the storage device 8, and shows an example in which the storage device 8 is divided into four storage blocks, each of which is a block A, a block B, a block C, and a block D. Each storage block 8a or 8d
Stores programs and data necessary for controlling the vehicle in different storage blocks for each program. These programs include a program for controlling the entire ECU 2,
These are programs and data of recognition procedures and control values for detecting the state of each part of the vehicle 1 by various sensors 4 and programs and data of control procedures and driving times of the actuators 5. The number of divisions of the storage block is determined by the number of types of the program, and the size of the storage block is determined by the size of the program or data. Also,
An address indicating a storage location is assigned to information such as a program, and the CPU 7 reads out the program and data by designating the address.

Reference numeral 15 denotes a program start address which is read first when the CPU 7 starts operating, and is stored in, for example, the storage block 8a of the storage device 8,
7 reads the start address 15 and selects and reads a program to be executed from the addresses of the programs stored therein. Reference numeral 16 denotes a first operating program stored in the storage block 8a together with the program start address 15, which is read first by the CPU 7 and
2 shows a program for operating the program. CPU7
Does not function when the program start address 15 is missing, or enters an infinite loop state,
The operation command is not issued to the actuators 5, so that the vehicle 1 does not start and is kept in a safe state.

Reference numerals 17 to 20 indicate pass / fail flags provided in the divided storage blocks 8a to 8d. The pass / fail flags 17 to 20 are described by a sum check value, an encryption code, or the like. If the program or data stored in the storage block is not missing or defective, it indicates a good state, and if there is a missing or defect, it indicates a bad state if it is erased. The pass / fail flag 17 or 20 is read out to the program 16 which operates first, and if each flag is good, the operation is continuously performed. 5 is operated so that the safety of the vehicle 1 is ensured. In addition, the program 16 that operates first activates a warning display device (not shown) provided in the vehicle 1 and detects any defect or omission of the program or data in any of the storage blocks 8a to 8d of the storage device 8. For example, it can have a function of displaying this.

In the configuration of the first embodiment of the present invention configured as described above, when rewriting a program or the like used for the on-vehicle electronic control unit, the ECU 2 and the program rewriting device 9 are connected in the same manner as in the above-described conventional example. Connected by harness 10. The CPU 12 of the program rewriting device 9 follows the program read from the storage unit 13 and
Sends a block erasure command to the CPU 7 of the ECU 2 in order to erase the storage contents of the storage block to be rewritten in the storage device 8, and the CPU 7 receives the command and receives the command to store the storage contents of the storage block to be rewritten. To delete. When the erasure of the storage of the storage block to be rewritten is recognized, the program rewriting device 9 transmits a program or data to be written to the erased storage block to be rewritten to the CPU 7 of the ECU 2, and the CPU 7 Write programs and data to storage blocks.

The writing procedure is as follows. First, the writing is started from the program and data information excluding the pass / fail flag in the information to be written in the storage block to be rewritten, and when the writing of the program or data is completed, the writing is normally performed by the program rewriting device 9. Whether or not the rewritten memory block is checked using a general method such as a sum or a CRC method. If it is confirmed that the program and the data are normally written, the pass / fail flag is written and the program start address 15 is written. In the collation after the completion of the writing, if the written program is missing or defective, the corresponding storage block is erased and written again, and the pass / fail flag is not written until the writing is confirmed to be normal. Not done. If the pass / fail flag has not been written, the pass / fail flag is determined to be a rejected state.

In the above program rewriting, for example, the start address 1 shown in the storage block 8a of FIG.
If 5 is erased or defective, the pass / fail flag 17 will be in a negative state, the entire program will not be executed, and will not function as described above, or will be in an infinite loop state, and no operation command will be issued, so the vehicle 1 will be safe. Kept in state. When the program or data in the storage block 8b is erased or has a defect, the pass / fail flag 18 is set to a negative state,
The program 16 that operates first determines this and determines whether the vehicle 1
Is stopped, and the vehicle 1 is maintained in a safe state. The storage block 8c and the storage block 8d are the same as the storage block 8b, and the program 1 that operates first
The vehicle 1 is kept in a safe state by the determination of the flag of No. 6.
Further, when a missing part is generated due to a trouble during rewriting of the program or when the program 16 is used without being noticed in a state where the writing is interrupted, the pass / fail flag indicates a negative state. The control is stopped and the vehicle 1 is kept in a safe state.

