JP2013143094A - Information processor and watchdog ic - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an information processor which can detect a malfunction in a microcomputer even when there occurs a malfunction in which a clear signal continues to be output.SOLUTION: An information processor includes a time measurement circuit 100 for measuring time, and arithmetic units 11, 50 for periodically clearing the time measured by the time measurement circuit. The time measurement circuit includes measurement time change means 21, 22 for changing the variable maximum value of measurement time, and malfunction detection means 25 for detecting a malfunction in the arithmetic units if the measurement time reaches the variable maximum value.

Description

  The present invention relates to an information processing apparatus that periodically clears a timer.

A WDT (Watch Dog Timer) is known as a mechanism for monitoring that a microcomputer and an application are operating normally.
FIG. 1 is an example for explaining the operation of WDT. The WDT performs fail-safe such as resetting the microcomputer when the count value reaches the reset time or when the count value reaches zero (hereinafter simply referred to as overflow). The microcomputer executes an application that performs vehicle control and the like. The application can clear the count value before the WDT overflows by calling a function for clearing the count value of the WDT (WD control unit in the figure) or periodically executing the function (see, for example, Patent Document 1). ).

  However, the WD control unit may run out of control, fall into an infinite loop, or the application may not operate due to a malfunction of the microcomputer but only the WD control unit may operate normally (hereinafter referred to as normal clear). Called abnormal). In this case, since the normal operation of the application cannot be guaranteed, fail safe such as resetting the microcomputer is preferably performed. However, since the count value of WDT is cleared before overflow, WDT does not overflow even if the WD control unit runs away. For this reason, fail-safe processing cannot be provided to the microcomputer.

  As a technique for detecting such a normal clear abnormality, a technique for monitoring the number of clear signals within a predetermined time is considered (for example, see Patent Document 2). In Patent Document 2, when the clear signal within a predetermined time exceeds a threshold value (when the clear signal is output in a shorter cycle than a preset cycle), the program is deadlocked to the process of outputting the clear signal. A watchdog timer for detecting this is disclosed.

JP-A-02-252034 Japanese Patent Laid-Open No. 04-025948

  However, the WDT described in Patent Document 2 has a problem that an abnormality cannot be detected unless a clear signal is output in a cycle shorter than the cycle preset in the WD control unit. That is, a normal clear abnormality does not necessarily have a short cycle, and therefore a normal clear abnormality that does not have a short cycle cannot be detected.

  In Patent Document 2, sufficient monitoring is not performed as to whether the microcomputer is operating normally. When there is an abnormality in the clear signal, there is a possibility that the microcomputer also has an abnormality. Therefore, it is preferable to monitor whether the microcomputer is normal from a viewpoint other than the output of the clear signal.

  In view of the above problems, an object of the present invention is to provide an information processing apparatus that can detect an abnormality of a microcomputer even when an abnormality in which a clear signal is continuously output occurs.

  The present invention is an information processing apparatus including a time measurement circuit that measures time and an arithmetic device that periodically clears the measurement time measured by the time measurement circuit, wherein the time measurement circuit has a variable measurement time. Measurement time changing means for changing the maximum value and abnormality detection means for detecting an abnormality of the arithmetic unit when the measurement time reaches a variable maximum value.

  It is possible to provide an information processing apparatus capable of detecting an abnormality of a microcomputer even when an abnormality in which a clear signal is continuously output occurs.

It is an example of the figure explaining operation | movement of WDT. It is an example of the figure explaining the outline of the clear of WDT by a microcomputer. It is an example of a schematic block diagram of a microcomputer system or a microcomputer. It is an example of the figure which illustrates the function of WDIC typically. It is an example of the figure which illustrates the function of WDIC typically. It is an example of the functional block diagram of a microcomputer. It is an example of the flowchart figure which shows the procedure in which a microcomputer acquires a WDR signal, calculates the period of a clear signal, and outputs a clear signal. It is an example of the figure explaining clear of WDIC in case a microcomputer runs a plurality of applications. (Example 2) which is an example of the functional block diagram of a microcomputer. It is an example of the flowchart figure which shows the procedure in which a microcomputer changes the period of a clear signal and outputs a clear signal.

  Hereinafter, embodiments for carrying out the present invention will be described with reference to the drawings.

  FIG. 2 is an example of a diagram for explaining an outline of clearing the WDIC 100 by the microcomputer 50 of the present embodiment. In this embodiment, a WDIC (Watch Dog IC) 100 controls the reset time variably. The reset time is a time until the WDIC 100 overflows. Then, the WDIC 100 notifies the microcomputer 50 of the reset time by a pulse signal (hereinafter referred to as a WDR signal).

