JP2009199515A - Vehicle control device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a vehicle control device for identifying the cause and performing self-diagnosis when the storage contents of a nonvolatile memory are damaged or lost. <P>SOLUTION: The vehicle control device is installed in a vehicle and comprises: a nonvolatile memory, a control means for performing data transmission/reception to/from the nonvolatile memory, and a nonvolatile memory access means for mediating data transmission/reception between the nonvolatile memory. The control device is provided with a nonvolatile memory access monitoring means for monitoring access to the nonvolatile memory, and, when an error occurs in data writing to the nonvolatile memory by transmission/reception between the control means and the nonvolatile memory, detects and stores in the nonvolatile memory the cause of the error through the nonvolatile memory access means and the nonvolatile memory access monitoring means. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a vehicle control device, and more particularly to a vehicle control device that self-diagnose an abnormality in a nonvolatile memory.

  In recent years, in vehicle control devices, as performance demands required for automobiles such as environmental friendliness and safety performance increase, storage of data such as variations in parts of automobile systems, learning control of deterioration over time, and diagnostic information complying with laws and regulations Is to be done. The vehicle control device includes an electrically rewritable nonvolatile semiconductor memory (flash memory, EEPROM, etc.), and stores the data in the semiconductor memory.

  By the way, if the stored contents of the semiconductor memory are damaged or lost for some reason, there is a possibility that the intended operation in the automobile system may not be performed. In other words, the content that has been learned as component variations and aging deterioration may be damaged or lost, and a system that has been appropriately controlled until then may become uncontrollable or may malfunction.

  Therefore, in a vehicle control device equipped with a non-volatile semiconductor memory, a self-diagnosis is detected to detect that the content stored in the non-volatile semiconductor memory is abnormal. Generally, it is controlled to operate.

  As a vehicle control device that performs a self-diagnosis of a nonvolatile memory, for example, there is a vehicle control device that includes an error detection mechanism such as a parity check and a return means (see, for example, Patent Document 1). Further, there is a semiconductor memory having a mechanism for dividing a storage area of a semiconductor memory into a plurality of areas and regarding a predetermined number of areas as normal when storing the same value and recovering other areas (for example, Patent Documents). 2).

JP 2001-73864 A JP 2006-286111 A

  There are several possible causes for the loss or loss of the stored contents of the nonvolatile semiconductor memory. One is a case where data on the semiconductor memory is actually damaged. Reasons for the actual damage to the data include failure of the wafer and assembly inside the semiconductor device, and damage to memory information due to alpha rays emitted from radiation elements contained in trace amounts in the semiconductor. is there. In either case, the stored contents of the semiconductor memory are damaged or lost due to a failure on the semiconductor device side.

  The second cause of the damage and loss of the stored contents of the semiconductor memory is when data is damaged in communication for transmitting and receiving data between the CPU (control means) of the vehicle control device and the semiconductor memory. Even if both the semiconductor memory and the control means are operating normally, if an error occurs in the communication between the semiconductor memory and the control means and no error correction mechanism is provided, the erroneous data is Since it is stored in the memory, as a result, the storage content of the semiconductor memory is equivalent to being damaged.

  As a third cause of the damage or loss of the stored contents of the semiconductor memory, there may be an abnormal operation of software that operates on the control means and controls data transmission / reception with the semiconductor memory. This is a case where unexpected data is stored in the semiconductor memory as a result of the software causing an abnormal operation for some reason, and as a result of the control means writing data other than data writing to the expected address.

  As described above, there are several factors that can cause the stored contents of the nonvolatile semiconductor memory to be damaged or lost. However, in a conventional vehicle control device that detects an abnormality in a nonvolatile semiconductor memory, it is impossible to identify any cause of data damage or loss. In other words, even if there is a cause in the semiconductor memory (semiconductor device), the software running on the control device, or the communication between the semiconductor memory and the control means, the memory abnormality on the semiconductor memory is detected by the self-diagnosis. Therefore, it was impossible to detect the abnormality by distinguishing what the direct cause was.

