JP2011013737A - Electronic controller - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an electronic controller for increasing detection precision with respect to data destruction, and for suppressing the loss of data in such a form that the local processing load increase is prevented, in a system where there are many pieces of backup object information.SOLUTION: When a main power source is restored, a central processing unit 10 calculates the SUM value of backup data stored in a nonvolatile memory 11, and compares the SUM value with SUM value which is similarly calculated when a main power source is interrupted, and when the unique data of the volatile memory 11 and the unique data of the nonvolatile memory 12 are matched, the backup data are not initialized but stored even when the SUM values are not matched.

Description

  The present invention relates to an electronic control unit used for backing up a volatile memory used in a microcomputer or the like.

  The following is known as a method for backing up information in a volatile memory used in a conventional microcomputer or the like when the main power supply is shut off (see, for example, Patent Document 1).

  When the microcomputer detects that the main power supply is cut off, the low power consumption mode starts, and then the mode for backing up the information in the volatile memory starts. In this backup mode, when the microcomputer detects the return of the main power supply, a hardware reset is applied to the microcomputer and a startup program is executed. When the startup process is completed, a user-defined initial process is executed, and a confirmation program is executed to check whether the volatile memory backed up during the initial process is destroyed. The presence or absence of data destruction is determined based on whether or not each data to be backed up is a value that can be taken by specifications. If the value of the backed up data is out of the specifiable range, the microcomputer determines that the data has been destroyed, and initializes the corresponding data and information of the information group to which the data belongs. If the value of the backed up data is within the range, the microcomputer does not initialize the corresponding data because the data is not destroyed.

JP-A-5-158814

  However, in an electronic control device used for backup of a conventional volatile memory, the presence or absence of data destruction is determined based on whether or not the value of backed up data is within the range of values that can be taken by specifications. In actuality, it may be determined that there was no data destruction even though data destruction occurred. Depending on the intended use of the destroyed data, even if the data value after destruction is within the specifiable range, the data value cannot be obtained at the timing when the data is referenced or in the operating environment. There is. At this time, even if the program is not runaway, an event that is determined to be abnormal in the system operation may be reached.

  In addition, since it is necessary to execute a process for determining whether or not each data to be backed up is within the range of values that can be taken in terms of specifications, when the data to be backed up is added, a process for determining the additional data is also performed. Requires additional. Therefore, it is not suitable for a system that lacks expandability and versatility and attempts to back up a large amount of data.

  In addition, when it is determined that the data is destroyed, the data is unconditionally initialized and cannot be recovered, so there is a problem that data loss is large.

  Therefore, the present invention provides an electronic control device that suppresses data loss in a form that has high accuracy in detecting data destruction and prevents local processing load increase even in a system with a large amount of information to be backed up. With the goal.

  The present invention relates to whether or not the value calculated by the control means based on the backup data stored in the volatile storage means is the same between when the main power supply is shut off and when the main power supply is restored, and when the main power supply is restored. Whether or not the backup data of the volatile storage means is destroyed is determined by whether or not the unique data of the means and the unique data of the nonvolatile storage means match.

  The present invention provides an electronic control device that suppresses data loss in a form that has high detection accuracy against data destruction and prevents a local processing load increase even in a system with a large amount of information to be backed up. it can.

1 is a block diagram of an electronic control device for an automobile engine according to an embodiment of the present invention. The figure explaining the internal structure of the volatile memory 11 which is the principal part of the same FIG. The flowchart figure of the backup process at the time of the main power supply cutoff by the microcomputer 2 which is the principal part of FIG. The flowchart figure of the backup process at the time of the main power return by the microcomputer 2 which is the principal part of FIG.

  Hereinafter, an electronic control device according to an embodiment of the present invention will be described with reference to the drawings, taking an electronic control device for an automobile engine as an example.

  FIG. 1 is a block diagram of an electronic control unit for an automobile engine according to an embodiment of the present invention. In FIG. 1, an electronic control device 1 for an automobile engine has a microcomputer 2, a power supply circuit 3, an input circuit 4, and an output circuit 5. The electronic control device 1 is connected to an ignition SW 6, a battery 7, a vehicle state detection device 8, and an external device 9 provided outside the electronic control device 1.

