JP2008172896A - Controller of vehicular motor - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a controller of a vehicular motor capable of preventing the runaway of software by monitoring a memory with a cost-effective structure, a control method of the controller, and a program for a computer to execute. <P>SOLUTION: This controller includes a CPU 101, which controls an auxiliary steering motor 20 by executing a control program, and a RAM 103, which is used as a work area when the CPU 101 executes the control program having an access permission area, in which data writing is permitted, and an access inhibition area, in which the data writing is inhibited. The CPU 101 performs a memory-monitoring program 202 to monitor the data writing to the access inhibition area of the RAM 103. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a control device for a motor for a vehicle, a method for controlling a motor for a vehicle, and a program to be executed by a computer. More specifically, the software monitors the writing of data to an access-prohibited area of a memory. The present invention relates to a vehicular electric motor control device, a vehicular electric motor control method, and a program executed by a computer.

  Various electric motors are used in the vehicle. For example, in an electric power steering apparatus mounted on a vehicle, a steering assist motor (assist motor) that gives steering assist torque (assist torque) is used. The electric power steering apparatus applies a driving force of a steering assist motor to a steering shaft or a rack shaft by a transmission mechanism such as a gear or a belt via a speed reducer. Such a control device for the electric power steering apparatus performs feedback control of the motor current in order to accurately generate the steering assist torque. In feedback control, the motor applied voltage is adjusted so that the difference between the current command value and the detected motor current value is small. Generally, the adjustment of the motor applied voltage is a duty ratio of PWM (pulse width modulation) control. It is done by adjusting.

  The control device for the electric power steering includes a CPU (Central Processing Unit), a ROM that stores software for controlling the steering assist motor, and a RAM that is used as a work area when the CPU executes the software. At the time of software design, design / debug / verification is performed in a white box to prevent RAM memory protection violation, stack overflow, etc., assuming every operation, but an unexpected software error occurs In some cases, RAM overflow may occur. In addition, since software modules are becoming more black boxes recently, there may be cases where design, debugging, and verification cannot be performed sufficiently.

  For example, Patent Documents 1 and 2 propose techniques for preventing unauthorized access to a RAM in advance using hardware. The data protection device of Patent Document 1 generates a first selection signal in response to a processor that addresses an address space, a first memory, a bus that interconnects these processors and the memory, and a first range of addresses. A first address decoder, wherein the first memory is selected by the first selection signal, and has at least one address that is not the same as the first address range and is common to the first range. A second address decoder for generating a second selection signal in response to an address in a second address range, and a protection circuit operatively connected to the processor for receiving a request signal therefrom, The protection circuit notifies the occurrence of the second selection signal when there is no reception of the request signal.

  In addition, the memory control device of Patent Document 2 stores a single threshold address for identifying a write-restricted partition based on the magnitude relationship of the value of the address signal ADDR in the threshold register, and holds a part of the address signal and the threshold register. An address comparison unit for detecting the magnitude relationship of values to be performed, a device selection signal CS_0, and a mask control unit for masking a write control signal for the memory device based on the comparison result of the address comparison unit, and the value of the address signal ADDR and the threshold address When the address comparison unit detects that there is a predetermined magnitude relationship for which write restriction should be performed, write access to the memory device is invalidated.

JP-A-7-134678 Japanese Patent Laying-Open No. 2005-135036

  However, in Patent Documents 1 and 2 described above, since unauthorized access to the RAM is prevented using hardware, design changes such as changes in the memory area to be monitored and support for multiple memory areas are provided. This increases the number of steps involved in designing and manufacturing man-hours, which increases the cost. Therefore, there is a problem that a low cost configuration cannot be achieved.

  The present invention has been made in view of the above problems, and monitors a memory with a low-cost configuration to prevent a software runaway from occurring, and a control device for a vehicle motor. It is an object to provide a method and a program to be executed by a computer.

  In order to solve the above-described problems and achieve the object of the present invention, the present invention provides a control apparatus for a vehicle motor that controls a vehicle motor mounted on a vehicle, by executing a control program to A control means for controlling an electric motor; an access permission area that is used as a work area when the control means executes the control program; And the control means has memory monitoring means for monitoring the writing of data to the access prohibited area of the memory, and monitors unauthorized access of the control program. This makes it possible to detect whether software has been written to the memory access-prohibited area and detect software errors, and monitor the memory with a low-cost configuration to prevent software runaway. It becomes possible to do.

  Further, according to a preferred aspect of the present invention, the memory monitoring unit writes predetermined detection data in the access prohibited area in advance before the control program is executed, and during execution of the control program, or After the control program is executed, it is preferable to detect data writing in the access prohibited area by reading the data in the access prohibited area and comparing it with the predetermined detection data. As a result, it is possible to detect whether or not data has been written in the access prohibited area of the memory by a simple method.

  According to a preferred aspect of the present invention, it is desirable that the access permission area includes a stack area and a data area, and the access prohibition area is an area adjacent to the stack area and the data area. Thereby, it is possible to monitor the overflow of the stack area and the data area.

  Further, according to a preferred aspect of the present invention, it is desirable that the control means stops the vehicle electric motor when detecting the writing of data to the access prohibited area of the memory. This makes it possible to stop the vehicle motor before the software runs away.