  Therefore, even if the vehicle control device malfunctions due to abnormal storage on the semiconductor memory, the direct cause is not known, and therefore very difficult countermeasures are required. Even if the vehicle control device is replaced and the semiconductor device or the control device (hardware) is replaced, if the cause is in the software operating on the control means, it does not suppress the recurrence of the defect.

  In order to solve the above problems, the object of the present invention is to perform self-diagnosis by identifying the cause when the stored contents of a nonvolatile semiconductor memory are damaged or lost, or when illegal data is stored in the semiconductor memory. An object of the present invention is to provide a vehicle control device that can perform the above.

  In order to achieve the above object, a vehicle control apparatus according to the present invention is mounted on a vehicle, and includes a non-volatile memory, control means for executing transmission / reception of data between the non-volatile memory, the non-volatile memory and the control. A vehicle control device comprising a non-volatile memory access means for mediating data transmission / reception between the means, comprising a non-volatile memory access monitoring means for monitoring access to the non-volatile memory, the control means and the non-volatile memory When an abnormality occurs in the data writing to the nonvolatile memory executed by transmission / reception between the two, the cause of the abnormality is detected via the nonvolatile memory access means and the nonvolatile memory access monitoring means, and the It is configured to be stored in a nonvolatile memory.

  The cause of the write abnormality that can be detected by the nonvolatile memory access means and the nonvolatile memory access monitoring means is, for example, an abnormality of software that constitutes a control means for transmitting / receiving data to / from the nonvolatile memory, and to the nonvolatile memory. Communication abnormality in data transmission / reception and abnormality of the nonvolatile memory itself.

  According to the present invention, an abnormality can be detected by specifying where in the non-volatile memory, the control unit, or the communication path between the non-volatile memory and the control unit has occurred.

  DESCRIPTION OF EXEMPLARY EMBODIMENTS Hereinafter, preferred embodiments of the invention will be described with reference to the accompanying drawings.

  FIG. 1 is a functional block diagram showing the vehicle control device of this embodiment.

  As shown in FIG. 1, the vehicle control device 1 is a vehicle electronic device (ECU: Electrical Control Unit) mounted on the vehicle. The vehicle control device 1 is connected to sensors 2 attached to each component such as an engine and other electrical components, and includes an input signal detection means 3 that detects (receives) an input signal from the sensors 2, an engine and the like. An output circuit 6 connected to the actuators 5 provided for driving the actuators 5 and an input signal detection means 3 and an output circuit 6 connected to the output circuit 6 to generate and output an appropriate control signal according to the signal from the input signal detection means 3 The control means 4 for outputting to the circuit 6, the electrically rewritable nonvolatile semiconductor memory (hereinafter referred to as “nonvolatile memory”) 9, and the control means 4 and the nonvolatile memory 9 mediate data. The nonvolatile memory access means 10 and the state of the communication line between the nonvolatile memory 9 and the nonvolatile memory access means 10 and the nonvolatile memory for monitoring the nonvolatile memory access means 10 Includes a re access monitoring device 11 is connected to the non-volatile memory access means 10 and an external communication bus 7, and an external communication unit 8 for transmitting and receiving a signal to an external network.

  FIG. 2 is a block diagram showing a hardware configuration of the vehicle control device 1 of FIG.

  As shown in FIG. 2, the vehicle control device 1 includes an input / output interface (I / F) 12 connected to the sensors 2 and the actuators 5, and an external device connected to the external communication bus 7. External communication interface (I / F) 13 that performs signal transmission / reception, RAM (Random Access Memory) 14 that is a volatile memory that stores temporary information, and ROM that is a nonvolatile memory that stores a control program and various control settings (Read Only Memory) 15, an internal communication interface (I / F) 16 connected to the non-volatile memory, and a CPU (Central Processing Unit) 17 that controls and controls them, these elements are They are connected to each other via a bus 18. As the nonvolatile memory, an EEPROM (Electrically Erasable and Programmable Read Only Memory) 20 is exemplified and connected to the internal communication interface 16. Communication (communication path) between the EEPROM 20 and the internal communication interface is also connected to the input / output interface 12 and monitored by the CPU 17 via the bus 18.

