DE102007004729A1 - Electronic controller's hardware configuration verifying method for e.g. hydraulic processing machine, involves comparing detected signal with target signal, and executing control program at microcontroller depending on comparison result - Google Patents

Abstract

The method involves detecting a signal at a preset input terminal (30) of a microcontroller (20) of an electronic controller (1), and comparing the detected signal with a target signal. A control program is executed at the microcontroller depending on the result of the comparison, and a model variant of the microcontroller is detected. A memory chip (24) is selected, when the detected signal matches with the target signal, and a discarded hardware detection is compared with a target detection. An independent claim is also included for a controller with a microcontroller arranged on a printed circuit board.

Description

The The invention relates to a method for verifying a hardware configuration according to the generic term of patent claim 1. The invention further relates to a control device, in particular for a mobile hydraulic working machine.

Lots Vehicles, in particular hydraulic machines, agricultural Machinery and construction machinery today are equipped with electronic control units that the traction drive and the working devices, such as lifting cylinders, excavator buckets, etc. depending on control of operator signals. The control units take over simultaneously Demand-driven activation of the vehicle engine and a hydraulic Pump for supplying the drives. Control devices in the broader sense are also at inpatient industrial machines, e.g. B. in industrial automation available.

Various Variants of control devices within of a product group are often based on a common layout of the PCB and use the same type of microcontroller. The number of different for ECUs suitable microcontroller is as well as the number of available Memory models limited. For different Applications of a controller but different, especially for the particular application and for the specific equipment of the control unit developed customized control programs. The problem is that one for a specific controller developed control program on other, only slightly different ECUs at least partially executable is. Alone on the basis of a processor ID of the microcontroller and The basic functions of the device can be the control program the identity not recognize the underlying hardware.

The To run a control program on a non-scheduled and usually also differently wired control unit can lead to unpredictable and dangerous behavior of the vehicle or a stationary one Machine lead. It is therefore desirable at the beginning of the execution of the control program, the hardware platform used via a Identification within the control unit to identify properly. It So should be clearly identifiable, whether the control program on the associated, the programming underlying hardware platform used becomes.

It is common, identification data in a non-volatile memory - in the parameter memory or in the program memory - store. However, such a method has the disadvantage that the identification data must be programmed in a separate process and inadvertently overwritten during operation can be. Such an identifier is therefore expensive to implement and impairs in certain circumstances the reliability of the control unit.

outgoing From the prior art, it is the object of the invention, a Verification procedure for the review of a Hardware platform, the use of a possible easy-to-produce and software-not identifiable identifier in a control unit allows and at the same time the safety of the controlled machine guaranteed.

These The object is achieved by a method having the features of the patent claim 1 solved. Further, a control device indicated with a control program for performing such a method Is provided.

According to the present Invention is at a given input terminal of the microcontroller detects a signal and compares this with a default signal. A control program becomes dependent executed by the comparison result. This verification process allows it in the assembly the circuit board by setting an identifier that on a set input terminal of the microcontroller an identification signal by appropriate components, eg. B. a voltage divider, a frequency generator, etc., hardware side is fixed. Such an identifier covers differences in the printed circuit board as well as in the assembly is not and can not be deleted by a malfunction of the software. Furthermore, a large Number of variants can be distinguished.

For verification of the hardware configuration, only one input connection is queried. An activation of outputs or an external data bus is only performed after successful verification. During verification, the control unit remains inactive from an external point of view, ie in a state of a safe state with respect to the outputs of the microcontroller. B. corresponds to the reset state. The verification does not trigger a state change in the periphery of the microcontroller. Apart from the default signal, no peripheral education is required to perform the procedure. At the same time, the procedure is safe for the operator. The verification requires only a few processor cycles and is therefore available shortly after the start of the microprocessor. The method can be implemented programmatically simple and close to the machine. The method can be processed within an initialization phase of the microcontroller and can thus reliably prevent the execution of unsuitable control programs on the microcontroller. The verification method is also well suited for safety-critical applications, since with little effort a redundancy can be implemented by querying several different identifiers.