  According to a preferred aspect of the present invention, when the control means detects writing of data into the access prohibited area of the memory, the control means stops execution of the control program and compares it with the control program. It is desirable to continue the control of the vehicle motor by executing a sub-control program with a low load. As a result, it is possible to prevent the software from running away and to continue the operation of the vehicle motor.

  Further, according to a preferred aspect of the present invention, further comprising a non-volatile memory, the control means detects the memory information necessary for the analysis when the writing of data to the access prohibited area of the memory is detected. It is desirable to store in non-volatile memory. As a result, it is possible to analyze the cause (data cause) of the data being written in the access prohibited area of the memory.

  According to a preferred aspect of the present invention, it is preferable that the control program includes a plurality of tasks having different priorities, and the memory is set with a plurality of access prohibited areas. Thereby, it becomes possible to detect the software error of each task.

  Further, according to a preferred aspect of the present invention, it is desirable that the memory monitoring unit performs monitoring of writing to the access prohibited area of the memory at a cycle shorter than a time constant of rising of the vehicle motor. As a result, it is possible to take measures such as stopping the motor without fail before the software runs away.

  According to a preferred aspect of the present invention, the vehicle electric motor is a steering assist motor of an electric power steering device that applies a steering assist force to a steering system of the vehicle, and the control means executes the control program. And calculating a current command value of the steering assist motor based on at least a steering torque generated in the steering system, and based on the detected current value of the steering assist motor and the current command value detected by a current detection circuit. Preferably, the steering assist motor is driven and controlled so that a current detection value of the steering assist motor follows the current command value. As a result, in the electric power steering apparatus, it is possible to monitor the memory with a low-cost configuration and prevent software runaway.

  According to a preferred aspect of the present invention, the vehicle electric motor is a steering assist motor of an electric power steering device that applies a steering assist force to a vehicle steering system, and the control program includes a motor current control system module, It is preferable that the motor current auxiliary control system module, the torque control system module, and the compensation control system module are included, and the sub-control program includes the motor current control system module, the torque control system module, and the compensation control system module. . Thus, even when a software error occurs in the first control program, it is possible to continue the assist of the steering assist motor by executing the sub-control program with a light load and no motor current assist control module.

  According to a preferred aspect of the present invention, the vehicle electric motor is a steering assist motor of an electric power steering device that applies a steering assist force to a steering system of the vehicle, and the control program controls the steering assist motor. It is desirable to include a first task for communication and a second task for communication with the outside. Thereby, the software error of each task can be detected in the control device of the electric power steering device.

  In order to solve the above-described problems and achieve the object of the present invention, the present invention provides a vehicle motor control method for controlling a vehicle motor mounted on a vehicle. A control step of controlling the vehicle electric motor by executing a control program using a memory having an access-permitted area and an access-prohibited area where data writing is prohibited as a work area, and the control means A monitoring step of executing a memory monitoring program to monitor writing of data to the access prohibited area and monitoring unauthorized access of the control program.

  In order to solve the above-described problems and achieve the object of the present invention, the present invention provides a computer program that stores data in a program mounted on a vehicle motor control device that controls a vehicle motor mounted on a vehicle. A control process for controlling the motor for a vehicle using a memory having an access-permitted area where data writing is permitted and an access-prohibited area where data writing is prohibited as a work area, and access to the access-prohibited area And monitoring the data writing to monitor unauthorized access of software.

  According to the present invention, in a control apparatus for a vehicle motor that controls a vehicle motor mounted on a vehicle, a control unit that executes a control program to control the vehicle motor, and the control unit executes the control program. A memory having an access-permitted area where data writing is permitted and an access-prohibited area where data writing is prohibited; Since it has memory monitoring means to monitor the writing of data to the access prohibited area and monitors the unauthorized access of the control program, it detects by software whether data has been written to the access prohibited area of the memory. Can detect software errors, monitor memory with low-cost configuration, and software Providing a motor control apparatus for a vehicle capable of preventing a runaway in advance an effect that it is possible.

  Hereinafter, the present invention will be described in detail with reference to the drawings. Note that the present invention is not limited to the embodiments. In addition, constituent elements in the following embodiments include those that can be easily assumed by those skilled in the art or those that are substantially the same. In the following embodiments, a control device for controlling a steering assist motor of an electric power steering device that applies a steering assist force to a steering system of the vehicle will be described as an example of a vehicle electric motor mounted on the vehicle.

  FIG. 1 is a diagram illustrating a general configuration of an electric power steering apparatus. In FIG. 1, a column shaft 2 of a steering handle 1 is connected to a tie rod 6 of a steering wheel via a reduction gear 3, universal joints 4a and 4b, and a pinion rack mechanism 5. The column shaft 2 is provided with a torque sensor 10 that detects the steering torque T of the steering handle 1, and a steering assist motor 20 that assists the steering force of the steering handle 1 is connected to the column shaft via the reduction gear 3. 2 is connected. Here, the steering assist motor 20 is, for example, a brushless motor or a brush motor. The control unit 30 that controls the electric power steering device is supplied with electric power from the battery 14 via the built-in power supply relay 13 and is supplied with an ignition signal from the ignition key 11. Further, the control unit 30 calculates a current command value for the steering assist motor 20 based on the steering torque T detected by the torque sensor 10 and the vehicle speed V detected by the vehicle speed sensor 12, and the current of the steering assist motor 20 is calculated. Based on the detected value and the current command value, the steering assist motor 20 is drive-controlled so that the current detected value of the steering assist motor 20 follows the current command value.