  In the vehicle control apparatus 1, when the functional block diagram of FIG. 1 is associated with the hardware block diagram of FIG. 2, the input signal detecting means 3 and the output circuit 6 of FIG. 1 correspond to the input / output interface 12 of FIG. Further, the control means 4, the non-volatile memory access means 10 and the non-volatile memory access monitoring means 11 shown in FIG. 1 correspond to the software (program) described in the ROM 15 and the CPU 17 that executes the software via the RAM 14 in FIG. To do. The non-volatile memory 9 in FIG. 1 corresponds to the EEPROM 20 in FIG.

  The module group such as the input / output interface 12, the external communication interface 13, the RAM 14, the ROM 15, the CPU 17, the internal communication interface 16, and the bus 18 may be configured by a microcomputer 19 including one or two or more chips. The CPU 17 executes control of an external engine and other electrical components, data processing in the vehicle control device, and the like based on input information of sensors. The ROM 15 stores programs and data executed by the CPU 17. The RAM 14 temporarily records the calculation result by the CPU 17 and the program and data in the ROM 15.

  Next, the operation of the vehicle control device 1 will be described with reference to FIG.

  A microcomputer 19 shown in FIG. 3 includes a nonvolatile memory access means 10, a nonvolatile memory access monitoring means 11, an internal communication interface 16, and an application program 21. The application program 21 is a program for writing data input from the vehicle sensors 2, driving / controlling processing to the actuator, and information related to the control target to the nonvolatile memory based on these processing results. Similar to the nonvolatile memory access means 10 and the nonvolatile memory access monitoring means 11, the application program 21 is software that is written in the ROM 15 and read and executed by the CPU 17. The internal communication interface 16 shown in FIG. 3 is a built-in module mounted as hardware in the microcomputer 19. The EEPROM 20 is connected to the internal communication interface 16 and is also connected to the nonvolatile memory access monitoring means 11 via an input signal detection means 3 (see FIG. 1) (not shown).

  When the application program 21 writes data related to an external control target of the vehicle control device 1 to the EEPROM 20, first, a write request is made to the nonvolatile memory access means 10 (arrow a). The non-volatile memory access means 10 makes an inquiry to the non-volatile memory access monitoring means 11 (arrow b) in order to confirm whether the write request is correct.

  When the nonvolatile memory access monitoring means 11 authenticates that the write request from the nonvolatile memory access means 10 is valid (arrow c), the nonvolatile memory access means 10 drives the internal communication interface 16. (Arrow d), a write signal for writing data requested by the application program 21 to the EEPROM 20 is transmitted (arrow e).

  On the other hand, if the non-volatile memory access monitoring means 11 determines that the write request from the application program 21 is invalid, the non-volatile memory access means 10 is not the data requested to be written by the application program 21, but is illegal. Write data (invalid write identification data) indicating that there has been a write request is written to the EEPROM 20. By this operation, it is stored in the EEPROM 20 that the write request is not valid.

  Thereby, even when there is an illegal data write request to the nonvolatile memory 9 on the vehicle control device 1, the cause is the software (application 21) that controls the control means 4 that performs data transmission / reception with the nonvolatile memory 9. If there is, the cause can be determined.

  Further, the communication line 21 (arrow e, f) between the internal communication interface 16 and the EEPROM 20 is monitored by the nonvolatile memory access monitoring means 11 (arrow g), and unauthorized communication from the internal communication interface 16 to the EEPROM 20 is performed. It is determined whether or not has been performed. That is, the communication from the internal communication interface 16 to the EEPROM 20 is performed because the nonvolatile memory access means 10 receives a write request from the application program 21 and the nonvolatile memory access monitoring means 11 permits the writing. Only when the access means 10 drives the internal communication interface 16. If any communication state is confirmed on the communication line between the internal communication interface 16 and the EEPROM 20 by the non-volatile memory access monitoring means 11 even though this series of operations is not performed, has the internal communication interface 16 malfunctioned? Or, it indicates that an abnormality has occurred in any of the communication logics such as a malfunction such as noise occurring in the communication line between the internal communication interface 16 and the EEPROM 20. When such abnormal communication occurs, the nonvolatile memory access monitoring unit 11 notifies the nonvolatile memory access unit 10 that abnormal communication has occurred, and stores the occurrence of communication abnormality in the EEPROM 20.

