JP2012230637A - Program group - Google Patents

Abstract

PROBLEM TO BE SOLVED: To reliably supply a defined watchdog signal when switching from a boot program to a basic program takes place.SOLUTION: While boot processing is being executed, the signal level of a WD signal is reversed each time a WD count value reaches a WD threshold THw1 (i.e. a WD period elapses), and while normal processing is being executed, the signal level of the WD signal is reversed each time the WD count value reaches a WD threshold THw2 (i.e. the WD period elapses). At the timing of switching from boot processing to normal processing, the initial value of the WD count value is set to such a value that reaches the WD threshold THw2 when an initial offset time elapses, on the basis of inherited information.

Description

  The present invention relates to a program group executed by a control device to be monitored by a watchdog function.

Conventionally, a watchdog timer (WDT) is known as a technique for monitoring program runaway (see, for example, Patent Document 1).
The watchdog timer is configured to be timed up when a certain time (upper limit allowable time) elapses. The timer is reset by a watchdog (WD) signal from a control device to be monitored, and the watchdog signal When the timer stops and the timer expires, a message to that effect is output to the outside.

  In recent years, software having a structure in which various application programs and a basic program (such as an OS) that controls execution of the application programs are separated is known as software installed in a microcomputer.

  For example, in the field of in-vehicle programs, an AUTOSAR software platform has been proposed by AUTOSAR (AUTomotive Open System ARchitecture) in order to standardize automobile software as parts.

  In this AUTOSAR software platform, a hardware-independent application program (AUTOSAR Software) is provided on BSW (Basic Software) which provides various functions (OS, communication, memory management, diagnosis, ECU state management, etc.) to the application program. It is configured to work with. In such a system, the process of outputting a WD signal is usually realized as a function of a basic program (BSW or the like).

JP-A-4-190433

  By the way, in a system in which an application program operates on such a basic program, before starting the basic program, the system operates without assuming the basic program, and boots that execute hardware initialization, BSW startup, and the like. You need to run the program.

  If the execution time of the boot program exceeds the upper limit allowable time of the watchdog timer, it is necessary to execute processing for outputting the WD signal also in the boot program.

  However, since the WD process provided by the boot program is independent of the WD process provided by the basic program, a continuous WD signal is sent to the monitoring device when switching from the boot program to the basic program. There was a problem that could not.

  In particular, when the lower limit allowable time is defined for the transmission interval of the WD signal, if the WD signal is transmitted at an interval equal to or lower than the lower limit allowable time, the WD signal is ignored, and the interval is within the upper allowable time. There is a possibility that the watchdog timer may time out despite sending the WD signal.

In addition, since the conventional apparatus described in Patent Document 1 does not assume the existence of a basic program, even if the technique is applied, the above-described problem cannot be solved.
In order to solve the above problems, an object of the present invention is to ensure that a specified watchdog signal can be supplied even when a boot program is switched to a basic program.

  In order to achieve the above object, the present invention provides a monitoring device that outputs an abnormality detection signal when a watchdog signal input at an interval within a preset allowable monitoring period is interrupted. On the other hand, the present invention relates to a program group executed by the control device, with a device to be monitored by the monitoring device as a control device by outputting a watchdog signal.

  The program group of the present invention includes a basic program having at least a function for controlling the execution of various application programs, and a boot program for executing a process for starting the basic program when the control device is started. At least a process of transmitting a watchdog signal at an interval of is performed.

  The basic program is configured to take over at least timing information related to the next transmission timing of the watchdog signal from the boot program at the time of activation.

  According to the program group of the present invention configured as described above, the basic program determines the output timing of the watchdog signal to be output first based on the timing information inherited from the boot program. The watchdog signal can be output at intervals within the monitoring allowable period from the watchdog signal output last.

  Note that the timing information may specifically be information representing an elapsed time since the last transmission of the watchdog signal, or information representing a remaining time until the next transmission.

  In addition, when the basic program is configured so as to be able to cope with an arbitrary monitoring allowable period, the information handed over from the boot program to the basic program may include information for specifying the monitoring allowable period.

  Further, when the monitoring device is configured to determine that the watchdog signal is interrupted when the signal level of the watchdog signal is the same level continuously for the monitoring allowable period or longer, the boot program is a basic program. The information to be taken over may include information indicating the signal level of the watchdog signal.