  The power supply circuit 3 in the electronic control unit 1 is composed of a switching regulator or the like, and supplies the microcomputer 2 with the regulated voltage of the battery 7 in accordance with the signal of the ignition SW 6. That is, the power supply circuit 3 supplies voltage from the battery 7 to the microcomputer 2 when it is detected that the ignition SW 6 is turned off in accordance with an instruction from the microcomputer 2. When the power supply circuit 3 detects that the ignition SW 6 is turned off, the power supply circuit 3 sends a signal for shifting to the low power consumption mode to the microcomputer 2. The power supply circuit 3 supplies a voltage from the main power supply to the microcomputer 2 when detecting that the ignition SW 6 is turned on.

  The input circuit 4 includes a waveform shaping circuit, an amplifier circuit, and the like. Detection signals are input to the input circuit 4 from a vehicle state detection device 8 that detects pulses and switches such as engine rotation, and vehicle states such as temperature and pressure. The input circuit 4 shapes the waveform of the detection signal, amplifies an analog signal such as temperature and pressure, and inputs the amplified signal to the microcomputer 2.

  The output circuit 5 includes a waveform shaping circuit, an H bridge circuit, and the like. A control signal calculated by the microcomputer 2 based on the signal from the input circuit 4 is input to the output circuit 5. The output circuit 5 outputs this control signal to an external device 9 composed of a motor, a spark plug, an injector, and the like. The operation of the external device 9 is controlled by this control signal.

  Further, the microcomputer 2 includes a central processing unit 10, a volatile memory 11, and a nonvolatile memory 12.

  The central processing unit 10 (CPU) performs an operation based on the control program stored in the non-volatile memory 12 and information input from the input circuit 4, and outputs a control signal determined based on the operation result to the output circuit 5. Output to. At this time, the intermediate result of the operation and information input from the input circuit 4 are stored in the volatile memory 11. Further, when the central processing unit 10 receives an ON / OFF detection signal of the ignition SW 6 from the power supply circuit 3, the central processing unit 10 determines that the main power supply has been restored / cut off, and performs the control described later. Here, the return of the main power supply means that the state of being disconnected by being connected to the main power supply is released. Further, the central processing unit 10 shifts to the low power consumption mode when the power supply circuit 3 receives a command signal in the low power consumption mode associated with turning off the ignition SW 6.

  The volatile memory 11 (RAM) can store information in the low power consumption mode even when the main power supply is shut off. In other words, even when the ignition SW 6 is turned off, the voltage of the battery 7 is supplied to the microcomputer 2 by the power supply circuit 3, so that the volatile memory 11 can hold the stored data without being erased.

  Next, the internal configuration of the volatile memory 11 will be described. FIG. 2 is a diagram for explaining the internal configuration of the volatile memory 11.

  The volatile memory 11 has a backup area 19 and a non-backup area 20. The backup area 19 is an area in which important data is arranged to be backed up. The backup area 19 is composed of a plurality of regular areas that are distinguished by usage and a plurality of mirror areas that respectively back up the plurality of areas. As shown in FIG. 2, the backup area 19 includes a first area 13 that is a normal area for storing data for use A, a second area 14 that is a mirror area for storing backup of the first area, and data for use B. The third area 15 which is a normal area for storing, the fourth area 16 which is a mirror area for storing the backup of the third area, the fifth area 17 which is a normal area for storing the data for use C, and the backup of the fifth area The sixth area 18 is a mirror area to be stored. Further, in each of the first area 13, the third area 15, and the fifth area 17 which are normal areas, it is confirmed whether or not data is destroyed in the first specific area (for example, the first 4 bytes). The unique data for storing is stored. In the present embodiment, it is assumed that the data in the first area 13 is particularly important data. In the present embodiment, the backup area 19 of the volatile memory 11 includes three regular areas of the first area 13, the third area 15, and the fifth area 17, the second area 14, the fourth area 16, and the sixth area. Although there are 18 three mirror regions, the number of normal regions and the number of mirror regions may be two or more, respectively, as long as the numbers are the same.

  The non-volatile memory 12 (ROM) stores a control program for the central processing unit 10 to perform arithmetic processing. In addition, the nonvolatile memory 12 stores in advance the same unique data as the unique data respectively stored in the first specific areas of the first, third, and fifth areas that are normal areas of the volatile memory 11.

  Next, backup processing by the microcomputer 2 will be described when the power supply circuit 3 detects the interruption of the main power supply (OFF operation of the ignition SW 6). FIG. 3 is a flowchart of backup processing when the main power supply is shut off by the microcomputer 2.

  As shown in step S21 of FIG. 3, the central processing unit 10 calculates the SUM value of the first area 13 which is a normal area in units of 4 bytes, and the calculation result is the second specific area ( For example, the last 4 bytes). In the present embodiment, the SUM value is calculated, but it may be a calculated value based on the data stored in the first area 13.

