JP2000276354A - Communication device control circuit - Google Patents

Abstract

PROBLEM TO BE SOLVED: To investigate a cause and to restore a main program when a CPU is turned to an abnormal state at the time of downloading a main program SOLUTION: The abnormal state of a central processing unit(CPU) 1 is monitored by a system error detector 4 and an abnormal state detector 5 on the basis of an output from a watchdog circuit 2. When an abnormal state is detected at the time of downloading a main program from a host writing in a rewritable memories 9, 10 storing the main program and a spare program is inhibited. When the abnormal state of the CPU 1 is continue for fixed time, the state is regarded as a system error whose restoratic is impossible, and at the time of judging that illegal writing in the memories 9, 10 was executed before write inhibition control, the operation history of the abnormal operation is stored and redownloading or self-checking operation is executed by the spare program stored in a spare memory area in accordance with a state whether the operation history exists or not at the occurrence of a system error.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

The present invention relates to a communication device control circuit, and more particularly to a communication device control circuit in which a communication control program is stored in a writable memory.

[0002]

2. Description of the Related Art In a recent communication terminal device, a writable memory such as a flash memory is used as a main program memory so that functions such as addition or modification at the time of production lot switching or after shipping the communication terminal device to the market can be improved. At the time of version upgrade, a method is adopted which enables a new main program to be downloaded from the host via a communication line. According to this method, it is not necessary to disassemble the device and replace the internal ROM, and it is possible to easily upgrade the main program.

In a circuit configuration of a communication terminal device in which a main program can be rewritten as in this method, if a central processing unit (CPU) goes out of control at the time of downloading (hereinafter, also referred to as a "system error"), the main processing is performed. Japanese Patent Application Laid-Open No. H10-133958 describes a technique for avoiding the occurrence of a failure such as inability to download data, since illegal data is overwritten on the main program area of the memory.

FIG. 5 is a diagram showing a configuration of a communication device control circuit described in the above publication. This communication device control circuit has a CP
U41, a watchdog circuit 42 for resetting the CPU 41 when a failure occurs, a flash memory 47 as a main memory having a program area for storing a main program for operating the CPU 41, and a RAM (1) 48
And a ROM 49 and a RAM (2) 50 as spare memories having similar program areas, an address decode 46 for switching and using any of the main memory and the spare memory, and a host 46 and a CPU 41. It comprises an I / O port 45 and a system error detection circuit 43 for detecting whether or not the CPU 41 is in a runaway state.

Here, the system error detection circuit 43
The address decode 44 is controlled according to the state of the CPU 41, and the main memory is used when the CPU 41 is normal, and the spare memory is used when the CPU 41 is abnormal.
Control for switching the output destination memory of the address data from.

In the communication device control circuit shown in FIG.
The main memory 41 normally uses the main memory, and when the main program is downloaded from the host, a new main program can be downloaded to the program area of the main memories 47 and 48 to upgrade the main program. If a system error is detected during the download operation, the memory area accessed by the CPU 41 is forcibly switched to the spare program storage ROM 49 and the spare memory area of the RAM (2) 50 and stored in the spare memory area. The required CPU operation can be continued using the downloaded download function program and the required function program in the preliminary operation.

[0007] With such a configuration, the CP which cannot be restored even by the watchdog reset from the watchdog circuit can be used.
Even in the case of the runaway state of U, it is possible to switch to the spare program, download the main program again, and return from the failure state without replacing the memory element.

Further, by storing a necessary check application program in the preliminary operation in the ROM 49 or the like in the preliminary memory, it is possible to determine the cause of a system error and check the hardware for damage to the hardware. It is also possible.

[0009]

In the above-described communication device control circuit, in the operation of downloading a new main program, even when the CPU is brought into an abnormal state recoverable by the watchdog circuit, the write operation of the program storage flash memory is performed. However, there is a problem that the flash memory is unduly overwritten even if a system error does not occur.

The communication device control circuit described above, when a system error occurs in the operation of downloading a new main program, the flash memory 47, R
AM (1) 48 is overwritten with the main program as invalid data, and operates to download the main program again from the situation. For this reason, a spare memory for storing a spare program is provided separately in order to investigate the cause of system error occurrence, check the hardware for damage to the hardware, etc., and download the main program again. However, there has been a problem that the scale of the communication device control circuit is increased and the device becomes expensive.