The Method is in particular for that suitable, similar equipment from one family and especially on identical printed circuit boards based assembly variants to distinguish. Between such control units is the risk of confusion especially high.

The The object of the present invention is based also solved by that a control unit -. B. for a Vehicle - specified which is with a printed circuit board, with one on the circuit board arranged microcontroller, with additional on the circuit board arranged electronic components and with a memory Is provided. In the memory is a on the microcontroller executable Program stored, the inventive method on the microcontroller performs.

Further, advantageous embodiments of the present invention are in specified in the dependent claims.

According to one preferred embodiment is additionally a model variant detected by the microcontroller and this with a model variant default compared. Execution the control program will be additional from the result of the comparison step with respect to this model variant dependent made. Preferably, the examination of the model variant of the Microcontroller even before detecting an external signal. Thereby can be pre-compatibility the microcontroller and the control program. Besides that is ensures that the microcontroller can be used selectively can, that is z. B. no outputs of the Microcontroller but only inputs are addressed and that z. B. an internal A / D converter is present to the periphery to verify. Consequently, a correct and for the operator safe execution a subsequent verification based on an external signal ensured. The model variant of the microprocessor serves as additional Information for verification of the hardware configuration and increases on the one hand the number of distinguishable hardware configurations as well as the other the security for the correct detection of a specific hardware configuration. The Model variant leaves z. B. by reading a processor ID or by checking Registers or addresses of the microcontroller for which after a reset fixed value, determine.

If at agreement of the detected signal with the default signal read out a memory block and a hardware identifier stored therein with a default identifier is compared reliability to further increase the detection of a particular hardware configuration and the Increase number of distinguishable hardware configuration. The advance check of the signal detected at the signal input ensured with a very high Probability that the hardware configuration exists for which the Control program was created, and thus the memory access succeeded accomplished becomes.

According to one Particularly preferred embodiment are given to at least two input terminals the microcontroller detects separate signals and each with a compared to the respective input terminal associated default signal. Such a verification is with the least effort - especially exclusively with internal resources of the microcontroller - feasible and guaranteed a high reliability and Security in the correct recognition of the intended hardware configuration. Furthermore can a big Number of hardware configurations are differentiated from each other.

Preferably is at the mentioned input terminal the signal voltage of an analog Signal detectable by z. B. an internal analog-to-digital converter of the microcontroller is used. Analog signal inputs are anyway with the control units typically used microcontroller present. An analogue signal with preset Tension leaves Simply by a voltage divider or a constant voltage source represent. The coding of the signal is done by using appropriate resistors, Zener diodes or voltage regulator ICs when assembling the hardware.

If a match of the analog signal with a default signal within a particular one Tolerance interval is detected, the analog signal through a simple circuit and / or low-cost electronic components be generated. In addition, the reliability of the controller is increased. one Can reduce the number of distinguishable hardware configurations be countered by using multiple identifiers.

When voltage divider circuits are used, there is a fundamental risk that the voltage read in will change due to an error (eg due to a drift) into another voltage. However, such a drift is reliably detected and evaluated as an error case if only a single tolerance interval is permitted for the verification of a specific hardware configuration. In addition, for additional protection, another In formations are included in the verification, eg B. Characteristics from a memory, as already described. In principle, the security of the method increases with the number of signals recorded and used for the verification. If z. B. two voltages generated by different equipment at different signal inputs are detected, all "common cause" errors - including those of the A / D converter - can be detected.

Preferably The verification process will take place during an initialization phase executed by the microcontroller. This reliably prevents the Control of actuators before the admissibility of the pairing of the control program and the hardware configuration is established. To continue safety increase, in particular with regard to expansion modules which can be connected during operation, can also in normal operation at regular intervals, the verification method of the invention be performed. If an error occurs during the verification of the hardware, the verification fails fails or leads to the conclusion that the hardware does not match the hardware, which underlies the development of the tax program remains the microcontroller in a predetermined safe state, with regard to the outputs of the microcontroller z. B. an initialization phase or a Reset state is comparable.