  Next, as shown in step S <b> 22, the central processing unit 10 copies the information of the first area 13 in which the SUM value is reflected to the second area 14 that is a mirror area of the first area 13. Therefore, the SUM value of the first area 13 calculated by the central processing unit 10 is also stored in the second specific area of the second area 14.

  Similarly, as shown in step S <b> 23, the central processing unit 10 calculates the SUM value of the third area 15 and stores the calculation result in the second specific area of the third area 15.

  Next, as shown in step S <b> 24, the central processing unit 10 performs copying in the fourth area 16 that is a mirror area of the third area 15. Therefore, the SUM value of the third area 15 calculated by the central processing unit 10 is also stored in the second specific area of the fourth area 16.

  Next, as shown in step S <b> 25, the central processing unit 10 calculates the SUM value of the fifth area 17 and stores the calculation result in the second specific area of the fifth area 17.

  Then, as shown in step S <b> 26, the central processing unit 10 performs copying in the sixth area 18 that is the mirror area of the fifth area 17. Therefore, the SUM value of the fifth area 17 calculated by the central processing unit 10 is also stored in the second specific area of the sixth area 18.

  Next, backup processing executed during the initial processing before the microcomputer 2 starts the normal control operation when the power supply circuit 3 detects the return of the main power supply (ON operation of the ignition SW 6) will be described. FIG. 4 is a flowchart of backup processing when the main power is restored by the microcomputer 2.

  First, the central processing unit 10 performs processing on the first region 13 that is a normal region and the second region 14 that is a mirror region. That is, the central processing unit 10 calculates the current SUM value of the first area 13 as shown in step S31, and calculates the calculated SUM value when the main power is shut off as shown in step S32. It is determined whether or not the SUM value stored in the second specific area of the area 13 matches.

  If “NO” in the step S32, that is, if the central processing unit 10 determines that the SUM values do not match, the central processing unit 10 is a mirror region of the first region 13, as shown in step S33. The SUM value of the second area 14 is calculated.

  Then, as shown in step S34, the central processing unit 10 determines that the calculated SUM value of the second area 14 is copied to the second specific area of the second area 14 by the backup process when the main power supply is shut off. It is determined whether it matches.

  If “NO” in the step S34, that is, if the calculated SUM value of the second area 14 does not coincide with the SUM value copied to the second specific area of the second area 14 by the backup process at the time of main power shut-off, the center When the arithmetic processing unit 10 determines, the central processing unit 10 initializes the first to sixth areas, which are all areas of the backup area 19 of the volatile memory 11, as shown in step S35.

If “YES” in the step S 34, that is, if the calculated SUM value of the second area 14 matches the SUM value copied to the second specific area of the second area 14 by the backup process at the time of main power interruption, the central calculation is performed. When the processing device 10 determines, the central processing unit 10 determines that the data in the second region 14 that is the mirror region is more accurate than the data in the first region 13 that is the normal region, and the process proceeds to step S36. As shown, the data stored in the second area 14 is copied to the first area 13.

  If “YES” in the step S32, that is, if the central processing unit 10 determines that the SUM values coincide with each other, or if the processing in the step S36 is performed, as shown in a step S37, the central processing unit 10 Is the determination specific data currently stored in the first specific area of the first area 13 and the determination specific data associated with the first specific area of the first area 13 stored in the nonvolatile memory 12. Judge whether the data matches.

  If “NO” in the step S37, that is, if the central processing unit 10 determines that the unique data does not match, the central processing unit 10 performs the first check by performing a double check in the steps S32 and S37. It is determined that the data stored in 13 is destroyed, and the process of step S35 is performed.

  If “YES” in the step S37, that is, if the central processing unit 10 determines that the unique data match, the central processing unit 10 performs the first check by performing a double check in the steps S32 and S37. It is determined that the data stored in 13 is correct and not destroyed, and the stored data is not initialized and the data is retained.

  Next, the central processing unit 10 performs processing on the third region 15 which is a normal region and the fourth region 16 which is a mirror region. That is, the central processing unit 10 calculates the current SUM value of the third region 15 as shown in step S38, and calculates the calculated SUM value when the main power supply is shut off as shown in step S39. It is determined whether or not the SUM value stored in the second specific area of the area 15 matches.

  If “NO” in the step S39, that is, if the central processing unit 10 determines that the SUM values do not match, the central processing unit 10 is a mirror region of the third region 15, as shown in step S40. The SUM value of the fourth area 16 is calculated.