As described above, the memory block in which the program has been rewritten is checked by the program rewriting device 9 after the rewriting, and the rewriting is repeated until the rewriting is confirmed to be normal. After that, the pass / fail flag indicates a good state, so that the storage block that needs to be changed can be surely rewritten, and the entire storage device 8 is rewritten as in the prior art for a partial change. It is not necessary, and even if only the storage block storing the program to be changed is rewritten, the rewriting time can be greatly reduced without causing a program error. For example, if the storage device 8 is 1
When the data is divided into six parts and only one block needs to be rewritten, the rewriting time is reduced to 1/16.

Furthermore, if the minimum unit which does not affect other programs even if the program or data is erased is divided so as to be stored in one functional block, other programs can be stored even if the memory blocks are erased collectively. The data amount at the time of rewriting can be minimized without impairing the function of the program rewriting device.
And the storage capacity of the storage unit 13 can be minimized.
Although the above-described writing procedure has been described for the case where the storage block to be rewritten is rewritten, the rewriting can be performed by the same procedure even when the rewriting is performed for the entire area of the storage device 8.

[0023]

As described above, according to the on-vehicle electronic control device and the program rewriting device of the present invention, the ECU
Divides the storage device built in to multiple storage blocks,
The program start address and various control programs are individually stored in each divided storage block, and a pass / fail flag is provided for each storage block to indicate that the program in the block is not missing or defective. Rewrite from information other than the flag, confirm that the program has been written correctly, write the pass / fail flag, determine the pass / fail of the pass / fail flag, and start or stop the control. As a result, troubles such as runaway of the CPU due to a program error can be prevented beforehand, the vehicle can be maintained in a safe state, and the program can be rewritten for each memory block. Of rewriting errors due to noise at the time of rewriting, and storage of program rewriting device Such as allowing the reduction of capacity and is,
An excellent in-vehicle electronic control device and program rewriting device can be obtained.

[Brief description of the drawings]

FIG. 1 shows a configuration of a program used in a vehicle-mounted electronic control device according to a first embodiment of the present invention.

FIG. 2 is a block diagram showing a connection state between a general in-vehicle electronic control device and a program rewriting device.

[Explanation of symbols]

1 vehicle, 2 electronic control unit for vehicle, 3 battery, 4
Sensors, 5 Actuators, 6 Peripheral circuits, 7
CPU, 8 storage devices, 8a, 8b, 8c, 8d storage block 9 program rewriting device, 10 harness, 11 input / output circuit, 12 CPU, 13 storage unit, 14 operation unit,
15 Program start address, 16 First running program, 17, 18, 19, 20 Pass / fail flag.

Claims (8)

[Claims] A CPU for executing a program;
Peripheral circuit for performing input processing from sensors, output processing for actuators, and input / output processing for a program rewriting device based on a PU command, input processing from the sensors, output processing for the actuators, and the CP
A program and data for the arithmetic processing of U are stored, and a storage device is provided which is divided into a plurality of storage blocks and stores the various programs and data for each of the storage blocks. Is stored together with a flag indicating the pass / fail of each of the stored programs and data.The flag is written into the storage block, and is written after the program is checked to determine whether the pass / fail is good. An in-vehicle electronic control device, characterized in that: 2. The in-vehicle electronic device according to claim 1, wherein the flag indicating the quality of the program is determined to be abnormal when the program or data in the storage block is erased. Control device. 3. A program stored in at least one of a plurality of divided storage blocks determines a flag indicating pass / fail of each storage block, and when any one of the flags indicates that the program is not normal, 3. The on-vehicle electronic control device according to claim 1, wherein output processing for the actuators is stopped. 4. The in-vehicle electronic control device according to claim 3, wherein a warning display is output when the flag is determined and the program is determined to be abnormal. 5. The program according to claim 1, wherein each of the programs stored in each of the divided storage blocks is constituted by a minimum unit which does not affect the function of the program of another storage block even if the program is erased collectively. An in-vehicle electronic control device according to any one of claims 1 to 5. 6. A CPU for executing a program;
An input / output circuit that outputs a rewrite program based on a PU command; and a storage unit that stores the rewrite program and an arithmetic processing program of the CPU. The storage unit is divided into a plurality of storage blocks, and various programs are stored in each of the storage blocks. In rewriting the program of the in-vehicle electronic control device having the stored storage device, the rewriting of the program is performed on the storage block to be changed of the program of the storage device, and the rewritten storage block is checked and rewritten. A program rewriting device configured to determine the quality of a program executed. 7. The rewritten storage block is collated,
7. The program rewriting device according to claim 6, wherein when the program of the storage block is determined to be normal, a flag indicating that the program is normal is set in the storage block. 8. The rewriting program stored in the storage unit,
8. The program rewriting device according to claim 6, wherein the program rewriting device is constituted by a minimum unit which does not affect functions of other programs even if the program is erased in a batch.