Further, even if an abnormal condition occurs during the download of the main program, the download of the illegal data of the main program is continued until a system error is detected. There is a problem that overwriting of the unequal data that causes it cannot be prevented.

(Object of the Invention) It is an object of the present invention to provide a communication device control circuit which makes it possible to prevent a program from being overwritten in a rewritable memory for storing a main program in an abnormal state of a CPU. is there.

Another object of the present invention is to provide a communication device control circuit which enables a main program to be downloaded and an abnormal state to be determined with only a single rewritable memory for storing a main program. is there.

[0014]

SUMMARY OF THE INVENTION A communication device control circuit according to the present invention provides a communication line to a rewritable memory having a main memory area and a spare memory area for storing an active program and a spare program for operation of a central processing unit. A communication control circuit that writes a program via the watchdog circuit that generates a reset signal for resetting the central processing unit at regular intervals when the operation abnormality of the central processing unit continues; and a central processing unit based on the reset signal. An abnormal state detector that outputs an abnormal state signal corresponding to the duration of the operation abnormality described above, and a control unit that prohibits the central processing unit from writing the program based on the abnormal state signal.

A reset counter for counting the reset signal output by the watchdog circuit; and a reset circuit for resetting the reset counter when an interval between the reset signals is equal to or longer than the predetermined duration. The state detector outputs the abnormal state signal that starts with the reset signal and ends with the output of the reset circuit.

Further, a system error detector which outputs a system error signal when the count value of the reset counter reaches a predetermined value, and the control unit which starts writing of the program of the central processing unit and before the end of writing, A write operation storage unit for holding as an abnormal operation history when a write prohibition operation is performed, and when the system error signal is generated, the write operation storage unit holds the abnormal operation history. To write a new program via a communication line, or
If the writing operation storage unit does not hold the abnormal operation history when the system error signal is generated, a self-check operation is performed by a preliminary program.

(Operation) An abnormal state of the central processing unit (CPU) is monitored by an output of the watchdog circuit, and if an abnormal state is detected at the time of downloading, the abnormal state is transferred to a rewritable memory in which a main program and a spare program are stored. Writing is prohibited, and writing can be continued when the CPU recovers from a minor abnormal state. If the CPU keeps the abnormal state for a certain period of time, it is regarded as a system error. If it is determined that the illegal writing to the memory has been performed before the write prohibition control, the operation history of the abnormal operation is stored. Depending on whether or not the operation history exists when an error occurs, re-downloading or self-check operation is performed by the program in the spare memory area.

[0018]

DESCRIPTION OF THE PREFERRED EMBODIMENTS (Description of Configuration) One embodiment of a communication device control circuit according to the present invention will be described with reference to FIGS. 1, 2 and 3. FIG. FIG. 1 is a block diagram showing the overall configuration of an embodiment of the present invention. The circuit configuration of the present embodiment includes a central processing unit 1 (CPU 1), a flash memory 9 and a RAM 10 that store a main program for the CPU 1 to perform a control processing operation, and a program data from a host when the main program is upgraded. I / to take in
An O port 11, a watchdog circuit 2 for outputting a reset signal when the CPU 1 is abnormal, and a watchdog circuit 2
Counter 3 for counting the output of the watchdog reset signal (watchdog reset pulse)
A system error detector 4 for detecting a system error based on the count value of the reset counter unit 3,
An abnormal state detector 5 for detecting an abnormal state of U1, a controller 7 for inhibiting writing to the flash memory 9 in an abnormal state, and a spare for switching an access area of the CPU 1 to a spare memory area of the flash memory 9 in case of a system error. And an area access control unit 8.

The outline of the function of each part of the present embodiment is as follows. The flash memory 9 includes a main program area and a spare program area for storing a main program and a spare program for performing download control at the time of version upgrade and self-check control of the CPU 1 and peripheral devices at the time of an abnormality, in addition to required control of the CPU 1. have. That is, each program area has a download area and a self-check area.