  FIG. 2 is a diagram showing a hardware configuration of the control unit 30 of FIG. FIG. 3 is a diagram showing a memory configuration example of the ROM and RAM of the main MCU of FIG. As shown in FIG. 2, the control unit 30 includes a main MCU (micro control unit) 100, a sub MCU (micro control unit) 110, a WDT (watch dock timer) 130, an FET pre-driver circuit 140, and a motor drive. A circuit (inverter) 150, a current detection circuit 160, a position detection circuit 170, and the like are provided.

  The main MCU 100 includes a CPU 101 (control means), a ROM 102, a RAM (memory) 103, an EEPROM 104, an A / D converter 105, an interface 106, a bus 107, and the like. The CPU 101 executes various programs stored in the ROM 102 and controls the electric power steering apparatus.

  The ROM 102 stores various programs executed by the CPU 101. Specifically, as shown in FIG. 3, the ROM 102 stores data in a control program 201 for executing a motor control process (steering assist process) for controlling the steering assist motor 20 and an access prohibited area of the RAM 103. A memory monitoring program 202 for executing a memory monitoring process for monitoring whether or not there is, a safe operation transition program 203 for executing a safe operation transition process for shifting to a safe operation, and the like are stored. The RAM 103 is used as a work area when the CPU 101 executes a program, and stores data necessary for processing, processing results, return addresses in subroutines and interrupt processing, etc., and writing of data is permitted. And an access prohibited area where data writing is prohibited. In the above configuration, when the CPU 101 executes the memory monitoring program 202, it functions as a memory monitoring unit.

  The EEPROM 104 is a memory that can retain the stored contents even after the power is shut off. As will be described later, when data writing to the access prohibited area of the RAM 103 is detected, memory information or the like necessary for analysis is written. . The A / D converter 105 inputs the steering torque T from the torque sensor 10, the current detection value Im of the steering assist motor 20 from the current detection circuit 160, the motor rotation angle signal θ from the position detection circuit 170, and the like. Convert to digital signal. The interface 106 is for receiving the vehicle speed V (vehicle speed pulse) from the vehicle speed sensor 12 by CAN communication.

  The FET pre-driver circuit 140 converts the PWM control signal for each phase of UVW input from the main MCU 100 into positive and negative energization signals (Up, Un, Vp, Vn, Wp, Wn) for each phase, and the motor drive circuit 150. Output to.

  The motor drive circuit 150 includes a bridge circuit composed of a pair of FET switching elements for three phases for the U phase, the V phase, and the W phase, and a reflux diode is connected in parallel to each FET switching element. A DC voltage is applied to the bridge circuit from the battery 14 via the power relay 13. An energization signal is input from the FET pre-driver circuit 140 to the control terminal (gate terminal) of each FET switching element. The DC voltage applied to the motor drive circuit 150 is converted into a three-phase AC voltage by the switching operation of the FET switching element in the motor drive circuit 150, thereby driving the steering assist motor 20. Shunt resistors R1 and R2 are connected to this bridge circuit. A current detection circuit 160 is connected to the shunt resistors R1 and R2, and the current detection value Im of the steering assist motor 20 is thereby detected.

  The position detection circuit 170 supplies an excitation current to the position sensor 21 and outputs an output signal from the position sensor 21 to the A / D converter 105 as a motor rotation angle signal θ.

  The WDT 130 is for detecting a hardware error of the CPU 101 of the main MCU 100. There are various types of hardware errors in the CPU 101, such as runaway due to electromagnetic noise and garbled register data. Each of the CPU 101 and the WDT 130 includes a timer counter. The WDT 130 generates a reset signal when the clear pulse output from the CPU 101 stops for a certain time (for example, 40 msec) or more, resets the CPU 101, and outputs a motor stop signal to the FET pre-driver circuit 140. The operation of the FET pre-driver circuit 140 is stopped, and the steering assist motor 20 is stopped.

  The sub MCU 110 includes a CPU 111, a ROM 112, a RAM 113, a D / A converter 115, an A / D converter 116, and the like. The sub MCU 110 does not execute arithmetic processing for motor control, but monitors the operation (hardware error) with the main MCU 100 through serial communication.

  For example, the abnormality of the A / D converter 105 of the main MCU 100 is detected by the following method. The A / D converter 105 of the main MCU 100 has 8 ports AD1 to AD8. For example, when an abnormality is diagnosed, AD8 is used, and the seven ports AD1 to AD7 are not used for abnormality diagnosis, and the ports AD1 to AD8 are used. AD7 is used for original motor control processing.