The block diagram which shows the structure of the principal part of a vehicle-mounted control apparatus. Explanatory drawing which shows the relationship between the count value of a down counter, and various parameters. Explanatory drawing which shows the content of the area | region ensured in RAM. The flowchart which shows the content of the watchdog process. The flowchart which shows the content of a boot process. Explanatory drawing which shows the state of the WD signal and timer interruption at the time of the switch from a boot process to a normal process. Explanatory drawing which shows the change of the WD count value at the time of switching from a boot process to a normal process. Explanatory drawing which shows the relationship between the switching timing from the boot process in a modification to a normal process, and the waveform of a WD signal. The flowchart which shows the content of the boot process in a modification.

Embodiments of the present invention will be described below with reference to the drawings.
<Overall configuration>
FIG. 1 is a block diagram showing a configuration of a main part of an in-vehicle control device 1 to which the present invention is applied.

  As shown in FIG. 1, the in-vehicle control device 1 is based on a control unit 3 that executes various processes assigned to the device and a watchdog signal (hereinafter referred to as “WD signal”) supplied from the control unit 3. And a monitoring unit 5 that monitors the operation state of the control unit 3.

<Monitoring unit>
The monitoring unit 5 is composed of a watchdog timer composed of a self-running down counter.
Here, FIG. 2 is an explanatory diagram showing the relationship between the count value of the down counter and various parameters. Hereinafter, the operation of the monitoring unit 5 will be described with reference to FIG.

  When a WD signal is input to the monitoring unit 5 (watchdog timer), the count value of the down counter is a value M (M = Tu / Tcy, Tcy corresponding to the preset upper limit allowable time Tu). In addition, when the count value of the down counter becomes zero, that is, when the watchdog timer times out, the abnormality detection signal (warning notification) is output.

  However, in the present embodiment, the WD signal input at an interval shorter than the preset lower limit allowable time Tl (<Tu) is ignored, that is, the presetting of the count value by the WD signal is prohibited. Yes.

  In other words, the down counter is preset only when the interval from the lower limit allowable time Tl to the upper limit allowable time Tu is the monitoring allowable period and the input interval of the WD signal is within the monitoring allowable period.

  Further, an intermediate value between the lower limit allowable time Tl and the upper limit allowable time Tu is set to be a WD cycle Tw (= (Tl + Tu) / 2) that defines a transmission interval of the WD signal transmitted from the control unit 3. Yes.

<Control unit>
Next, the control unit 3 includes a known microcomputer mainly composed of a CPU, a ROM, and a RAM, and includes at least an interrupt timer for generating a timer interrupt for the CPU.

  As shown in FIG. 1, the software executed in the control unit 3 includes various application programs on BSW (Basic Software) and RTE (Run Time Environment) standardized as an AUTOSAR (AUTomotive Open System ARchitecture) software platform. (AUTOSAR Software) is configured to operate.

  Further, when the control unit 3 is activated (when the power to the vehicle-mounted control device 1 is turned on), a boot program for initializing hardware is activated, and the BSW is activated by this boot program. .

  As shown in FIG. 3, the RAM stores an area for storing takeover information transferred from the boot program to the BSW (hereinafter referred to as “takeover information storage area”), and a count value for transmitting a WD signal (hereinafter referred to as “WD count value”). ”) Is stored at least (hereinafter referred to as“ WD count value storage area ”). Further, the takeover information storage area includes a WD cycle for specifying the transmission cycle of the WD signal, an initial signal level for specifying the initial value of the signal level of the WD signal, and an initial offset time for specifying the timing for transmitting the first WD signal. There is at least an area to store.

<WD processing>
Here, the contents of the WD process activated by the timer interruption will be described with reference to the flowchart shown in FIG. Hereinafter, the interrupt period of the timer interrupt is represented by Tp. However, the interrupt cycle Tp may be different between the timer interrupt set by the boot program and the timer interrupt set by the BSW. Further, the interrupt timer for generating a timer interrupt for starting the WD process may be different between the boot program and the BSW.