In a normal state, the CPU 1 accesses a program area of the flash memory 9 to perform a required processing operation, and upon receiving a download instruction or the like from the host,
Download the main program, overwrite the original main program in the program area, and perform the processing operation based on the new main program. Further, the CPU 1 outputs a watchdog pulse indicating a normal processing operation to the watchdog circuit 2 at regular intervals in a normal operation state, and stops the output of the watchdog pulse in an abnormal operation. Therefore, if the interval between the watchdog pulses becomes large, it means that the CPU 1 is in the abnormal operation state only during that period. If the watchdog pulse is not output for a long period of time, it can be determined that the CPU 1 has fallen out of control.

The watchdog circuit 2 does not output a watchdog reset pulse for resetting the CPU 1 when the watchdog pulse from the CPU 1 is input at the above-mentioned fixed interval, but the interval of the watchdog pulse is longer than the above-mentioned certain interval. , A watchdog reset pulse of the CPU 1 is output. If the watchdog pulse is not output for a long time, the watchdog circuit 2 is output.
Predetermined interval determined by the internal timer (M seconds [s] described later)
, A watchdog reset pulse is periodically output, and the watchdog reset of the CPU 1 is continuously performed.

As will be described in detail later, the abnormal state detector 5 detects the watchdog reset pulse immediately after it is output, and outputs an abnormal state signal that continues for a period corresponding to the duration of the abnormal state of the CPU 1 to the controller. 7 is output. The controller 7 has a write prohibition control unit 71, and when an abnormal state signal is input from the abnormal state detector 5, the controller 7 prohibits writing to the flash memory 9 and the RAM 10 even during the download operation.

The reset counter unit 3 counts the watchdog reset pulse output from the watchdog circuit 2 when the watchdog reset pulse is continuously generated at the constant interval, and the system error detector 4 counts the pulse at this constant interval. When the count value of the reset counter unit 3 reaches a predetermined number N, the CPU 1 determines that a runaway state has occurred since the CPU 1 does not output a watchdog pulse for a long time, and a system error that occurs after the output of the abnormal state signal. Output a signal.

When the controller 7 outputs the write inhibit control signal, the spare area access controller 8 determines whether the write of the main program downloaded by the CPU 1 has been completed or before. The CPU 1 stores this as an abnormal state as an operation history, and when the system error signal is input after the operation history of the abnormal state is stored, using the programs in the spare memory area of the flash memory 9 and the RAM 10, The address bus is switched from the CPU 1 so that the download operation or the like is performed again.

Next, the configuration of a more detailed internal block diagram of the controller 7 and the spare area access controller 8 in the present embodiment, and the outline of the operation and functions thereof will be described.

FIG. 2 is a diagram showing an internal block of the controller 7, and an outline of the internal configuration and operation of the controller 7 will be described with reference to FIG. The controller 7 includes a write-inhibition control unit 71
, A flash memory control unit 72 and a RAM control unit 73
It is composed of

The flash memory control unit 72 includes a CPU 1
Is in a steady state, writing and reading to and from the main memory are controlled by a control signal output from the CPU 1 and a flash memory access notification signal output from the address decoder 6. When the CPU 1 is in the steady state, the RAM control unit 73 controls writing and reading to and from the RAM 10 by a control signal similarly output from the CPU 1 and a RAM access notification signal output from the address decoder 6.

When an abnormal state signal is output from the abnormal state detector 5, the write prohibition control section 71 determines that the CPU 1 has fallen into an abnormal state and performs control to prohibit writing to the flash memory.

FIG. 3 is an internal block diagram of the spare area access controller 8, and an outline of the internal configuration and operation of the call area access controller 8 will be described with reference to FIG. The spare area access controller 8 includes a write operation storage section 81, a spare area address generation section 82, and a selection section 83.

The write operation storage unit 81 includes a flash memory write control signal output from the controller 7 for controlling writing to the flash memory 9, a write inhibit control signal, and a write end notification for notifying normal end of writing. When the CPU 1 receives a write prohibition control signal due to an abnormality after the start of writing and before the write end notification is input, the CPU 1 determines that the write operation has ended abnormally, and determines that the write operation has failed. The state and the operation history are stored.

The spare area address generation unit 82 generates an address of a storage area for a spare download program (spare area for download) and an address of a storage area for a spare self-check program (spare area for self-check). Output. The selection unit 83 receives the addresses of the download spare area and the self-check spare area and the address from the address bus of the CPU 1 as inputs, and inputs the system error detector 4 and the write operation storage unit 8.
The address bus is switched so as to output any one of the addresses to the flash memory 9 and the RAM 10 according to the combination of the output states of Nos. 1 and 2.