  The A / D converter 116 of the sub MCU 110 has 8 ports AD1 to AD8. For example, AD8 is used and 7 ports AD1 to AD7 are not used at the time of abnormality diagnosis. First, the sub MCU 110 converts a predetermined digital value into an analog value by the D / A converter 115 and outputs the analog value. The output analog value is input to the port AD8 of the A / D converter 105 of the main MCU 100, converted into a digital value again, and transmitted as a return value 1 to the sub MCU 110 by serial communication. Further, the output analog value is input to the port AD8 of the A / D converter 116 of the sub MCU 110, converted again to a digital value, and returned as a return value 2. The sub MCU 110 calculates an error ΔX1 between the received return value 1 and a predetermined digital value. If the error ΔX1 is less than or equal to the allowable value ΔXK, the A / D converter 105 and the D / A converter 115 is determined to be normal. On the other hand, when the error ΔX1 is larger than the allowable value ΔXK, the sub MCU 110 calculates an error ΔX2 between the return value 2 and the predetermined digital value, and when the error ΔX2 is equal to or smaller than the allowable value ΔXK, D It is determined that the / A converter 115 is normal and the A / D converter 105 is abnormal. Since the A / D converter 105 is an important element for controlling the steering assist motor 20, the steering assist motor 20 is stopped in this case.

  In the control unit 30 configured as described above, the sub MCU 110 and the WDT 130 monitor the hardware error of the main MCU 100. Further, the CPU 101 of the main MCU 100 monitors the software error by executing the memory monitoring program 202. As described above, the hardware error and the software error can be separated by detecting the hardware error and the software error separately. Although not shown, a detection circuit for detecting a hardware error such as garbled RAM (01 inversion) of the RAM 103 may be provided inside or outside the main MCU 100.

  Next, with reference to FIGS. 3 to 7, a method in which the CPU 101 executes the memory monitoring program 202 to detect a software error will be specifically described. In this embodiment, the CPU 101 executes the memory monitoring program 202 to monitor the writing of data to the access prohibited area of the RAM 103 and monitor the unauthorized access of the control program 201, thereby detecting the software error of the control program 201. is doing. In the following description, processing performed by the CPU 101 by executing a program will be described with the program as an operation subject.

  In FIG. 3, the RAM 103 has a data area (memory area) 301 and a stack area 302 that are used when the control program 201 is executed. The data area 301 and the stack area 302 are referred to as an access permission area.

  As described above, at the time of software design, design / debugging / verification is performed in a white box so as not to cause a memory protection violation of RAM 103, stack overflow, etc. An error may occur. In addition, since software modules are becoming more black boxes recently, there may be cases where design, debugging, and verification cannot be performed sufficiently.

  The data area 301 is used in the direction of the arrow, and data is written from the upper address side to the lower address side. An access prohibition area 401 is set adjacently below the data area 301. When a software error occurs and the data area 301 overflows, data is written to the access prohibited area 401.

  The stack area 302 is used in the direction of the arrow, and data is written from the upper address side to the lower address side. An access prohibition area 402 is set close to the lower side of the stack area 302. When a software error occurs and the stack area 302 overflows, data is written to the access prohibited area 402.

  The memory monitoring program 202 writes initial value = 0x01010101 in the access prohibited area 401 and initial value = 0x0202022 in the access prohibited area 402 as detection data before the control program 201 after power-on is executed. The memory monitoring program 202 executes a memory monitoring process during execution of the control program 201 or after execution of the control program 201, reads the data in the access prohibited areas 401 and 402, and compares them with the detection data (0x01010101, 0x02020202). Thus, it is detected whether or not data is written in the access prohibited areas 401 and 402.

  FIG. 4 is a diagram for explaining execution timings of the control program 201 and the memory monitoring program 202. In FIG. 4, T represents a motor current control cycle (for example, 125 μsec). The memory monitoring process by the memory monitoring program 202 is executed during the idle time of the CPU 101. In the example shown in the figure, the memory monitoring process is executed at the idle time after the motor control process is executed by the control program 201 in a predetermined cycle. In addition, the execution period of the memory monitoring process is smaller than the time constant of the startup of the steering assist motor 20.

  FIG. 5 is a flowchart for explaining the memory monitoring process and the safe operation transition process. In FIG. 5, when the memory monitoring process by the memory monitoring program 202 is executed (step S1), the data in the access prohibited areas 401 and 402 of the RAM 103 is read (step S2), and whether the read data matches the detection data. It is determined whether or not (step S3). If the read data matches the detection data (“Yes” in step S3), it is determined that the software is operating normally, and motor control processing is executed (step S4). On the other hand, if the read data and the detection data do not match (“No” in step S3), it is determined that the access is an unauthorized access by the control program 201 and a software error is detected, and the safe operation transition program 203 is executed (step S3). S5). The safe operation transition program 203 stores memory information (for example, data written in the registers of the CPU 101 and the access prohibition areas 401 and 402 of the RAM 103) necessary for the analysis in the EEPROM 104 (step S6), and then the steering assist motor. 20 is stopped (step S7). As described above, when it is detected that data is written in the access prohibited area of the RAM 103, the steering assist motor 20 is immediately stopped. Therefore, before the control program 201 runs away, the steering assist motor 20 is turned off. It can be stopped.

  Here, the memory information necessary for the analysis is stored in the EEPROM 104 and then the steering assist motor 20 is stopped. However, after the steering assist motor 20 is stopped, the memory information necessary for the analysis is stored in the EEPROM 104. It may be stored. Further, the memory information necessary for the analysis is not limited to the data written in the registers of the CPU 101 and the access prohibited areas 401 and 402 of the RAM 103, but the cause of the data being written in the access prohibited areas of the RAM 103 (software error Any data may be used as long as it is necessary for analyzing the cause).