  Thereby, even when the storage content of the nonvolatile memory 9 is damaged on the vehicle control device 1, if the cause is a communication abnormality in data transmission / reception with the nonvolatile memory 9, it can be determined. It becomes possible.

  Even though the write identification data indicating the unauthorized write request based on the above-described software abnormality is not detected, and the notification based on the communication abnormality is not detected, data is damaged or lost in the nonvolatile memory 9. In this case, it is indicated that data is damaged or lost in the nonvolatile memory itself (semiconductor device on the nonvolatile memory side).

  Next, the operation of the nonvolatile memory access means 10 (EEPROM writing routine) and the operation of the nonvolatile memory access monitoring means 11 (signature inquiry, communication line monitoring routine) will be described with reference to the flowcharts shown in FIGS. .

  FIG. 4 is a flowchart of the EEPROM write routine 22 executed by the nonvolatile memory access means 10. According to the EEPROM write routine 22, first, the nonvolatile memory access means 10 receives a write address (Wa) 23, write data (Wd) 24, and a signature (Sg) 25 as arguments from the application program 21 that is the caller. Next, in order to confirm that the signature 25 received from the application program is correct, the signature is inquired (step S26). The signature inquiry is performed in the non-volatile memory access monitoring means 11, and details thereof will be described later (see FIG. 5).

  When the inquiry result is returned from the nonvolatile memory access monitoring means 11 to the nonvolatile memory access means 10, the inquiry result is determined (step S27), and the EEPROM writing signal is set to High. The EEPROM writing signal (Ws) is a signal indicating whether or not a write signal can be sent to the EEPROM. While the internal communication interface 16 is sending a write signal to the EEPROM 20, the EEPROM and the EEPROM 20 are internal. When the communication interface 16 did not send a write signal, it was defined as Low. Note that the EEPROM writing signal (Ws) may be set by software or may display some function implemented by hardware.

  If the signature inquiry 26 confirms that the signature (Sg) 25 sent by the caller is correct (step S27 → S), the EEPROM writing signal (Ws) is set to high (step S28), and then the internal communication The interface 16 is driven, and a signal for writing the write data (Wd) 24 corresponding to the write address (Wa) 23 received as an argument from the application program 21 is sent to the EEPROM 20 (step S29). When transmission of the write signal is completed, the EEPROM writing signal (Ws) is set to Low again (step S30).

  On the other hand, if the signature (Sg) 25 sent from the caller is not correct (step S27 → N) as a result of the signature inquiry in the nonvolatile memory access monitoring means 11, the nonvolatile memory access means 10 is writing to the EEPROM. After setting the signal (Ws) to High (step S31), the internal communication interface 16 is driven, and a write signal (illegal write signal) indicating illegal write due to a software reason is sent to the EEPROM 20 (step S32). When the sending of the illegal write signal is completed, the EEPROM writing signal (Ws) is set to Low again (step S33).

  Through such a series of operations (EEPROM writing routine), it is stored in the EEPROM 20 that there has been an illegal writing to the EEPROM 20 due to software.

  FIG. 5 is a flowchart showing a signature inquiry routine in the nonvolatile memory access monitoring means 11.