The switching control of the address bus of the selecting unit 83 is performed in the case where there is a system error notification from the system error detector 4 and the writing operation storage unit 81 stores the operation history of the abnormal end of the writing operation. If the address bus is switched to the download spare area, and if there is a system error notification and the write operation storage unit 81 does not store the operation history of the abnormal end of the write operation, the address bus is switched to the self-check spare area. Switch.

As can be seen from the functional outline of each unit described above, this embodiment is functionally divided into three blocks. The first block is a processing function block for performing required processing control by the main program.
1, a flash memory 9 as a main memory storing a main program for a processing operation of the CPU 1 and a RAM 1
0 and an address decoder 6 for determining an access area when the CPU 1 accesses the main memory.

The second block is a monitoring function block for monitoring the operation state of the CPU 1, and mainly monitors a watchdog pulse output from the CPU 1, and when the pulse is not output from the CPU 1, the CPU 1 monitors the watch dog pulse. A watchdog circuit 2 for outputting a dock reset pulse;
An abnormal state detector 5 for immediately detecting an abnormality irrespective of whether or not U1 is likely to return; and a reset counter unit 3 for counting the watchdog reset pulse.
The reset counter unit 3 counts the watchdog reset pulse, and when a predetermined count value N is reached,
The system is configured by a system error detector 4 that outputs a system error signal when the PU 1 is in a runaway state in which the PU 1 cannot recover.

The third block is a spare function block for prohibiting overwriting on the rewritable memory and performing emergency processing by a spare program.
A controller 7 for prohibiting writing to the flash memory 9 when detecting an abnormal state, and detecting an abnormal state before the writing to the flash memory 9 is started and a write end notification indicating normal end is input from the CPU 1. When an abnormal state signal is input from the unit 5, the abnormal state is stored as a write operation history, and when a system error signal is output, whether or not information on the abnormal state is stored in the write operation history is determined. A spare area access controller 8 which forcibly switches the access area of the CPU 1 to a download or self-check spare area in which a spare program is stored, and controls an address bus so as to perform a self-check and re-download operation. Be composed.

(Explanation of Operation) Next, the normal processing function, the monitoring function, and the self-check function at the time of abnormality in the present embodiment will be described in more detail with reference to FIGS. 1, 2 and 3. In this embodiment, the communication line 11
2. It has a function of downloading a main program for performing required control to the flash memory 9 via the device external terminal 111 and the I / O port 11. When the CPU 1 receives the download request command from the host, one of the download execution tasks in the main program area of the flash memory 9 is started, and the main program storage area is newly rewritten by overwriting the main program. At this time, the CPU 1 has a RAM which is a main memory necessary for the download processing operation.
The access to the download processing area in 10 is also performed.

When the CPU 1 is in a steady state and performs required control processing, a task of a required function stored in the flash memory 9 is activated, and performs a processing operation using the processing memory area of the RAM 10. In this processing operation, I /
The access control to the O port 11, the flash memory 9, and the RAM 10 is performed based on the address signal of the address bus 101 of the CPU 1 and the control signal of the control line 103. It is up to the address decoder 6 and the controller 7 to determine which is the output.

Normally, the CPU 1 continues the operation of executing required processing by a program unless the main program memory area of the flash memory 9 is destroyed by erasing or rewriting. When a slight abnormal state occurs in the CPU 1, the output of the watchdog pulse is momentarily interrupted, and the watchdog circuit 2 outputs the watchdog watchdog reset pulse, so that the CPU1 is reset by the watchdog, and the abnormal state is detected. And the watchdog pulse is output again. on the other hand,
In an abnormal state in which the CPU 1 runs away, the reset operation by the watchdog circuit 2 cannot restore the CPU 1 to a normal state, so that the reset operation continues at a predetermined cycle.

Next, detailed operations of the reset counter 3, the system error detector 4, and the abnormal state detector 5 will be described. The reset counter 31 is a counter that counts a watchdog reset pulse from the watchdog circuit 2.
An M second [s] counter 32 having a function of constantly resetting its count value when 1 is normal is provided. M
The [s] counter 32 is reset by a watchdog reset pulse output from the watchdog circuit 2, constantly counts an internal high-speed clock (not shown), and every M seconds unless a watchdog reset pulse is input. To reset the count value of the reset counter 31 to “0”.