  6 and 7 are diagrams illustrating another configuration example of the RAM 103. FIG. The area setting of the RAM 103 is not limited to the example shown in FIG. 3, and may be configured as shown in FIGS. 6 and 7, for example. In FIG. 6, the data area 311 and the stack area 312 are set adjacently, the access prohibited area 411 is set above the data area 311, and the access prohibited area 412 is set adjacently below the stack area 312. ing. The data area 311 is used in the direction of the arrow, and data is written from the lower address side to the upper address side. The stack area 312 is used in the direction of the arrow, and data is written from the upper address side to the lower address side.

  In FIG. 7, an access prohibition area 421 is set between the data area 321 and the stack area 322. The data area 321 is used in the direction of the arrow, and data is written from the upper address side to the lower address side. The stack area 322 is used in the direction of the arrow, and data is written from the lower address side to the upper address side. Thus, by setting the access prohibited area 421, it is possible to detect an overflow of the data area 321 and the stack area 322 in one access prohibited area, and to reduce the memory capacity of the RAM 103.

  FIG. 8 is a diagram illustrating functions realized by the CPU 101 executing the control program 201 (functional configuration of the control program 201).

  As shown in FIG. 8, the control program 201 performs a torque control system module (for example, the operation cycle is 1 msec) 500 that calculates a steering assist torque command value based on the steering torque T and the vehicle speed V, and performs various torque compensations. Compensation control system module (for example, operation cycle is 2 msec) 510, motor current control system module 520 for performing FB (feedback) control of motor current (for example, operation cycle is 125 μsec), motor current FF of steering assist motor 20 A motor current auxiliary control system module 530 (for example, the operation cycle is 125 μsec) that performs (feed forward) control is provided. Next, an outline of the operation will be described.

  First, the steering torque T detected by the torque sensor 10 and the vehicle speed V detected by the vehicle speed sensor 12 are input to the assist map 501, and a steering assist command value is calculated. Furthermore, a compensation value calculated by the compensation control system module 510, for example, a compensation value such as convergence / inertia / SAT calculated by the convergence calculation unit 511, inertia calculation unit 512, and SAT calculation unit 513 is added to the addition unit. In 502, the torque command value Tref is determined by adding to the steering assist command value. The torque command value Tref is phase-compensated by the phase compensator 503 and then input to the current command value calculator 540. Based on the torque command value Tref, the current command value calculation unit 540 determines the current command value Iref. In the brushless motor, in addition to the torque command value Tref, the rotor angle of the rotor is also input to the current command value calculation unit 540 to determine the current command value Iref.

  On the other hand, the motor current of the steering assist motor 20 is detected by the current detection circuit 160 as the current detection value Im, and is input to the subtraction unit 521 together with the current command value Iref. The subtraction unit 521 calculates the deviation ΔI = Iref−Im and inputs it to the PI (proportional integration) control unit 522. A PI (proportional integration) control unit 522 outputs a voltage control value Vref as a proportional integration output of the deviation ΔI. The current command value Iref is input to the auxiliary value calculation unit 531. The auxiliary value calculated by the auxiliary value calculation unit 531, for example, the auxiliary value calculated by the Dead Time calculation unit 532, the EMF (back electromotive force) calculation unit 533, and the field weakening control calculation unit 534 is voltage-controlled by the addition unit 535. It is added to the value Vref. The output of the adder 535 is input to the PWM controller 550 and subjected to PWM processing, and the PWM control signal for each UVW phase is output to the FET predriver circuit 140, via the FET predriver circuit 140 and the motor drive circuit 150. The steering assist motor 20 is driven.

  According to the first embodiment, the CPU 101 that executes the control program 201 to control the steering assist motor 20, and is used as a work area when the CPU 101 executes the control program 201, and includes an access permission area and an access prohibition area. Since the CPU 101 executes the memory monitoring program 202 and monitors the writing of data to the access prohibited area of the RAM 103 to monitor the unauthorized access of the control program 201, the CPU 103 accesses the RAM 103. It is possible to detect whether or not data has been written to the prohibited area by software, and to detect a software error. By monitoring the RAM 103 with a low-cost configuration, it is possible to prevent software runaway. .

  Further, according to the first embodiment, the CPU 101 executes the memory monitoring program 202, reads the data in the access prohibited area of the RAM 103, and compares it with the detection data to determine whether there is a write in the access prohibited area. Therefore, it is possible to detect whether data has been written in the access prohibited area of the RAM 103 by a simple method.

  Further, according to the first embodiment, the access permitted area includes the stack area and the data area, and the access prohibited area is set to an area adjacent to the stack area and the data area. Can be monitored.

  Further, according to the first embodiment, when the CPU 101 detects writing of data in the access prohibited area of the RAM 103, the CPU 101 executes the safe operation transition program 203 to stop the steering assist motor 20. The steering assist motor 20 can be stopped before the software runs away.

  Further, according to the first embodiment, when the CPU 101 detects writing of data in the access prohibited area of the RAM 103, the CPU 101 executes the safe operation transition program 203 and stores memory information necessary for analysis in the EEPROM 104. As a result, it is possible to analyze the cause (data cause of software error) of the data being written in the access prohibited area of the RAM 103.

  Further, according to the first embodiment, the CPU 101 executes the monitoring of the writing to the access prohibited area of the RAM 103 by the memory monitoring program 202 at a cycle shorter than the time constant of the startup of the steering assist motor 20. It is possible to take measures such as reliably stopping the steering assist motor 20 before the software runs away.