  As shown in FIG. 5, the non-volatile memory access monitoring means 11 receives the write address (Wa) 23, the write data (Wd) 24, and the arguments from the EEPROM write routine 22 (non-volatile memory access means 10) as the caller. The signature (Sg) 25 is received. Based on the received information, a signature (Sg ') is calculated (step S34). The calculation of the signature (Sg ′) may be a method in which the number of authentications is shared in advance with the application program 21, or is calculated by a combination of the write address (Wa) 23, the write address (Wa) 23, and the write data (Wd) 24. May be a method using a common key encryption or a public key encryption, and any calculation method can be used as long as it can be confirmed that at least the original signature (Sg) 25 is due to a write request from the application program 21. May be. If the calculated signature (Sg ′) matches the value of the original signature (Sg) 25 (step S35 → Y), it can be confirmed that the original signature (Sg) 25 is due to a write request by the application program 21. Then, the EEPROM writing routine 22 which is the caller notifies the EEPROM writing routine (nonvolatile memory access means 10) that the authentication has been correctly performed, and the processing is terminated (step S36).

  On the other hand, if the signature (Sg ′) obtained by the calculation does not match the value of the original signature (Sg) 25, it cannot be confirmed that the write request is issued by the application program 21. Is notified to the nonvolatile memory access means 10 and the process is terminated (step S37).

  FIG. 6 is a flowchart for detecting an abnormality in data communication between the control means 4 (microcomputer 19) and the nonvolatile memory 9 (EEPROM 22) executed by the nonvolatile memory access monitoring means 11 (communication line monitoring routine). .

  As shown in FIG. 6, when the communication line monitoring routine 38 is executed in the nonvolatile memory access monitoring means 11, first, the nonvolatile memory access monitoring means 11 acquires the communication line state (St) (step S39). ). The communication line state (St) is a parameter indicating the state of the communication line between the internal communication interface 16 and the EEPROM 20. The non-volatile memory access monitoring unit 11 monitors the communication state between the internal communication interface 16 and the EEPROM 20, and if the communication line state (St) is active indicating that the communication is in progress (step S40 → Y), The state of the EEPROM writing signal (Ws) is confirmed (step S41). If the state (Ws) of the EEPROM write signal is Low, some data is sent although the EEPROM write routine 22 does not send a write signal to the EEPROM 20 via the internal communication interface 16 ( That is, there is a communication abnormality). Therefore, if the communication line state (St) is active and the EEPROM write signal is Low, the fact that a communication error has occurred is stored in the EEPROM 20 by the EEPROM write request (step S42).

  As described above, the vehicle control apparatus determines whether the non-volatile memory 9 has an illegal write request or the stored content is damaged based on the non-volatile memory 9, the control means 4, or the non-volatile memory 9. Which of the communications between the control means 4 can be distinguished, and it is possible to more appropriately take measures when a problem occurs.

  Specifically, when an abnormal operation of software (application 21) that operates the control means for transmitting / receiving data to / from the nonvolatile semiconductor memory 9 is detected, the abnormality is stored in the nonvolatile memory 9. Thus, when the stored contents of the nonvolatile memory 9 are damaged, it can be determined that the cause is in the software. In addition, when a communication abnormality is detected in the transmission / reception of data to / from the nonvolatile memory 9, if the abnormality is stored in the nonvolatile memory, the stored content of the nonvolatile memory 9 is damaged. It can be determined that the cause is a communication error in transmission / reception of data to / from the nonvolatile memory 9. Further, by combining these two abnormality detection methods, when the storage contents of the nonvolatile memory 9 are damaged, the software that controls the control device that transmits and receives data to and from the nonvolatile memory 9 can also be used. When it is detected that there is no communication abnormality in the transmission / reception of data to / from, it is possible to determine that the cause of damage to the storage contents of the nonvolatile semiconductor memory 9 is due to the nonvolatile semiconductor memory itself.

  As described above, the present invention is not limited to the above-described embodiments, and various other ones are assumed.

  In the present embodiment, the internal communication interface 16 is used as a communication interface on the microcomputer 19 side connected to the EEPROM 20, but the connection between the EEPROM and the microcomputer (control means) is such that the nonvolatile semiconductor memory is connected to the control device by communication. Any configuration may be used. For example, the input / output interface 12 may be used as a communication interface on the microcomputer 19 side connected to the EEPROM 20. Further, a general-purpose input / output interface may be used as a communication interface on the microcomputer 19 side connected to the EEPROM 20, and a signal may be directly driven and communicated by software described in the ROM 15.