The control unit is for guarantee The safety preferably constructed so that the state of the outputs of Microcontroller in the initialization phase or during a Resets of the microcontroller for the actuators controlled to a predetermined safe state Episode has.

following For example, the present invention and its advantages are incorporated by reference explained in more detail on the embodiment shown in the figures.

1 represents the basic structure of a control device for a hydraulic machine and

2 shows a flow chart of an initialization phase of the microcontroller of in 1 illustrated control unit.

According to 1 is a control unit 1 for a hydraulic machine, z. As a construction vehicle, with multiple input and output terminals 10 . 11 . 12 . 13 . 14 . 15 provided, where it is connected to a supply voltage 3 , Input devices 5 of the operator, to a solenoid 6 for controlling a hydraulic valve 7 to an electric motor 8th for z. B. a fan and a displacement sensor 9 connected. The control unit 1 has a microcontroller on a circuit board 20 and one over a bus 22 connected memory module 24 , The output connections 12 and 13 be through the microcontroller 20 about power drivers 26 and 27 driven. The input terminals 10 and 14 lead the analog-to-digital converter 28 of the microcontroller 20 analog input signals too. A switching signal at the entrance 11 becomes a digital input terminal of the microcontroller 20 fed. From the input voltage 3 be via two stabilized voltage dividers 32 and 33 generates constant DC signals. These voltage signals are at the input terminals 30 and 31 of the microcontroller 20 and also by the analog-to-digital converter 28 detected.

In 2 is the operation of the controller 1 schematically illustrated by a flowchart. The procedure corresponds to a part of the initialization phase of the microcontroller 20 ,

First, in step s1 - usually after a reset of the microcontroller 20 - Starting a control program on the microcontroller 20 , This assumes that the control program is on the microcontroller at all 20 is bootable. For this purpose, certain hardware requirements regarding the processor of the microcontroller and the memory equipment must be met. The machine code of the control program must z. B. be executable on the processor. Otherwise, the control program will not start anyway.

In a further step s2 checks the control program, whether the processor is in the expected model variant. For z. B. queried the processor ID. Alternatively or additionally, registers and addresses are read out for which after a reset of the Processor has a fixed expected value. This can be usually a specific processor variant and possibly even their mask bar determine clearly. The information gained about the model variant of the processor become with in the control program given values compared. At a match the information with the values specified in the control program, will be the next Verification steps s3 and s4 executed. Otherwise, the execution of the Control program stopped, as shown in step s7.

In steps s3 and s4 it is checked whether the circuit board of the control unit 1 or the equipping of the specification in the control program corresponds. In order to achieve this, circuit-specific or assembly-specific information is requested. In step s3, a signal at the input terminal 30 of the microcontroller 20 detected. More precisely, that will be at the input port 30 applied signal voltage through the analog-to-digital converter 28 detected. This tension is due to the Bestü cover the PCB with a voltage divider 32 and can not be changed by software. The voltage divider comprises an electrical resistor and a zener diode. By choosing a suitable zener diode, a desired signal voltage can be predetermined in advance with high accuracy. With a sufficiently stable voltage supply through the voltage source 3 However, a simpler voltage divider circuit of two ohmic resistors can be used.

The detected signal voltage is in step s4 with a control program stored value compared. Only if the detected signal voltage matches with the default value stored in the program becomes the next step s5 or the normal mode s6 executed. Dodges the detected signal voltage from the default value, so omitted another embodiment of the Control program according to step s7.

at The detection of an analog signal voltage must have certain production tolerances the signal voltage and when detecting the signal voltage taken into account become. Therefore, for a allowed Hardware configuration a pre-specified voltage range reserved, which covers the expected tolerances. Various Hardware configurations differ in that slightly different and not overlapping Voltage ranges allowed are. With this procedure are with a microcontroller with a 10bit A / D converters easily up to a hundred different hardware configurations certainly verifiable.