  In addition, according to the first embodiment, since the hardware error of the CPU 101 and the RAM 103 is detected by the sub MPU 110 and the WDT 130, it is possible to detect the software error without any hardware error.

  In the first embodiment, when the memory monitoring program 202 detects writing to the access prohibited area of the RAM 103, the safe operation transition program 203 is executed to stop the steering assist motor 20. In contrast, in the second embodiment, when the memory monitoring program 202 detects writing in the access prohibited area of the RAM 103, the sub-control program 204 having a smaller load than the control program 201 is executed to This is a configuration for continuing control.

  FIG. 9 is a diagram illustrating a configuration example of a ROM and a RAM according to the second embodiment. 9, parts having the same functions as those in FIG. 3 are denoted by the same reference numerals, description thereof is omitted, and only different points will be described. In the figure, the ROM 102 further stores a sub control program 204 having a smaller load than the control program 201.

  FIG. 10 is a flowchart for explaining the memory monitoring process and the safe operation transition process according to the second embodiment. In FIG. 10, the same step numbers are assigned to the steps for performing the same processing as in FIG.

  In FIG. 10, first, when the memory monitoring process by the memory monitoring program 202 is executed (step S1), the data in the access prohibited areas 401 and 402 of the RAM 103 are read (step S2), and the read data matches the detection data. It is determined whether or not to perform (step S3). If the read data matches the detection data (“Yes” in step S3), it is determined that the software is operating normally, and motor control processing is executed (step S4). On the other hand, if the read data does not match the detection data (“No” in step S3), it is determined that the access is an unauthorized access by the control program 201 and a software error has occurred, and the safe operation transition program 203 is executed (step S5). ), Memory information necessary for analysis (for example, data written in the registers of the CPU 101 and the access prohibited areas 401 and 402 of the RAM 103) is stored in the EEPROM 104 (step S6). Thereafter, the sub control program 204 is executed to continue the control of the steering assist motor 20 (step S10).

  FIG. 11 is a diagram illustrating a function (functional configuration of the sub control program 204) realized by the CPU 101 executing the sub control program 204. In FIG. 11, parts having the same functions as those in FIG. A sub control program 204 shown in FIG. 11 is obtained by reducing the load by removing the motor current auxiliary control system module 530 from the control program 201 shown in FIG.

  According to the second embodiment, when the memory monitoring process by the memory monitoring program 202 detects the writing of data to the access prohibited areas 401 and 402 of the RAM 103, the CPU 101 stops the execution of the control program 201, Since the sub-control program 204 having a smaller load than the control program 201 is executed and the control of the steering assist motor 20 is continued, the software runaway can be prevented and the steering assist motor 20 is controlled. Control can be continued.

  In the third embodiment, a multitask configuration is made using a real-time OS that is a multitasking OS. Recently, it has become necessary to process a large number of tasks (processes, jobs) as the control of motors for vehicles has become more complex, and it has become necessary to set detailed priorities for these numerous tasks. It is coming. Thus, in the third embodiment, a case where a multitask configuration is configured using a real-time OS that is a multitask OS will be described.

  FIG. 12 is a diagram illustrating a configuration example of a ROM and a RAM according to the third embodiment. 12, parts having the same functions as those in FIG. 3 are denoted by the same reference numerals, description thereof is omitted, and only different points will be described. In FIG. 1, a ROM 102 stores a real-time OS 205 and tasks 1 to 3 for performing task time management and the like. The real-time OS 205 performs temporal management of the execution of tasks 1 to 3 in accordance with the priorities of tasks 1 to 3.

  Here, the real-time OS 205 and tasks 1 to 3 are referred to as a control program 210. Tasks 1 to 3 have different priorities, task 1 is set to “high” priority, task 2 is set to “medium”, and task 3 is set to “low”. For example, task 1 is a task for executing a motor control process for controlling the steering assist motor 20, task 2 is a task for communication such as CAN communication with the outside, and task 3 is fail-safe. This is a task for performing (F / S) processing. Tasks 1 to 3 shown here are examples, and the present invention is not limited to this, and there are other tasks in the electric power steering apparatus.

  Further, in the RAM 103, a task 1 area 331 (data area 331a and stack area 331b) for executing task 1, a task 2 area 332 (data area 332a and stack area 332b) for executing task 2, A task 3 area 333 (data area 333a and stack area 333b) for executing task 3 is secured by initial setting. Here, the access permission area is set for each task, but one access permission area may be set for a plurality of tasks.

  Each data area 331a, 332a, 333a and each stack area 331b, 332b, 333b are used in the direction of the arrow. Access prohibition areas 431, 432, 433, and 434 are set between the task areas 331, 332, and 333, respectively. The setting example of the access permission area and the access prohibition area is not limited to the example shown in FIG. 12, and the configuration shown in FIGS. 6 and 7 may be used for each task.