  In the present embodiment, the EEPROM 20 is used as the nonvolatile semiconductor memory, and the EEPROM 20 is arranged outside the microcomputer 19. However, a nonvolatile semiconductor memory that is an abnormality detection target may be built in the microcomputer. In this configuration, communication abnormality is not detected in the data transmission / reception between the microcomputer and the nonvolatile semiconductor memory, but the abnormality of the software that transmits data from the control means to the nonvolatile memory is diagnosed in the microcomputer. What is necessary is just to be comprised.

  Further, when software abnormality, communication abnormality, and abnormality of the nonvolatile memory itself are stored in the nonvolatile memory 9, the abnormality may be notified to the user as an in-vehicle display or a warning sound.

It is a functional block diagram showing a vehicle control device of an embodiment according to the present invention. It is a hardware block diagram (block block diagram) which shows the vehicle control apparatus of one Embodiment. It is a block block diagram which shows the vehicle control apparatus of one Embodiment. It is a flowchart which shows operation | movement of the non-volatile memory access means at the time of performing detection and writing of software abnormality. It is a flowchart which shows operation | movement of the non-volatile memory access monitoring means at the time of performing signature inquiry. It is a flowchart which shows operation | movement of the non-volatile memory access monitoring means at the time of performing detection and writing of communication abnormality.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Vehicle control apparatus 4 Control means 9 Non-volatile memory 10 Non-volatile memory access means 11 Non-volatile memory access monitoring means 14 RAM
15 ROM
16 Internal communication interface 17 CPU

Claims (6)

A non-volatile memory mounted on a vehicle, a control unit that executes transmission / reception of data between the non-volatile memory, a non-volatile memory access unit that mediates data transmission / reception between the non-volatile memory and the control unit, and In a vehicle control device comprising:
Non-volatile memory access monitoring means for monitoring access to the non-volatile memory, when an abnormality occurs in data writing to the non-volatile memory executed by transmission and reception between the control means and the non-volatile memory, A vehicle control device comprising a configuration in which the cause of the abnormality is detected and stored in the nonvolatile memory via the nonvolatile memory access means and the nonvolatile memory access monitoring means.   2. The vehicle control device according to claim 1, wherein the nonvolatile memory access means detects an abnormal operation of software constituting the control means for transmitting and receiving data to and from the nonvolatile memory by the nonvolatile memory access monitoring means. The vehicle control apparatus which memorize | stores the abnormality detection in the said non-volatile memory.   2. The vehicle control device according to claim 1, wherein when the communication error is detected in the data reception to the nonvolatile memory by the nonvolatile memory access monitoring means, the nonvolatile memory access means detects the abnormality. A vehicle control device for storing in a non-volatile memory.   2. The vehicle control device according to claim 1, wherein in the nonvolatile memory access means, an abnormal operation of software for operating the control means is detected when data is written to the nonvolatile memory by the nonvolatile memory access monitoring means. In this case, the abnormality detection is stored in the non-volatile memory, and when a communication abnormality of the data transmission / reception is detected when writing data to the non-volatile memory, the abnormality detection is stored in the non-volatile memory. Vehicle control device   5. The vehicle control device according to claim 2, wherein the nonvolatile memory access unit makes an inquiry to the nonvolatile memory access monitoring unit whether a write request to the nonvolatile memory is valid, and as a result of the inquiry, If the write request is valid, the data executed by the software is written to the non-volatile memory. On the other hand, if the write request is invalid, the software indicates an abnormality in the software. A vehicle control device for writing a write identification signal in the nonvolatile memory.   5. The vehicle control device according to claim 3, wherein the non-volatile memory access monitoring unit monitors a communication line state between the control unit and the non-volatile memory, and requests data write of the control unit to the non-volatile memory. A vehicle control device that writes an unauthorized write identification signal indicating that there is a communication abnormality in the nonvolatile memory when the communication line state is active even though there is no communication line.

Images