  When this processing starts, first, in S110, the WD count value is incremented, and in subsequent S120, whether or not the WD count value is greater than a threshold (WD threshold) THw (= Tw / Tp) corresponding to the WD cycle Tw. If the WD count value is equal to or less than the WD threshold value THw, the present process is terminated.

On the other hand, if the WD count value is larger than the threshold value, an error check is executed in S130.
Specifically, in this error check, an abnormality of the storage device (ROM or RAM) (when information stored in the storage device is made redundant for abnormality confirmation and cannot be matched), an abnormality of the CPU ( CPU runaway due to undefined instructions, etc.), load abnormalities (with a mechanism that can measure the CPU processing load, etc., when the load exceeds the expected value), sequence abnormalities (instructions executed in a processing order different from normal operation) Etc.).

  In S140, it is determined whether or not an error is detected as a result of the error check. If no error is detected, the signal level of the WD signal is inverted (a WD signal is transmitted) in S150, and WD is transmitted in S160. The signal level of the signal is stored, and the process proceeds to S170. On the other hand, if it is determined in S140 that an error has been detected, the process proceeds to S170 without executing S150 and S160.

In S170, the WD count value is reset, and this process ends.
That is, by this process, an error check is performed every WD cycle Tw, and when no error is detected, a WD signal is output (inverted signal level) and an error is detected, or for some reason When the WD process itself is not performed, the output of the WD signal is stopped.

<Boot process>
Next, the contents of the process (boot process) realized by the boot program will be described with reference to the flowchart shown in FIG.

  As shown in FIG. 5, when this process is started, first, in S210, an initialization process for initializing the hardware configuring the control unit 3 is executed. In this initialization process, in addition to the memory check, the CPU and various peripheral devices (not shown) are initialized. Among the initial settings are initialization of the port that outputs the WD signal (here, the signal level is set to high level), initialization of the WD count value (here, zero clear), interrupt timer (timer interrupt timer The setting of the interrupt period Tp) and the permission of the timer interrupt are included at least. By these initial settings, the WD process is started at a constant period Tp.

Here, it is assumed that a timer interrupt occurs one or more times until the initialization process executed in S210 is completed, and accordingly, the WD process is also executed one or more times.
In subsequent S220, a takeover information setting process for setting information to be taken over from the WD process executed by the boot program to the WD process executed by the BSW is executed.

  Specifically, a preset fixed value is set as the WD cycle Tw, the signal level stored in S160 of the WD process is set as the initial signal level, and the timer interrupt cycle is set to the WD count value as the initial offset time. The values obtained by subtracting the elapsed time obtained by multiplication (the elapsed time since the last transmission of the WD signal) from the WD cycle Tw are stored in the takeover information storage area.

Finally, in S230, the BSW is activated and this process is terminated.
<BSW initialization processing>
Next, a BSW initialization process executed when the BSW is activated will be described.

  In the BSW initialization process, a process for setting the operating environment of the BSW is performed. The processing includes at least initial setting of information necessary for the WD processing based on resetting of the interrupt timer (timer interrupt interval Tp) and the takeover information stored in the takeover information storage area. It is.

  Also, in the initial setting of information necessary for the WD processing, the initial value of the WD count value (= initial offset time / interrupt cycle) is set based on the initial offset time and the interrupt cycle, and the WD cycle Tw and the interrupt cycle. Setting of the WD threshold value THw (= Tw / Tp) based on Tp, storing the initial signal level as the current signal level of the WD signal, and the like are performed.

After such BSW initialization processing, normal processing for controlling the operation of various application programs is started.
<Effect>
FIG. 6 is an explanatory diagram showing a state of a WD signal and a timer interrupt at the time of switching from boot processing to normal processing (processing by BSW), and FIG. 7 is an explanation showing a change in the WD count value at the same time of processing switching. FIG.

  Here, the timer interrupt set by the boot program is represented by Tp1, the timer interrupt set by the BSW initialization process is represented by Tp2, and the WD based on the interrupt cycle Tp1 The threshold THw is represented by THw1 (= Tw / Tp1), and the WD threshold THw based on the interrupt period Tp2 is represented by THw2 (= Tw / Tp2).