  2A and 2B show an example of the WDR signal. The WDIC 100 notifies the reset time according to the period (or the same as the frequency) of the WDR signal. When the reset time is short as shown in FIG. 2A, for example, a short period WDR signal is transmitted, and when the reset time is long as shown in FIG. 2B, for example, a long period WDR signal is transmitted.

  As shown in FIG. 2 (c), the WD control unit of the microcomputer 50 performs an operation using the period of the WDR signal and specifies the current reset time of the WDIC 100 (the reset time itself does not need to be specified), and the reset. The clear cycle is updated from the time (for example, about half of the reset time). The WD control unit transmits a clear signal to the WDIC 100 every clear period. Therefore, even if the WDIC 100 makes the reset time variable, the WD control unit can clear the WDIC 100 before the WDIC 100 overflows.

  According to the monitoring method as described above, in order for the microcomputer 50 to clear the WDIC 100, the three-stage processing of WDR signal input processing, clear signal cycle calculation, and clear signal output is normally performed. Need to be. When a normal clear abnormality that causes the WD control unit to run away occurs, at least one of the three stages of processing is often difficult. Therefore, the WDIC 100 can provide fail-safe processing for the microcomputer 50 even if a normal clear abnormality occurs such that only the WD control unit periodically outputs a clear signal.

  Further, by outputting the reset time to the microcomputer 50 with the WDR signal, the following merits are also produced. Since the count time of the WDIC 100 has temperature characteristics, the count value of the unit time varies depending on the temperature. This is because the reset time of the WDIC 100 is defined by the CR circuit, but the characteristics of the capacitor and the resistance are temperature dependent, and the count time measured by the same WDIC 100 differs by up to about 30%. For this reason, conventionally, it is necessary to provide a margin for the reset time in the period in which the microcomputer 50 clears the WDIC 100 (for example, if the reset time is 10 milliseconds, the clear period is set to 5 milliseconds in view of the margin. ).

  However, in the WDIC 100 of the present embodiment, the WDR signal is also generated using the capacitor and the resistor used in the CR circuit for measuring the reset time, so that the temperature characteristics of the reset time and the WDR signal are the same. Therefore, the microcomputer 50 does not need to set a margin for the cycle of the pulse signal calculated from the cycle of the WDR signal. This can also be said when there is a WDIC in the microcomputer (when the counter time (timer counter), the period of the pulse signal, and the clock source of the WD control unit are common).

[Configuration example]
FIG. 3 shows an example of a schematic configuration diagram of the microcomputer system 200 or the microcomputer 50 of the present embodiment. The microcomputer 50 of the present embodiment may be connected to the external WDIC 100 or may be provided inside.

  It is assumed that the microcomputer 50 or the microcomputer system 200 of this embodiment is mainly mounted on an ECU (Electronic Control Unit) of a vehicle. In-vehicle ECUs include an engine ECU, a brake ECU, a body ECU, a navigation ECU (AV / information processing ECU), a gateway ECU, and the like depending on the main functions. The microcomputer 50 or the microcomputer system 200 of the present embodiment can be mounted without being affected by the difference in ECU functions.

  3A, the microcomputer 50 includes a CPU 11, a RAM 12, and a flash memory 13 connected to the system bus 9, and a CAN controller 16 and an ADC (A / D controller) connected to the peripheral bus 10. ) 17 and I / O channel 18, and the system bus 9 and the peripheral bus 10 are connected by a bridge 15.

  The CPU 11 executes a program stored in the flash memory 13 using the RAM 12 as a working memory. The CPU 11 may be a multi-core or a single core. The program stored in the flash memory 13 includes a program (WD control unit) that clears the WDIC 100, an OS (Operating System), middleware, a device driver, and the like in addition to an application that the microcomputer 50 controls the in-vehicle device.

  The bridge 15 absorbs a difference in frequency and voltage between the system bus 9 and the peripheral bus 10 and connects a circuit connected to the system bus 9 and a circuit connected to the peripheral bus 10 so that they can communicate with each other. The CAN controller 16 is a communication circuit for communicating with other ECUs when the microcomputer 50 is mounted on the ECU. The ADC 17 converts an analog signal of a sensor connected to the microcomputer 50 into a digital signal. In addition to the ADC 17, there may be a DAC (D / A controller).

  In addition to the WDIC 100, other microcomputers, actuators, sensors, switches, and the like are connected to the I / O channel 18. From the I / O channel 18, a high signal or a low signal is output to each terminal of the WDIC 100.

  The WDIC 100 includes a counter control unit 21 and a reset unit 25. The counter control unit 21 includes a count time 22, a reset time 23, and a pulse output unit 24. Although details will be described later, the counter control unit 21 sets the reset time 23 variably and counts the count time 22. Further, the reset time 23 is cleared by receiving a clear signal from the microcomputer 50. If the clear signal is not accepted before the count time 22 reaches the reset time 23, the reset unit 25 is notified. The reset unit 25 resets the microcomputer 50 by outputting a reset signal to the reset terminal of the microcomputer 50.