  Then, as shown in step S41, the central processing unit 10 determines that the calculated SUM value of the fourth area 16 is copied to the second specific area of the fourth area 16 by the backup process when the main power supply is shut off. It is determined whether it matches.

  If “NO” in the step S41, that is, if the calculated SUM value of the fourth area 16 does not match the SUM value copied to the second specific area of the fourth area 16 by the backup processing at the time of main power shut-off, the center When the arithmetic processing unit 10 determines, the central processing unit 10 initializes the third region 15 which is a normal region among the regions of the volatile memory 11 as shown in step S42.

  If “YES” in the step S41, that is, if the calculated SUM value of the fourth area 16 and the SUM value copied to the second specific area of the fourth area 16 by the backup processing at the time of main power cut-off coincide, When the processing device 10 determines, the central processing unit 10 determines that the data in the fourth region 16 that is the mirror region is more accurate than the data in the third region 15 that is the normal region, and the process proceeds to step S43. As shown, the data stored in the fourth area 16 is copied to the third area 15.

  If “YES” in the step S39, that is, if the central processing unit 10 determines that the SUM values coincide with each other, or if the processing in the step S43 is performed, as shown in the step S44, the central processing unit 10 Further, the determination specific data currently stored in the first specific area of the third area 15 and the determination specific data associated with the first specific area of the third area 15 stored in the nonvolatile memory 12 Judge whether the data matches.

  If “NO” in the step S44, that is, if the central processing unit 10 determines that the unique data does not match, the central processing unit 10 performs the third check by performing a double check in the steps S39 and S44. 15 determines that the data stored in 15 has been destroyed, and performs the process of step S42.

  If “YES” in the step S44, that is, if the central processing unit 10 determines that the unique data matches, the central processing unit 10 performs the third check by performing a double check in the steps S39 and S44. It is determined that the data stored in 15 is not destroyed and is correct, and the stored data is not initialized but is retained.

  Finally, the central processing unit 10 performs processing on the fifth area 17 which is a normal area and the sixth area 18 which is a mirror area. That is, the central processing unit 10 calculates the current SUM value of the fifth region 17 as shown in step S45, and calculates the calculated SUM value when the main power supply is shut off as shown in step S46. It is determined whether or not the SUM value stored in the second specific area of the area 17 matches.

  If “NO” in the step S46, that is, if the central processing unit 10 determines that the SUM values do not match, the central processing unit 10 is a mirror region of the fifth region 17 as shown in step S47. The SUM value of the sixth area 18 is calculated.

  Then, as shown in step S48, the central processing unit 10 determines that the calculated SUM value in the sixth area 18 is copied to the second specific area in the sixth area 18 by the backup process when the main power supply is shut off. It is determined whether it matches.

  If “NO” in the step S48, that is, if the calculated SUM value of the sixth area 18 does not match the SUM value copied to the second specific area of the sixth area 18 by the backup process at the time of main power shut-off, the center When the arithmetic processing unit 10 determines, the central processing unit 10 initializes the fifth region 17 which is a normal region among the regions of the volatile memory 11 as shown in step S49.

  If “YES” in the step S48, that is, if the calculated SUM value of the sixth area 18 coincides with the SUM value copied to the second specific area of the sixth area 18 by the backup process at the time of main power shut-off, the central calculation is performed. When the processing device 10 determines, the central processing unit 10 determines that the data in the sixth region 18 that is the mirror region is more accurate than the data in the fifth region 17 that is the normal region, and the process proceeds to step S50. As shown, the data stored in the sixth area 18 is copied to the fifth area 17.

  If “YES” in the step S 46, that is, if the central processing unit 10 determines that the SUM values match, or if the process of the step S 50 is performed, the central processing unit 10 as shown in a step S 51. Is the determination specific data currently stored in the first specific area of the fifth area 17 and the determination specific data associated with the first specific area of the fifth area 17 stored in the nonvolatile memory 12. Judge whether the data matches.

  If “NO” in the step S51, that is, if the central processing unit 10 determines that the unique data does not match, the central processing unit 10 performs the fifth check by performing a double check in the steps S46 and S51. It is determined that the data stored in 17 is destroyed, and the process of step S49 is performed.

If “YES” in the step S51, that is, if the central processing unit 10 determines that the unique data match, the central processing unit 10 performs the fifth check by performing a double check in the steps S46 and S51. It is determined that the data stored in 17 is correct and not destroyed, and the stored data is not initialized and is retained.

  According to such a backup device of the present invention, it is possible to determine whether or not the stored data is destroyed by double check for each area of the backup area 19 of the volatile memory 11 divided into a plurality of areas. .