For a simple Implementation it sufficient that one for the monitoring of the control unit anyway existing input (eg monitoring the internal supply voltage) is used. This supply voltage can be set by appropriate voltage divider on the supply side. However, they are usually larger tolerances to consider in capturing the supply voltage, leaving only one low resolution be achieved. Furthermore There are limitations for some microcontroller models in terms of access to the detected value or voltage range. On the other hand needed this implementation variant does not require any additional resources.

There the control program to any relevant change in a read signal voltage reacts with a mistake, all changes are recognized correctly. in principle increases the safety of the process with the number of used indicator.

As in 1 shown, z. B. a second signal voltage through another voltage divider 33 generated and at another analog input 31 of the microcontroller 20 made available. This second signal voltage is also read out and compared with a stored in the control program associated default value or a default interval. This can be done in parallel with the detection and testing of the signal voltage at the terminal 30 happen. However, the detection and testing of the second signal voltage can also take place sequentially after the test of the first signal voltage, as in step s5 in FIG 2 shown. Both in the parallel test of two analog signal voltages and in the sequential test, the result of the two tests is linked by a logical AND, so that the control program only switches to normal operation s6 if both signal voltages have been successfully verified.

In the illustrated verification on the basis of two voltages generated with various equipment, all 'common cause' errors - including those of the analog-to-digital converter 28 - be covered.

In principle, any input ports of the processor may be used to identify the hardware configuration if its signal state is at least after a microcontroller reset 20 corresponds to a predetermined value and if the reading out the outputs 12 . 13 of the microcontroller 20 unaffected. Instead of an analog signal of constant voltage, digital signal sequences can also serve as identification. These are generated by an appropriate placement of the circuit board and a digital input of the microcontroller 20 placed. An identifier can also be kept in the form of a frequency-coded signal.

In step s5 or in further subsequent verification steps, further identifiers can be recorded and checked. It can be in a non-volatile memory 24 act stored characteristics. For reading the memory 24 is an activation of the memory bus 22 necessary. By the previously performed verification with the help of the signal inputs 30 and 31 and by the usually different addressing of the memory and the I / O periphery of the microcontroller 20 is an inadvertent control of the outputs 12 and 13 very unlikely.

After successful completion of all verification steps s1 to s5, the control program executes the normal control operation. These are input signals of the input devices 5 and existing sensors 9 evaluated and corresponding control signals for motors and actuators at the control outputs 12 and 13 by means of power driver 26 and 27 generated. If one of the verification steps does not deliver the predetermined result, ie a detected ID, a detected external signal or characteristic data read from the memory does not match the default data stored in the control program, then the control program does not execute normal operation but is stopped or remains in an error state s7, in which no activation of the control outputs deviating from the initialization state 12 or 13 of the microcontroller 20 he follows.

Typically, the verification of the hardware configuration of the controller 1 in an initialization phase following a reset. However, it is also conceivable to carry out such a verification during operation repeatedly to z. B. detect changes in the hardware configuration for which the control program is not designed. This is desirable in modular control units with switchable in operation modules. This z. B. a signal generated on the module placed on a free signal input of the microcontroller and used for verification.

It should be noted that during a reset state and during an initialization phase of the microcontroller 20 whose outputs have a predefined state. This state of the outputs is retained by the microcontroller 20 even if the error state is accepted in step s7. The exits 12 and 13 of the controller are connected to the outputs of the microcontroller 20 connected so that during the reset, the initialization and the error state in step s7 a threat to the machine and operator by the actuators 6 . 7 and 8th is excluded, or that the actuators 6 . 7 and 8th to assume a safe state.

The core of the invention is the passive detection - in the sense that only one signal input is read - a signal generated by the hardware and the microcontroller supplied in the verification of a control program associated hardware configuration. A predefined identifier uniquely identifying the hardware configuration is determined on the component side and compared with an identifier specified in the control program. This has the following advantages:
The hardware configuration of the controller is detected safely and easily. The signal characterizing the hardware configuration can not be changed by the software and is only predefined by the assembly of the printed circuit board of the control unit. Apart from the external program memory necessary for the program run, no further peripherals are actively used. In particular, the controller remains externally inactive until completion of the verification in the sense that its outputs maintain a secure state.