  Note that a monitoring microcomputer may be arranged in place of the WDIC 100 specialized for microcomputer monitoring, and the monitoring microcomputer 50 may monitor the microcomputer 50 in the same manner as the WDIC 100.

  FIG. 4 is an example of a diagram for schematically explaining the function of the WDIC 100 of FIG. FIG. 4A is a diagram for explaining the terminals of the WDIC 100 and the reset time 23, and FIG. 4B is a diagram for explaining the pulse output unit 24.

  The WDIC 100 has a TC terminal, a WD terminal, and a RESET terminal. In addition, a power terminal, a ground terminal, and the like are omitted although omitted. The WD terminal is a terminal for inputting a clear signal for the microcomputer 50 to clear the reset time 23. The RESET terminal is a terminal for outputting a reset signal for resetting the microcomputer 50 by the WDIC 100. The TC terminal is a terminal connected to the capacitors C1 to C3 defining the reset time 23 and the resistors R1 to R3. Conventionally, a capacitor for defining the reset time 23 or a set of capacitors and resistors is connected to the TC terminal of the WDIC 100. In the WDIC 100 of this embodiment, the reset time 23 is variably set by selectively connecting the switch 1 to one of the capacitors C1 to C3 and the switch 2 to one of the resistors R1 to R3. Since there are three capacitors C1 to C3 and resistors R1 to R3 in the figure, nine reset times 23 can be defined. There may be four or more capacitors and resistors. The WDIC 100 changes the reset time 23 by, for example, switching the switches 1 and 2 periodically or randomly. Further, the control of the switches 1 and 2 can be performed by the CPU 11.

  The WDIC 100 sets the time until the capacitors C1 to C3 (or the capacitors C1 to C3 and capacitors not shown) are fully charged as the reset time 23. When the clear signal is input before the battery is fully charged, the capacitor C1 is discharged by the clear signal. When the battery is fully charged, the RESET terminal outputs a reset signal (Low signal or High signal). Thus, the reset time 23 in FIG. 3A is the combination of the capacitors C1 to C3 and the resistors R1 to R3 in FIG. 4A, and the count time 22 in FIG. 3A is the capacitor in FIG. In the charged state of C1 to C3, the reset unit 25 in FIG. 2A corresponds to the RESET terminal in FIG.

  4B notifies the microcomputer 50 of the reset time 23. The inverted output of the operational amplifier is positively fed back to the operational amplifier via capacitors C1 to C3 and resistors R1 to R3 and Rcp. Since the charging voltage of the capacitors C1 to C3 is positively fed back, the voltage of the capacitor suddenly rises during the charging process and decreases rapidly during the discharging process. By repeating this, the oscillation circuit outputs a periodic rectangular wave (pulse). This period is inversely proportional to the product of the capacitances of the capacitors C1 to C3 and the resistance values of the resistors R1 to R3 (the period f = k × 1 / CRk is a constant). Therefore, by forming the oscillation circuit of FIG. 4B using the capacitors C1 to C3 and resistors R1 to R3 selected in FIG. 4A, a pulse having a period corresponding to the reset time 23 and 1: 1. (WDR signal) can be output. As described above, the pulse output unit 24 in FIG. 3A corresponds to an oscillation circuit using the capacitors C1 to C3 and the resistors R1 to R3 in FIG.

  Next, the microcomputer 50 shown in FIG. 2B will be described. As shown in FIG. 2B, when the WDIC 100 is arranged in the microcomputer, the WDIC 100 includes a clock selection unit 31, a control register 32, a timer counter 33, a pulse output unit 34, and an internal reset unit 35. The function of the WDIC 100 is the same as that of FIG. 2A, but the implementation method is slightly different.

  FIG. 5 is an example of a diagram illustrating the function of the WDIC 100 in FIG. The control register 32 is an 8-bit register, for example, and can control the operation of the WDIC 100 bit by bit. For example, the clock (clock selection bit) selected by the clock selection unit 31, the count start / stop of the timer counter 33, the operation at the time of overflow, the presence or absence of actual overflow, and the like are registered.

  The clock selection unit 31 is supplied with, for example, eight clock signals having different periods from the frequency dividing circuit 14. The frequency divider circuit 14 divides the main clock by 1/2 to 1 / several thousand and may be arranged inside or outside the microcomputer. The clock selection unit 31 selects one clock to be supplied to the timer counter 33 based on the setting of the control register 32.

  The timer counter 33 is a counter that increases by one every time one clock is input. When the timer counter 33 overflows (for example, when it becomes 0xFFFFFFF), the internal reset unit 35 detects it. The internal reset unit 35 resets the microcomputer 50, for example. Specifically, the microcomputer 50 is reset by an external monitoring circuit (not shown), an abnormality is notified to the outside, the CPU 11 is interrupted, an abnormality process is performed, and the like.