Therefore, for example, when the CPU 1 changes from a normal state to a slightly abnormal state and the watchdog circuit 2 generates one watchdog reset pulse, the reset counter 31 counts the watchdog reset pulse, and the count value “1” is set. , The M [s] counter 32 is also reset by the watchdog reset pulse, and a reset pulse is generated M seconds later to reset the reset counter 31 to the count value “0”. When the CPU 1 changes from a normal state to a runaway state, the watchdog circuit 2 generates a watchdog reset pulse continuously at intervals of M seconds.
[S] The counter 32 is reset by the watchdog reset pulse just before M seconds, and does not generate a reset pulse for resetting the reset counter 31.

In such a state, the reset counter 3
1 keeps counting the watchdog reset pulse and increases the count value. And the reset counter 31
Reaches a predetermined count value N, the system error detector 4 outputs a system error signal, for example, “1”. When the CPU 1 returns to the normal state thereafter, the watchdog circuit 2 does not output the watchdog reset pulse. Therefore, M seconds after the last output watchdog reset pulse, the M [s] counter 32 has an interval of M seconds. , A reset pulse is output, the count value of the reset counter 31 is reset, and the system error signal returns to, for example, “0”.

Next, the abnormal state detector 5 receives the outputs of the watchdog circuit 2 and the M [s] counter 32 as inputs, and when the watchdog reset pulse of the watchdog circuit 2 is input, the signal level of the abnormal state is immediately set. For example, when "1" is output and a reset pulse output from the M [s] counter 32 is input, the signal level is returned to, for example, "0", and an abnormal state of the CPU 1 is immediately determined.

Next, an explanation will be given of the abnormal termination of writing to the flash memory 9 during the download of the main program, and the operation of detecting an abnormal state of the CPU 1 and detecting a system error in this case. CPU
Assuming that 1 is a normal steady state, the M [s] counter 32
Outputs a reset pulse, the write operation storage unit 81 of the spare area access controller 8 has been reset, and the system error detector 4 has not output a system error notification signal. , The address bus of the CPU 1 is selected, and a required processing operation is performed using the main program in the main program area. In the processing operation of the CPU 1, the flash memory control unit 72 shown in FIG. 2 controls the writing and reading of the flash memory 9 based on the control signal from the CPU 1 and the flash memory access notification from the address decoder 6. Outputs control signal. Also, R
The AM control unit 73 outputs a write control signal and a read control signal for controlling writing and reading to and from the RAM 10. The write prohibition control section 71 outputs a write control signal for flash memory to the flash memory 9 and the spare area access controller 8.

Here, when the CPU 1 receives an instruction to download the main program from the host 46 or the like, the CPU 1 reads the download program from the download area of the main program area of the flash memory 9 and the RAM 10 and sends the read program via the I / O port 45. A download operation is started in which a new program inputted by overwriting the flash memory 9 and the RAM 10 is overwritten. In this download operation, in response to a command from the CPU 1, the address decoder 6 shown in FIG. 7 outputs a flash memory access notification, and the flash memory control unit 72 of the controller 7 outputs a write control signal to the write inhibit control unit 71, and This is performed by the prohibition control unit 71 outputting a flash memory write control signal to the flash memory 9 and the RAM 10.

When the download operation is started, a write control signal for flash memory is first input to the write operation storage unit 81 shown in FIG. 3, and the CPU 1 operates normally and completes writing to the flash memory 9. In this case, a write completion notification signal is input from the flash memory control unit 72 next. When an abnormality occurs in the operation of the CPU 1, a write-inhibition control signal from the write-inhibition control unit 71 shown in FIG. The write-inhibition control signal from the write-inhibition control section 71 is output when the abnormal state detector 5 detects an abnormal state of the CPU 1 by a watchdog reset pulse.

The write operation storage section 81 holds the presence or absence of occurrence of an abnormal state of the CPU 1 in the write operation of the flash memory as an operation history by utilizing the difference between the input of the write end notification signal and the input of the write inhibit control signal. That is, when the CPU 1 normally starts the download operation and then normally ends the download and outputs the control signal, the write operation storage unit 81
Since the write completion notification signal output from the second device is output, it is determined that the write operation has been normally completed, and the operation history of the abnormal operation is not stored. For example, the operation history is “0”. Further, if the CPU 1 enters an abnormal state after the CPU 1 normally starts the download operation, the write inhibit control signal is output before the write end notification signal is input. The operation history of the state is stored. For example, the operation history is “1”.