One in the program memory located control program, on several to be distinguished control devices - z. B. Control devices, the same microcontroller, but a different PCB assembly have - in principle is executable, can uniquely identify the hardware configuration of the controller. Malfunction of the controller due to unintentional use of one for a different hardware configuration programmed control program are excluded. Using several identifiers are the results of the respective individual verification linked with a logical AND.

The The method can be multi-level, whereby test steps, the lower the risk of an external change of state of the microcontroller include -. B. Reading an internal Register or a processor ID - at an earlier time carried out be considered such testing steps, the a higher one Pose risk - eg. B. Access to I / O functions of the microcontroller. This will be a high reliability and safety achieved.

A analog signal voltage, the identifier given as the component side Serving is particularly easy to implement and just as easy too to capture. Especially when feeding achieved two signal voltages to different inputs of the microcontroller you have a high recognition security and a sufficient number distinguishable hardware configurations. In particular, the analog Identifier can be designed so that any acceptable error is reliably detected.

The The present invention equally relates to controllers for mobile Machines - in particular mobile hydraulic machines - as well as on controllers for stationary machines - in particular Machines of industrial automation.

1

control unit

3

voltage source

5

input devices

6

operating magnet

7

hydraulic valve

8th

electric motor

9

displacement sensor

10

input port

11

input port

12

output port

13

output port

14

input port

15

supply terminal

20

microcontroller

22

bus

24

memory chip

26

power driver

27

power driver

28

Analog to digital converter

30

analog input of the microcontroller

31

analog input of the microcontroller

32

voltage divider

33

voltage divider

s1

step

s2

step

s3

step

s4

step

s5

step

s6

step

s7

step

Claims (10)

Method for verifying a hardware configuration of an electronic, with a microcontroller ( 20 ) equipped control unit ( 1 ), characterized by the following steps: detecting (step s3) a signal at a predetermined input terminal ( 30 ) of the microcontroller, comparing (step s4) the detected signal with a default signal and executing (step s6, s7) a control program on the microcontroller ( 20 ) depending on the result of the comparing step (step s4). A method according to claim 1, characterized in that in addition the following steps are performed: performing a detection of a model variant of the microcontroller ( 20 ), Comparing (step s2) the recognized model variant with a model variant specification and executing (step s3, s7) the control program on the microcontroller ( 20 ) depending on the result of the comparing step (step s2) with respect to the model variant. A method according to claim 1 or claim 2, characterized in that in accordance with the detected signal with the default signal, a memory module ( 24 ) is read out (step s5) and a hardware identifier stored therein is compared with a default identifier. Method according to one of claims 1 to 3, characterized in that at least two predetermined input terminals ( 30 . 31 ) of the microcontroller ( 20 ) separate signals and with a respective input terminal ( 30 . 31 ) are compared. Method according to one of claims 1 to 4, characterized in that at the input terminal ( 30 . 31 ) the signal voltage of an analog signal can be detected. Method according to claim 5, characterized in that that a match of the analog signal with a default signal within a particular one Tolerance interval is detected. Method according to one of claims 1 to 6, characterized in that during an initialization phase of the microcontroller ( 20 ) is performed. Method according to claim 7, characterized in that the microcontroller ( 20 ) remains in a predefined safe state (s7) in the case of a verification of the hardware deviating from the stated specifications or in the case of an unsuccessful verification. Control device, in particular for a mobile hydraulic working machine, with a printed circuit board, with a microcontroller arranged on the printed circuit board ( 20 ), with additional electronic components arranged on the printed circuit board and with a memory ( 24 ), in which one on the microcontroller ( 20 ) executable program, characterized in that the program is a method according to one of claims 1 to 8 on the microcontroller ( 20 ). Control device according to claim 9, characterized in that the control device with respect to the actuation of actuators during a reset state and / or during an initialization phase of the Mirko controller ( 20 ) is in a predetermined safe state.