  Therefore, in the configuration of FIG. 2B, the clock period selected by the clock selector 31 and the maximum count value (for example, 8 bits) of the timer counter 33 are the reset time 23. The number of bits that can be counted instead of the maximum count value may be controlled by the control register 32 or the like so that the reset time 23 can be adjusted more flexibly.

Then, the pulse output unit 34 outputs a WDR signal having a period proportional to the increasing speed of the timer counter 33 to the CPU 11. For example, a pulse is output as follows.
Each time the timer counter 33 increases by one, one pulse is output.
・ Each time the timer counter 33 increases by one, two pulses are output.
Each time the timer counter 33 is increased by 2, one pulse is output.
Thus, the pulse output unit 34 outputs M pulses every time the timer counter 33 increases N. Since the increasing speed of the timer counter 33 corresponds to the reset time 23 on a one-to-one basis, the cycle of the WDR signal output from the pulse output unit 34 also corresponds to the reset time 23 on a one-to-one basis.

  The pulse output unit 34 and the CPU 11 are preferably connected directly, but the pulse timing (or count value) may be notified via the system bus 9 at the output timing of the WDR signal. In any case, as in FIG. 2A, the CPU 11 can acquire the pulse of the WDR signal and calculate the cycle of the clear signal.

  In the mode as shown in FIG. 3B, the clock selection bit of the control register 32 controls the reset time 23. The value of the control register 32 is generally set by the CPU 11. However, in this embodiment, it is preferable that the WDIC (for example, the clock selection unit 31) 100 controls the control register 32 independently. By doing so, the WDIC 100 can control the reset time 23 independently of the CPU 11. Alternatively, the CPU 11 may set the value of the control register 32, but at least the CPU 11 does not use the set value of the control register 32 for calculating the cycle of the clear signal.

  In the following description, it is not particularly limited whether the microcomputer system 200 or the microcomputer 50 performs abnormality monitoring of the microcomputer 50. However, in the embodiment of FIG. 2A, the WDIC 100 is not affected even when an abnormality occurs in the application or the entire microcomputer, so that the reliability of the microcomputer 50 can be improved. In the mode of FIG. 2B, the WDIC 100 is included in one chip, which is advantageous in terms of cost and mounting space.

[Function of microcomputer]
FIG. 6 shows an example of a functional block diagram of the microcomputer 50. The microcomputer 50 is executing the application for vehicle control, for example, repeatedly performs an application with a suitable period for the vehicle-mounted apparatus to be controlled. The WD control unit 40 that clears the WDIC 100 is executed each time the application is executed, for example. When the execution time of the application is long, the WD control unit 40 is appropriately called in the middle of the application, and the WDIC 100 is cleared. Thus, since the application and the WD control unit 40 are integrated, the WDIC 100 can detect the abnormality of the application depending on whether the WD control unit 40 clears the WDIC 100 or not. If there is an abnormality in the application, there may be an abnormality in the microcomputer 50. Therefore, the abnormality in the microcomputer 50 can be detected from the abnormality in the application.

  The WD control unit 40 includes a WDR processing unit 41, a cycle calculation unit 42, and a clear unit 43. These functions are realized by the CPU 11 executing a program stored in the flash memory 13 in cooperation with hardware.

  The application periodically starts processing by a timer interrupt or the like, and calls the WD control unit 40 when the processing ends. The WDR processing unit 41 acquires a WDR signal from the WDIC 100. The WDIC 100 changes the reset time 23 with time as indicated by I to III in the figure. The upper limit value indicated by the dotted line in the figure is the maximum reset time 23 that the WDIC 100 can take, and the lower limit value is the minimum reset time 23 that the WDIC 100 can take.

  The pulse output units 24 and 34 output the WDR signal at a period corresponding to the reset time 23 and 1: 1. The WDR processing unit 41 monitors the I / O to which the WDR signal is input in the I / O channel 18 and confirms whether or not a pulse is input. Then, the confirmation result is notified to the period calculation unit 42.

The period calculation unit 42 counts the number of WDR signals per unit time. Then, the cycle of the clear signal is calculated from this number as follows, for example.
Clear signal cycle = number of WDR signals per unit time / 2
In this case, the greater the number of WDR signals per unit time (the faster the frequency), the longer the cycle of the clear signal (the slower the frequency). Moreover, you may calculate as follows.
Clear signal cycle = a × 1 / number of WDR signals per unit time In this case, as the number of WDR signals per unit time increases (the frequency becomes faster), the cycle of the clear signal becomes shorter (the frequency becomes faster). ). Note that a is a coefficient.