When the write inhibit control unit 71 outputs the write inhibit control signal, the write control of the flash memory by the write control signal output from the flash memory control unit 72 is immediately inhibited, so that the flash memory 9 and the RAM 10 Under the write prohibition control from the prohibition control unit 71, even if there is a write instruction from the CPU 1, writing is not performed, so that the main program area is protected.

Here, the CPU 1 is connected to the watchdog circuit 2
When the CPU 1 returns due to the watchdog reset, the output of the abnormal state detector 5 is immediately switched from the abnormal state to the output of the normal state by the reset output of the M [s] counter 32 (judging that the CPU 1 has returned to the steady state. Therefore, the write prohibition control section 71 releases the prohibition of writing to the flash memory 9. At the same time, the writing operation storage unit 81 immediately erases the storage of the writing operation history (“0”) by resetting the output of the M [s] counter 32 (determining that the CPU 1 has returned to the steady state).
Then, the operation returns to the operation of detecting the abnormal state of the write operation. That is, an abnormal state that occurs in a short period during which the CPU 1 can recover does not remain as an operation history. Also, such C
In the case of a slight abnormality of the PU1, the CPU 1 can generally maintain the write state immediately before the write prohibition control even if the write operation is temporarily stopped, and restart the write operation when the write operation returns to the normal state. In order to allow the CPU 1 to recognize the write-inhibited control state for the operation of restarting the writing by the CPU 1, it can be configured to use the write-inhibited information from the abnormal state detector 5 or the write-inhibited control unit 71.

Also, due to the runaway of the CPU 1 or the like, the above C
Before the abnormal state of PU1 is detected, the flash memory 9
It is assumed that the main program memory area of the CPU 1 is erased or destroyed by rewriting, or that the CPU 1 cannot be restored by the above-mentioned watchdog reset due to damage of hardware constituting peripheral circuits of the CPU 1 or the like. . In this situation, since a state in which the watchdog pulse is not output from the CPU 1 continues, a watchdog reset pulse which is an output signal of the watchdog circuit 2 is output every cycle M [s]. System error detector 4
Determines that a system error has occurred when the count value of the reset counter 31 exceeds a predetermined count value N (CP
If U1 is defined as a system error if it is in a runaway state for a certain time L [s], the relationship between time L and cycle M is L = M × (N−1) (N> 0). ) Is notified to the selecting unit 83 of the spare area access controller 8 shown in FIG. The selection unit 83 switches the address bus according to a combination of the output states of the system error detector 4 and the write operation storage unit 81 as described below.

Upon receiving the system error notification from the system error detector 4, if the write operation storage unit 81 stores the CPU operation abnormality as the write operation history, the selection unit 83 It is determined that the data has been overwritten, and the spare area address generation unit 8
2 selects an address of a download spare area in which a download spare program output is stored.
When the selection unit 83 selects the address of the download spare area, the CPU 1 forcibly operates according to the program of the download spare area. That is, since the download function program necessary for a system error is stored in the download spare area of the flash memory 9, the CPU 1 immediately processes the spare program of the download spare area by the watchdog reset signal after detecting the system error. Start the operation and return to the download operation. As a result, the original flash memory 9
The main program is downloaded to the spare memory in the RAM 10 by the spare program.

When the selection unit 83 receives the system error notification from the system error detector 4, if the write operation storage unit 81 does not store an abnormal state in the write operation history, the illegal data is stored in the flash memory. It is determined that there has been no overwriting, and the address of the self-check spare area output by the spare area address generation unit 82 is selected. By selecting the address of the spare area for self-check, the CPU 1 is forcibly switched to access to the spare area for self-check. In the spare area for self-check of the flash memory 9, a spare program for self-check of the CPU 1 and a spare program for a hardware check function of peripheral circuits, which are necessary at the time of a system error, are stored. Immediately after the detection of the system error, the CPU 1 starts the self-check of the CPU 1 and the processing operation of the hardware check function spare program of the peripheral circuit by the watchdog reset signal, and the CPU operation returns. Then, the program processing of the self-check function of the CPU 1 and the hardware check function of the peripheral circuit is performed using the spare memory in the RAM 10 by the spare program.