  As shown in FIGS. 6 and 7, while the boot process is being executed, the signal level of the WD signal is inverted every time the WD count value reaches the WD threshold value THw1 (that is, the WD period elapses), and the normal process is performed. Is being executed, the signal level of the WD signal is inverted every time the WD count value reaches the WD threshold value THw2 (that is, the WD cycle elapses).

  However, when switching from boot processing to normal processing, the WD count value is reset to a value that reaches the WD threshold value THw2 when the initial offset time elapses based on the takeover information. When the WD count value reaches the WD threshold value THw2, the WD cycle has elapsed since the previous output of the WD signal (inversion of the signal level).

Therefore, according to the in-vehicle control device 1, it is possible to output the WD signal at the prescribed WD cycle even when the boot process is switched to the normal process.
<Correspondence with Invention>
In the above embodiment, the monitoring unit 5 is the monitoring device, the control unit 3 is the control device, the BSW is the basic program, the initial offset time is the timing information, the WD period is the information specifying the monitoring allowable period, and the initial signal level is the watchdog signal This corresponds to information indicating the signal level.

<Other embodiments>
As mentioned above, although one Embodiment of this invention was described, this invention is not limited to the said embodiment, In the range which does not deviate from the summary of this invention, it is possible to implement in various aspects.

  For example, in the present embodiment, both the upper limit allowable time Tu and the lower limit allowable time Tl are defined in the monitoring unit 5, but when the lower limit allowable time Tl is not defined, after switching from the boot process to the normal process, The WD signal may be output immediately and the WD count value may be reset. In this case, the initial offset time can be omitted from the takeover information. FIG. 8 is an explanatory diagram showing the relationship between the process switching timing and the waveform of the WD signal in this case.

  In the above embodiment, the timer interrupt is permitted by the boot process and the WD process is executed by the timer interrupt. For example, there is no change in the execution time of the boot process, and the process is always executed at a fixed time. In such a case, the WD signal may be output during the boot process without using a timer interrupt.

In this case, as illustrated in FIG. 9, the processing of S211 to S213 may be executed instead of S210 in the boot processing illustrated in FIG. 5.
That is, initialization processing A is executed in S211, and thereafter, a WD signal is output in S212, and initialization processing B is executed in subsequent S213. Hereinafter, S220 and S230 are the same as in the above embodiment.

  However, the initialization processes A and B are obtained by dividing the process of S210, and the initialization process A is set so that the processing time becomes the WD cycle Tw. Here, it is assumed that the processing time of the initialization process B is shorter than the WD cycle Tw, but (K−1) × Tw <(processing time of the entire initialization process) <K × Tw, If K is a positive integer greater than or equal to 2, the initialization process may be divided into K and a WD signal may be output between the divided processes.

  In the above embodiment, the initial offset time, that is, the remaining time until the next transmission is used as information for specifying the timing for transmitting the WD signal next, but the time elapsed since the last transmission of the WD signal was used. You may make it use time.

  DESCRIPTION OF SYMBOLS 1 ... Vehicle-mounted control apparatus 3 ... Control part 5 ... Monitoring part

Claims (4)

When the watchdog signal input at an interval within a preset allowable monitoring period is interrupted, the watchdog signal is output to the monitoring device that outputs an abnormality detection signal, and the control is the monitoring target of the monitoring device A group of programs executed by the device,
A basic program having at least a function of controlling execution of various application programs;
A boot program for executing processing for starting the basic program at the time of starting the control device;
Consists of
The boot program and the basic program both execute at least a process of transmitting the watchdog signal at intervals within the monitoring allowable period,
The group of programs, wherein the basic program takes over at least timing information related to the next transmission timing of the watchdog signal from the boot program at the time of startup.   2. The program group according to claim 1, wherein the timing information is information indicating either an elapsed time since the last transmission of the watchdog signal or a remaining time until the next transmission. 3.   3. The program group according to claim 1, wherein the information inherited from the boot program to the basic program includes information for specifying the monitoring allowable period. 4. The monitoring device determines that the watchdog signal is interrupted when the signal level of the watchdog signal is the same level continuously for the monitoring allowable period or longer,
4. The program group according to claim 1, wherein the information inherited from the boot program to the basic program includes information indicating a signal level of the watchdog signal. 5. .

Images