  How to calculate the period of the clear signal from the number of WDR signals per unit time is how the reset time 23 is reflected in the WDR signal (the shorter the reset time 23, the less the periodic wave of the WDR signal) Or whether it is short). If “reset time = period of WDR signal” is assumed, as a calculation formula, it is preferable that the period of the clear signal is less than half of the period of the WDR signal. By setting it to less than half, the microcomputer 50 will not be reset unless it is cleared twice consecutively.

  In the case of “reset time = period of WDR signal”, the maximum value of the period of the clear signal is the same value smaller than the period of the WDR signal. Further, the minimum value of the clear signal cycle is not particularly limited, but is, for example, a level that does not hinder the operation of the application. Numerically, the minimum value of the cycle of the clear signal is about 1/5 to 1/10 of the cycle of the WDR signal. The shorter the clear signal cycle, the stronger the monitoring of the microcomputer 50 can be.

  The cycle calculation unit 42 sets the calculated cycle in the clear unit 43. If the WDIC 100 does not change the reset time 23, the cycle of the clear signal is not changed. Therefore, if the already set cycle is not changed, it may not be newly set. Note that if the frequency at which the WDIC 100 changes the reset time 23 is greater than the frequency at which the period calculation unit 42 calculates the clear signal, the microcomputer 50 is reset. Therefore, the frequency at which the WDIC 100 changes the reset time 23 <the frequency at which the period calculation unit 42 calculates the clear signal is always satisfied. For this reason, even if the WDR processing unit 41 detects the pulse of the WDR signal, the pulse of the clear signal may not be changed.

  In addition, the reset time 23 is preferably changed for the monitoring of the microcomputer 50 so as to increase the number of changes that decrease as the WDIC 100 rather than periodically changing the reset time 23. In the reset time 23 of FIG. II, T1 at time t1, T4 at time t2, T3 at time t3, T2 at time t4, and T1 at time t5. Here, a change in which the reset time 23 becomes longer (from T1 at time t1 to T4 at time t2) means that monitoring of the microcomputer 50 is eased. Therefore, it is effective to shorten the change that increases the reset time 23 and to secure the change that shortens the reset time 23 for a long time. In the example shown in the figure, t5 to t2 >> t2 to t1.

  It is also effective to change the reset time 23 at random as shown in FIG. For example, when there is a problem in the WD control unit 40 but there is a problem that the cycle of the clear signal gradually changes, there is a possibility that the problem of the WD control unit 40 can be detected early by changing it randomly. In addition, since the reset time 23 changes irregularly, a certain tendency is not easily generated in the cycle calculated by the cycle calculation unit 42, and thus the accuracy that the cycle calculation unit 42 is normal increases.

  As described above, the microcomputer 50 according to the present exemplary embodiment acquires the WDR signal by the WDR processing unit 41, calculates the clear signal cycle by the cycle calculation unit 42 based on the detection result of the WDR signal, and periodically by the clear unit 43. If all clear signals are not output correctly, the microcomputer will be reset. Therefore, the WDIC 100 can detect an abnormality in which only the WD control unit 40 outputs a clear signal at a predetermined cycle even though an abnormality has occurred in the application, and can provide fail safe processing to the microcomputer 50.

[Operation procedure]
FIG. 7 is an example of a flowchart illustrating a procedure in which the microcomputer 50 acquires the WDR signal, calculates the cycle of the clear signal, and outputs the clear signal. First, the main process of FIG. 7A is executed.

  In FIG. 7A, first, the processing timing of the application arrives due to an interrupt such as a timer (S10).

  The application performs input processing necessary for calculation (S20). For example, signals such as the accelerator opening and the vehicle speed necessary for determining the fuel injection amount are acquired by a sensor detection value or CAN communication. In addition, for example, in order to perform driving support such as automatic braking, an obstacle detection result is acquired.

  Next, the WDR processing unit 41 performs a WDR input process (S30). In the WDR input processing, for example, the I / O channel 18 is requested to acquire a WDR signal, and the presence or absence of a pulse is determined from the acquisition result.

  Next, the cycle calculation unit 42 calculates the cycle of the clear signal based on the detection result of the pulse of the WDR signal (S40). The process of step S40 will be described with reference to FIG.

  Then, the application executes the application process using the detection value of the sensor acquired by the input process and the data acquired by CAN communication (S50). The application process is, for example, a process of controlling an actuator necessary for fuel injection or automatic braking, or transmitting a calculation result to another ECU through CAN communication.

  Then, the clear unit 43 performs a clear signal output process (S60). The process of step S60 will be described with reference to FIG.