FIG. 4 is a diagram showing a list of operation patterns according to the present embodiment. Pattern A shows the operation state of each part in normal operation, the address bus selects the main memory area,
This is a case where normal operation is performed regardless of the presence or absence of the download operation. In the pattern B, at least one watchdog reset is performed during the writing, whereby the CPU 1
Is a case where the operation returns to normal. Pattern C is a case in which a system error has occurred and the self-check operation is performed without any abnormal operation history. Pattern D is a case where a system error has occurred and there is a history of abnormal operation and download is performed again. In patterns C and D, the address bus selects a spare memory area.

In the above embodiment, an example using a normal communication line has been described. As the communication line, a satellite communication line, a communication line between personal computers using a communication cable, a telephone line, or the like is used. be able to.

[0054]

According to the present invention, when the CPU is in an abnormal state, the abnormal state is immediately detected and writing to the flash memory for program storage is prohibited. When the recovery from the abnormal state is possible, the CPU can restart the write operation by the watchdog circuit and normally end the overwrite operation. In addition, this makes it possible to efficiently operate the CPU operation.

If the CPU falls into an unrecoverable state (system error) from an initial abnormal state,
This is detected by the continuous abnormal state of the CPU, and it is determined that the CPU has performed an illegal write to the flash memory before that, and the area accessed by the CPU is forcibly switched to the spare memory area storing the spare program. Because it is configured to start the backup program
It is possible to repair the main program immediately or to investigate the cause of system error by self-check.

Further, by providing a control function for accessing the spare memory area, the spare memory ROM and RAM
Need not be newly installed, and the memory circuit scale can be minimized.

[Brief description of the drawings]

FIG. 1 is a diagram showing one embodiment of a communication device control circuit of the present invention.

FIG. 2 is a diagram illustrating a configuration of a controller according to the present embodiment.

FIG. 3 is a diagram illustrating a configuration of a spare area access control unit according to the present embodiment.

FIG. 4 is a diagram showing an operation pattern according to the present embodiment.

FIG. 5 is a diagram showing a conventional communication device control circuit.

[Explanation of symbols]

 1, 41 CPU 2, 42 Watchdog circuit 3 Reset counter unit 4 System error detector 5 Abnormal state detector 6, 44 Address decode 7 Controller 8 Reserved area access controller 9, 47 Flash memory 10, 48, 50 RAM 11 , 45 I / O port 31 Reset counter 32 M [s] counter 43 System error detection circuit 71 Write inhibit control unit 72 Flash memory control unit 73 RAM control unit 81 Write operation storage unit 82 Reserved area address generation unit 83 Selection unit

Claims (5)

[Claims] 1. A communication control circuit for writing a program via a communication line to a rewritable memory having a main memory area and a spare memory area for storing a working program and a spare program for operation of a central processing unit, the communication control circuit comprising: A watchdog circuit that generates a reset signal that resets the central processing unit at regular intervals when the operation abnormality of the processing device continues, and an abnormal state signal corresponding to the duration of the operation abnormality of the central processing device based on the reset signal. A communication device control circuit, comprising: an abnormal state detector that outputs a signal; and a control unit that prohibits the central processing unit from writing the program based on the abnormal state signal. A reset counter for counting the reset signal output from the watchdog circuit; and a reset circuit for resetting the reset counter when an interval between the reset signals is equal to or longer than the predetermined duration. 2. The communication device control circuit according to claim 1, wherein the status detector outputs the abnormal status signal that starts with the reset signal and ends with the output of the reset circuit. 3. A system error detector that outputs a system error signal when a count value of the reset counter reaches a predetermined value, and the control unit is configured to start writing of the program of the central processing unit and before the end of writing. A write operation storage unit for holding as an abnormal operation history when a write prohibition operation is performed, and when the system error signal is generated, the write operation storage unit holds the abnormal operation history. 3. The communication device control circuit according to claim 2, wherein a program is newly written via a communication line. 4. The communication device control according to claim 3, wherein when the system error signal is generated, if the write operation storage unit does not hold an abnormal operation history, a self-check operation is performed by a spare program. circuit. 5. The rewritable memory includes a flash memory.
The communication device control circuit according to any one of the preceding claims.