  The memory monitoring program 202 sets, as detection data, an initial value = 0x01010101 in the access prohibited area 431, an initial value = 0x0202022 in the access prohibited area 432, and an access prohibited area as detection data before the control program 210 after power is turned on. The initial value = 0x03030303 is written in 433, and the initial value = 0x040040404 is written in the access prohibited area 434, respectively. The memory monitoring program 202 executes a memory monitoring process during execution of the control program 210 or after execution of the control program 210, reads data in the access prohibited areas 431, 432, 433, and 434, and detects data (0x01010101, 0x02020202). , 0x03030303, 0x040040404), it is detected whether or not there is a write in the access prohibited areas 431, 432, 433, 434.

  FIG. 13 is a diagram illustrating an example of a timing chart of tasks 1 to 3 and memory monitoring processing. In the figure, T1 indicates a normal time, T2 indicates a disturbance occurrence, and T indicates a motor current control cycle. The memory monitoring process is executed while tasks 1 to 3 are not executed, and the cycle thereof is shorter than the time constant of the startup of the steering assist motor 20.

  During the period of T1, there is no disturbance factor, and normal processing is performed without being affected by other task processing. The period of T2 shows a case where a disturbance element has occurred, and another task processing interrupt occurs, and the use area of the RAM 103 tends to increase. For example, when a disturbance element occurs at time t1, and processing of task 2 having a priority “medium” is requested during processing of task 3, queue processing occurs in task 3, and processing is temporarily performed. The interrupted information is stored in the stack area 333 b of the task 3 area 333 of the RAM 103. Next, at time t2, during the processing of task 2, when the processing of task 1 having a high processing priority is requested, a queue is generated in task 2, and the processing is temporarily interrupted. The stored information is stored in the stack area 332 b of the task 2 area 332 of the RAM 103. Thereafter, the suspended task 2 and task 3 processes are executed. In this case, compared with the case where there is no disturbance element, the temporary memory usage increases, and the possibility of overflow of the RAM 103 increases.

  The execution period of the memory monitoring process is not limited to the case shown in FIG. 13. For example, it may be executed after the execution of task 1, and is smaller than the time constant of the startup of the steering assist motor 20. Any period may be used as long as it is a period.

  FIG. 14 is a flowchart for explaining the memory monitoring process and the safe operation transition process according to the third embodiment. In FIG. 14, steps that perform the same processing as in FIG. 5 are given the same step numbers.

  In FIG. 14, first, when a memory monitoring process by the memory monitoring program 202 is executed (step S1), data in the access prohibited areas 431, 432, 433, and 434 of the RAM 103 is read (step S2), and the read data and detection are detected. It is determined whether the business data matches (step S3). If the read data matches the detection data (“Yes” in step S3), it is determined that the software is operating normally, and tasks 1 to 3 are executed (step S20). On the other hand, if the read data and the detection data do not match (“No” in step S3), it is determined that the control program 210 is an unauthorized access and a software error is detected, and the safe operation transition program 203 is executed (step S3). S5). The safe operation transition program 203 stores memory information necessary for analysis (for example, data written in the registers of the CPU 101 and the access prohibited areas 431, 432, 433, and 434 of the RAM 103) in the EEPROM 104 (step S6). Then, the steering assist motor 20 is stopped (step S7).

  Here, the steering assist motor 20 is stopped when the memory monitoring program 202 detects writing to the access prohibited areas 431, 432, 433, and 434 of the RAM 103, but as in the second embodiment. For each task 1 to 3, when a task with a lighter load is stored in the ROM 102 and writing to the access prohibited areas 431, 432, 433, and 434 is detected, the task with a lighter load is executed. May be.

  According to the third embodiment, the control program 210 includes a plurality of tasks having different priorities, and the RAM 103 is provided with task areas 331, 332, and 333 for a plurality of tasks, and each task area 331 is provided. , 332, 333 are set as access prohibition areas 431, 432, 433, 434, and the CPU 101 executes the memory monitoring program 202, and the access prohibition areas between the task areas 331, 332, 333 of the RAM 103 are set. Since 431, 432, 433, and 434 are monitored, it becomes possible to detect a software error of each task.

  In the first to third embodiments, the control device for controlling the steering assist motor of the electric power steering device is described as an example of the vehicle motor. However, the present invention is not limited to this, and other vehicle motors are used. For example, it can be widely applied to electric motors for hybrid vehicles.

  The vehicle motor control device, the vehicle motor control method, and the program executed by the computer according to the present invention can be applied to various vehicle motors mounted on the vehicle, and in particular, the electric power steering device. This is useful when controlling the steering assist motor.