FIG. 7B is an example of a flowchart illustrating a procedure in which the cycle calculating unit 42 calculates the cycle of the clear signal. In FIG. 7B, the period calculation unit 42 sets half of the number of WDR signals per unit time as the period of the clear signal (S401). That is, if a value half the number of WDR signals per unit time can be obtained, the cycle of the clear signal can be obtained. The following calculation can be considered in addition to the simple calculation of 1/2.
(I) The number of WDR signals per unit time is reduced to 1/10 and added five times.
(Ii) The number of WDR signals per unit time is reduced to 1/10, and the value is subtracted five times from the number of WDR signals per unit time.
(Iii) Reduce the number of WDR signals per unit time to 1/10 and multiply the value by 5.

  Whichever of these calculation methods is used, a value half the number of WDR signals per unit time is obtained. Therefore, instead of the cycle calculation unit 42 always calculating the cycle of the clear signal by the same calculation method, the calculation method of performing 1/2 calculation each time, and the calculation methods of (i) to (iii) You may switch in order. In this case, since the CPU can be expected to use different arithmetic units (shifters, adders, subtractors, multipliers, and dividers) in the ALU according to the calculation method, the monitoring of the microcomputer 50 can be enhanced.

  FIG. 7C is an example of a flowchart illustrating a procedure in which the clear unit 43 outputs a clear signal. This process is a process of switching the rising edge and falling edge of the clear signal at every output timing.

  First, the clear unit 43 determines whether or not the output timing of the clear signal has arrived (S601). This output timing is, for example, half the cycle of the clear signal. If it is not the output timing, it is not necessary to output a clear signal pulse, and the process ends. In this case, the process of FIG.

  When the output timing has arrived (Yes in S601), it is determined whether or not the output is already being output (S602). That is, it is determined whether or not the pulse of the clear signal is in a high state. Whether the state is the high state or the low state can be determined by holding a past control result with a flag or the like.

  When the output is ON (Yes in S602), the clear unit 43 turns the output OFF (S603). That is, since the pulse of the clear signal is in the high state, the state is changed to the low state.

  If the output is not ON (No in S602), the clear unit 43 turns the output ON (S604). That is, since the pulse of the clear signal is in the low state, the state is changed to the high state. A clear signal with a duty of 50% is obtained by the processing of S603 and S604.

  Specifically, in the embodiment of FIG. 3A, the state of the I / O channel connected to the WD terminal of the WDIC 100 may be switched from H to L (S603), and the I / O channel connected to the WD terminal of the WDIC 100 is changed. The state of the O channel may be switched from L to H (S604). 3B, the instruction to clear the timer counter 33 of the WDIC 100 is not executed (S603), and the instruction to clear the timer counter 33 of the WDIC 100 may be executed (S604).

  The clear unit 43 updates the cycle of the clear signal calculated in step S40 (S605). As a result, the pulse of the clear signal can be controlled based on the new cycle of the clear signal at the timing when FIG. 7C is executed next time. Note that this period is not always updated to a different value.

  The processing procedure in FIG. 7C is an example, and the pulse of the clear signal may be set to High at every output timing, and may be set to Low after a predetermined clock has elapsed. By doing so, the duty can be reduced without changing the cycle of the clear signal.

  As described above, the microcomputer 50 cannot clear the WDIC 100 unless the three steps of WDR signal input processing, clear cycle calculation, and clear signal output are performed, so the clear unit 43 runs out of control. Even if such a normal clear abnormality occurs, the abnormality of the microcomputer 50 can be detected.

[Modification]
FIG. 8A is an example of a diagram illustrating clearing of the WDIC 100 when the microcomputer 50 executes a plurality of applications. The CPU 11 of the microcomputer 50 may have a plurality of cores, or one core 11 may execute a plurality of applications in a time-sharing manner. Even if a plurality of applications are executed, the number of WDICs 100 is limited, and thus it is preferable that one WDIC 100 can monitor a plurality of applications.

  When the application 1 and the application 2 call the WD control unit 40, respectively, even if an abnormality occurs in either the application 1 or 2, the WDIC 100 is cleared when either one is normal. In such a case, it is preferable to shorten the reset time 23 of the WDIC 100.

FIG. 8B is an example of a diagram illustrating the reset time 23 and the processing cycles of the applications 1 and 2. The microcomputer 50 executes the applications 1 and 2 at a predetermined frequency using an interrupt such as a timer or a count value. In order for the WDIC 100 to monitor the apps 1 and 2 individually, the reset time 23 is determined as follows.
Upper limit: The reset time 23 is shorter than the time during which both the apps 1 and 2 are executed.
Lower limit: The reset time 23 is longer than the execution time of the app 1 or 2 having the longer execution time.

  Therefore, the WDIC 100 varies the reset time 23 within this restriction. By doing so, when an abnormality occurs in the application 1 or 2, the abnormality of the microcomputer 50 can be detected by overflowing the WDIC 100 before the WD control unit 40 in the normal application 1 or 2 is executed. .