  That is, whether or not the SUM value calculated by the central processing unit 10 for each area of the backup area 19 matches the SUM value stored in the second specific area at the time of power-off, the first of each area of the backup area 19 The central processing unit 10 determines whether or not the unique data stored in the specific area and the unique data stored in the nonvolatile memory 12 coincide with each other to determine whether or not there is data corruption. In addition, it is possible to provide high reliability with respect to destruction detection.

  Further, a second area 14, a fourth area 16, and a sixth area 18, which are mirror areas, are provided for each of the first area 13, the third area 15, and the fifth area 17 that are normal areas of the volatile memory 11. Therefore, even if the data in the normal area is destroyed, if the data in the mirror area is normal, the data in the mirror area can be used instead of the data in the mirror area. it can. If both the regular area and the mirror area are destroyed, they are initialized and used. However, since only the area to which the destroyed data belongs is initialized, the data to be initialized can be limited to limited ones. Speed can be improved.

  On the other hand, when data destruction occurs in an area in which particularly important data, for example, data that leads to the validity of data in the entire area of the volatile memory 11 is stored, such as the first area 13, step S35 is performed. Thus, the entire area can be initialized and used unconditionally.

  In other words, the central processing unit 10 weights the importance level for each regular area according to the intended use for the backup data stored in each area of the backup area 19, and the initial value of the backup data is based on this weighting. Determine the area to be converted. Therefore, it is possible to achieve both the reliability of backup data and the reduction of processing load.

  Furthermore, according to this embodiment, the presence / absence of data corruption is checked for each area divided for the intended use, such as the backup area 19 of the volatile memory 11, and the presence / absence of data initialization is determined for each area. Therefore, it is easy to add backup target data.

  Further, by unifying the data arranged in a specific area in the backup area 19 of the volatile memory 11 so that it is not updated after a certain specific timing, the SUM calculation of the area and the mirror area are performed. Can be distributed, and even when there is a lot of data to be backed up, the processing load can be reduced.

As described above, according to the present embodiment, the presence or absence of data destruction is matched with the determination data stored in the non-volatile memory even when the amount of data or the type of data increases, and when the main power is shut off and restored. Since the determination is performed by matching the consistency of the data SUM values in the backup area at the time, the reliability of the determination result can be improved. Also, by copying the backup data to the mirror area and duplicating it when the main power supply is shut off, even if a data destruction decision is made, the data can be recovered, so that data loss can be suppressed. Especially in in-vehicle applications where precision control of devices such as motors is possible by updating data at any time, such as in automobiles, etc., such data loss can be controlled with precision of the device. It is extremely effective for control. Furthermore, by dividing the backup area into a plurality of parts, SUM calculation and copy processing can be distributed, and the processing load can be suppressed.

  The electronic control device according to the present invention is useful for in-vehicle applications that require high processing speed even when the amount of data and the type of data are large, particularly for automobile engines.

2 Microcomputer 3 Power supply circuit 10 Central processing unit 11 Volatile memory 12 Non-volatile memory

Claims (4)

Voltage supply means for supplying a voltage from an external power supply when the main power supply is shut off;
Volatile storage means for storing backup data when the main power supply is shut off by the voltage supplied from the voltage supply means, and having unique data;
Non-volatile storage means having the same unique data as the unique data of the volatile storage means;
Control means for determining whether or not the data in the volatile storage means is destroyed when the main power is restored, and for initializing backup data in the volatile storage means when the data is destroyed,
The control means determines whether or not the value calculated based on the backup data stored in the volatile storage means coincides between when the main power is shut off and when the main power is restored, and when the main power is restored, the volatile storage means An electronic control device, wherein whether or not the backup data of the volatile storage means is destroyed is determined based on whether or not the unique data of the non-volatile storage means matches. The volatile storage means has a backup area for storing backup data, and a mirror area for storing the same backup data as the backup area,
The control means does not match the value calculated based on the backup data in the backup area when the main power is shut off and when the main power is restored, and the value calculated based on the backup data in the mirror area is when the main power is shut off. 2. The electronic control device according to claim 1, wherein the backup data in the backup area is replaced with the backup data in the mirror area when they coincide with each other when the main power is restored.   The control means holds the backup data in the backup area without being initialized when the unique data in the backup area and the unique data in the nonvolatile storage means coincide with each other when the main power is restored. Item 3. The electronic control device according to Item 2.   2. The electronic device according to claim 1, wherein the control unit determines an area in which the backup data of the volatile storage unit is initialized according to the importance of the backup data stored in the volatile storage unit. Control device.