It is a figure which shows the general structure of an electric power steering apparatus. It is a figure which shows the hardware constitutions of the control unit of FIG. It is a figure which shows the memory structural example of ROM and RAM of main MCU. It is a figure for demonstrating the execution timing of a control program and a memory monitoring program. It is a flowchart for demonstrating a memory monitoring process and a safe operation | movement transfer process. It is a figure which shows the other structural example (the 1) of RAM. It is a figure which shows the other structural example (the 2) of RAM. It is a figure which shows the function (functional structure of a control program) implement | achieved when CPU runs a control program. 6 is a diagram illustrating a configuration example of a ROM and a RAM according to Embodiment 2. FIG. 12 is a flowchart for explaining a memory monitoring process and a safe operation transition process according to the second embodiment. It is a figure which shows the function (functional structure of a sub control program) implement | achieved when CPU executes a sub control program. FIG. 10 is a diagram illustrating a configuration example of a ROM and a RAM according to a third embodiment. It is a figure which shows an example of the timing chart of tasks 1-3 and a memory monitoring process. 12 is a flowchart for explaining a memory monitoring process and a safe operation transition process according to the third embodiment.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Steering handle 2 Column shaft 3 Reduction gear 4a, 4b Universal joint 5 Pinion rack mechanism 6 Tie rod 10 Torque sensor 12 Vehicle speed sensor 14 Battery 20 Steering auxiliary motor 30 Control unit 100 Main MCU (micro control unit)
101 CPU (control means)
102 ROM
103 RAM
104 EEPROM
105 A / D converter 106 Interface 107 Bus 110 Sub-MCU (micro control unit)
111 CPU
112 ROM
113 RAM
115 D / A converter 116 A / D converter 130 WDT (watchdog timer)
140 FET pre-driver circuit 150 Motor drive circuit (inverter)
160 Current detection circuit 170 Position detection circuit 201, 210 Control program 202 Memory monitoring program 203 Safe operation transition program 204 Sub control program 301, 311, 321 Data area 302, 312, 322 Stack area 401, 402, 411, 412 421, 431 , 432, 433, 434 Access prohibited area 331 Task 1 area 332 Task 2 area 333 Task 3 area 500 Torque control module 510 Compensation control module 520 Motor current control module 530 Motor current auxiliary control module

Claims (13)

In a control device for a vehicle motor that controls a vehicle motor mounted on a vehicle,
Control means for controlling the vehicle electric motor by executing a control program;
A memory having an access-permitted area where writing of data is permitted and an access-prohibiting area where writing of data is prohibited; used as a work area when the control means executes the control program;
With
The control device for a motor for a vehicle according to claim 1, wherein the control means includes memory monitoring means for monitoring writing of data to the access prohibited area of the memory, and monitors unauthorized access of the control program.   The memory monitoring unit writes predetermined detection data in an access prohibited area in advance before the control program is executed, and prohibits the access during the execution of the control program or after the control program is executed. The vehicle motor control device according to claim 1, wherein data writing in the access prohibited area is detected by reading data in the area and comparing the data with the predetermined detection data.   The electric motor for a vehicle according to claim 1, wherein the access permission area includes a stack area and a data area, and the access prohibition area is an area adjacent to the stack area and the data area. Control device.   The said control means stops the said motor for vehicles, when the writing of the data to the access prohibition area | region of the said memory is detected, The electric motor for vehicles as described in any one of Claim 1 thru | or 3 characterized by the above-mentioned. Control device for motor for vehicle.   When the control unit detects writing of data to the access prohibited area of the memory, the control unit stops execution of the control program and executes a sub-control program having a smaller load than the control program. The control device for a vehicle motor according to any one of claims 1 to 3, wherein the control of the vehicle motor is continued. In addition, it has a non-volatile memory,
6. The control unit according to claim 1, wherein the control unit stores memory information necessary for analysis in the nonvolatile memory when detecting writing of data to the access prohibited area of the memory. The control apparatus of the motor for vehicles as described in any one. The control program includes a plurality of tasks having different priorities,
The vehicle electric motor control apparatus according to claim 1, wherein a plurality of access prohibition areas are set in the memory.   8. The memory monitoring unit according to claim 1, wherein the memory monitoring unit performs monitoring of writing to the access prohibited area of the memory at a cycle shorter than a time constant of rising of the vehicle motor. The control apparatus of the motor for vehicles as described in one. The vehicle motor is a steering assist motor of an electric power steering device that applies a steering assist force to a steering system of the vehicle,
The control means executes the control program, calculates a current command value of the steering assist motor based on at least a steering torque generated in the steering system, and detects the current of the steering assist motor detected by a current detection circuit. 9. The driving assist motor is controlled based on the detected value and the current command value so that the detected current value of the steering assist motor follows the current command value. The control apparatus of the motor for vehicles as described in any one of these. The vehicle motor is a steering assist motor of an electric power steering device that applies a steering assist force to a steering system of the vehicle,
The control program includes a motor current control system module, a motor current auxiliary control system module, a torque control system module, and a compensation control system module,
6. The vehicle motor control apparatus according to claim 5, wherein the sub control program includes the motor current control system module, the torque control system module, and the compensation control system module. The vehicle motor is a steering assist motor of an electric power steering device that applies a steering assist force to a steering system of the vehicle,
The said control program contains the 1st task for controlling the said steering assist motor, and the 2nd task for communicating with the exterior, The control apparatus of the motor for vehicles of Claim 7 characterized by the above-mentioned. . In a vehicle motor control method for controlling a vehicle motor mounted on a vehicle,
The control means executes a control program using a memory having an access-permitted area where data writing is permitted and an access-banned area where data writing is prohibited as a work area, and controls the vehicle motor A control process,
A monitoring step in which the control means executes a memory monitoring program, monitors writing of data to the access prohibited area, and monitors unauthorized access of the control program;
A control method for an electric motor for a vehicle, comprising: In a program installed in a control device for a vehicle motor that controls a vehicle motor mounted on the vehicle,
On the computer,
A control step of controlling the electric motor for the vehicle, using a memory having an access permission area where data writing is permitted and an access prohibition area where data writing is prohibited as a work area;
A monitoring step of monitoring writing of data to the access prohibited area and monitoring unauthorized access of software;
A program to be executed by a computer, characterized in that

Images