  However, when the microcomputer 50 has a plurality of cores, the plurality of cores execute the apps 1 and 2 in parallel. Therefore, even if an abnormality occurs in either the app 1 or 2, the WD is called from the normal app. The control unit 40 clears the WDIC 100. In such a case, it is effective for the WDIC 100 to identify the core or application.

  FIG. 8C is an example for explaining the reset time 23 and the processing cycles of the applications 1 and 2. An AND circuit 45 is connected to the WD terminal of the WDIC 100. The clear signal of the WD control unit 40 called by the application 1 and the clear signal of the WD control unit 40 called by the application 2 are input to the two input terminals of the AND circuit 45, respectively. The AND circuit 45 latches the clear signal for a time corresponding to the frequency with which the applications 1 and 2 are executed, and clears the count time 22 when both clear signals are input to the two input terminals. By doing so, it is possible to monitor a plurality of applications or cores with one WDIC 100.

  When the WDIC 100 is arranged in the microcomputer as shown in FIG. 3B, an AND circuit 45 may be provided at the input of the timer counter 33, or a flag corresponding to the number of apps or cores is prepared. The timer counter 33 may be cleared by setting all the flags. By doing so, a plurality of applications can use the WDIC 100 of FIG. 3B as in FIG. 8C.

  Further, in the aspect in which the WDIC 100 and the microcomputer 50 are independent as shown in FIG. 3A, it is preferable that the WDIC 100 and the microcomputer 50 are arranged on the same board, that is, arranged in the same ECU. However, even if the microcomputer 50 and the WDIC 100 are arranged in separate ECUs, the same processing can be realized by connecting the two ECUs with a dedicated line. That is, the WDR signal may be transmitted from the ECU on which the WDIC 100 is mounted to the ECU on which the microcomputer 50 is mounted, and the clear signal may be transmitted from the ECU on which the microcomputer 50 is mounted to the ECU on which the WDIC 100 is mounted.

  In the first embodiment, it is necessary for the WDIC 100 to output a WDR signal to the microcomputer 50. In this embodiment, even if the WDIC 100 does not output a WDR signal to the microcomputer 50, the microcomputer 50 or the microcomputer system 200 that changes the reset time and periodically outputs a clear signal within the changed reset time will be described. To do.

  FIG. 9A shows an example of a functional block diagram of the microcomputer 50. In FIG. 9A, the description of the same part as in FIG. Since the microcomputer 50 of this embodiment does not acquire the WDR signal, the WDR processing unit is not necessary. Further, since it is not necessary to calculate the cycle of the clear signal from the cycle of the WDR signal, the cycle calculation unit is also unnecessary. Instead, a reset time table 46 and a synchronization management unit 47 are provided.

  FIG. 9B is an example of a diagram for schematically explaining the reset time table 46. In the reset time table 46, the reset time and the cycle of the clear signal are registered in association with the time. The time is, for example, “initial value”, “t1 second”, “t2 second”, “t3 second”, or “t4 second”. This initial value means a reset time when the WDIC 100 starts counting the count time. When the microcomputer 50 is activated by turning on the power or the like, the CPU 11 causes the WDIC 100 to start counting the count time. Thereafter, the WDIC 100 starts counting the count time, and changes to a predetermined reset time every time a predetermined time elapses.

In the reset time table 46, the timing at which the WDIC 100 changes the reset time, the reset time after the change, and the cycle of the clear signal are registered (frequency may be registered). In the reset time table 46, the reset time is not particularly necessary, but is described for explanation. Microcomputer 50 by referring to the reset time table 46, the initial value of the period immediately after the clear signal WDIC100 starts counting at _T 1/2 seconds, the _T 2/2 When t1 seconds elapse, t2 seconds to the elapsed _T 3/2, the _T 4/2 When the elapsed t3 seconds, it can be seen that becomes.

  Therefore, as long as the WDIC 100 and the WD control unit 40 of the microcomputer 50 can be synchronized, even if the WDIC 100 changes the reset time without the WDIC 100 outputting the WDR signal, the WD control unit clears the clear signal within the changed reset time. Can be output periodically. The synchronization management unit 47 of the WD control unit counts the operation clock with reference to the time when the WDIC 100 starts measuring the count time, and the clear signal registered in the reset time table 46 every time t1 seconds or the like elapses. Read the cycle. Since the clear unit 40 outputs a clear signal in this cycle, the count time can be cleared before overflowing even if the reset time is changed.

  Note that if the synchronization manager 47 changes the cycle of the clear signal based on the reset time table 46 with the time when the WDIC 100 starts counting as a reference, there is a possibility that the deviation from the reset timing of the reset time of the WDIC 100 becomes large. is there. Therefore, it is effective for the synchronization management unit 47 to cause the WDIC 100 to periodically reset the reset time to the initial value. In this way, the difference between the change timing of the WDIC 100 and the change timing of the synchronization management unit 47 can be maintained within a certain value.

[Operation procedure]
FIG. 10 is an example of a flowchart illustrating a procedure in which the microcomputer 50 outputs the clear signal by changing the cycle of the clear signal.

  First, the processing timing of the application arrives due to an interrupt such as a timer (S10).

  The application performs input processing necessary for calculation (S20). For example, signals such as the accelerator opening and the vehicle speed necessary for determining the fuel injection amount are acquired by a sensor detection value or CAN communication. In addition, for example, in order to perform driving support such as automatic braking, an obstacle detection result is acquired.

  Next, the synchronization management unit 47 performs synchronization processing (S31). The synchronization process is a process for determining the cycle of the clear signal based on the operation clock. The synchronization management unit 47 reads from the reset time table 46 the period of the clear signal associated with the time counted based on the operation clock. In this embodiment, it is not necessary to calculate the period of the clear signal.

  Then, the application executes the application process using the detection value of the sensor acquired by the input process and the data acquired by CAN communication (S50). The application process is, for example, a process of controlling an actuator necessary for fuel injection or automatic braking, or transmitting a calculation result to another ECU through CAN communication.

  Then, the clear unit 43 performs a clear signal output process (S60). The processing in step S60 is as shown in FIG. 10B, but the description is omitted because it is the same as FIG. 7C.

  As described above, the microcomputer 50 of this embodiment can periodically output a clear signal within the changed reset time even if the WDIC 100 does not output a WDR signal to the microcomputer 50.

21 counter control unit 22 count time 23 reset time 24, 34 pulse output unit 25 reset unit 31 clock selection unit 32 control register 33 timer counter 35 internal reset unit 40 WD control unit 41 WDR processing unit 42 period calculation unit 43 clear unit 46 reset Time table 47 Synchronization management unit 50 Microcomputer 100 WDIC

Claims (10)

An information processing apparatus having a time measurement circuit that measures time and an arithmetic device that periodically clears the measurement time measured by the time measurement circuit,
The time measuring circuit includes a measuring time changing means for changing a variable maximum value of the measuring time;
An information processing apparatus comprising: an abnormality detection unit configured to detect an abnormality of the arithmetic device when the measurement time reaches a variable maximum value. The measurement time changing means notifies the arithmetic unit of the variable index or the correlation index correlated with the variable maximum value,
The arithmetic device, from the variable maximum value or the correlation index, within a variable maximum value of the measurement time, a cycle determination means for determining a cycle that can clear the measurement time,
The information processing apparatus according to claim 1, further comprising: a time clear unit that clears the measurement time for each cycle determined by the cycle determination unit. The measurement time changing means notifies the variable maximum value of the measurement time by the period or frequency of the pulse signal,
The period determining means calculates a period or frequency of the pulse signal, and determines a period for clearing measurement time from the calculated period or frequency.
The information processing apparatus according to claim 2. The time measuring circuit and the arithmetic unit are arranged on separate chips,
The time measurement circuit is a watchdog IC, and the arithmetic unit is a microcomputer.
The information processing apparatus according to claim 3. The measurement time changing means defines the variable maximum value of the measurement time by combining the capacitance of the capacitor and the resistance value of the resistor, and oscillates using the combination of the capacitor and the resistor used to define the variable maximum value. Outputting the pulse signal whose period is determined by a circuit;
The information processing apparatus according to claim 4.   4. The information processing apparatus according to claim 3, wherein the time measuring circuit and the arithmetic unit are arranged in the information processing apparatus as one microcomputer. The abnormality detection means measures the measurement time by counting the divided operation clock,
The measurement time changing means changes the variable maximum value by changing a frequency dividing ratio of the operation clock, and generates the pulse signal having a period or frequency proportional to the increase rate of the count value of the operation clock.
The information processing apparatus according to claim 6. The measurement time changing means changes the measurement time so that the period during which the variable maximum value of the measurement time largely changes is shorter than the period during which the variable maximum changes periodically, omission, or less.
The information processing apparatus according to claim 1, wherein the information processing apparatus is an information processing apparatus. The arithmetic device has a table in which the measurement time changing means changes the variable maximum value of the measurement time and a table in which the period or frequency of the pulse signal that clears the measurement time after the change is registered,
The period determining means reads the period or frequency for clearing the measurement time from the table without determining the period that can clear the measurement time from the variable maximum value or the correlation index,
The information processing apparatus according to claim 1, wherein the time clear unit clears the measurement time at each cycle or frequency read by the cycle determination unit. A watchdog IC that monitors a microcomputer that periodically clears the measurement time,
A time measuring means for measuring the measurement time;
A measuring time changing means for changing the variable maximum value of the measuring time;
A watchdog IC comprising: an abnormality detection means for detecting an abnormality of the microcomputer when the measurement time reaches the variable maximum value.

Images