JP2016143103A - Control device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a control device and a method thereof capable of being automatically recovered up to a reprogramming possible state using a system inside the control device even when the reprogramming of the whole region of the processing device is executed and failed halfway.SOLUTION: A double system control device using a main system processing device and a sub-system processing device duplicates and stores ROM information of a normally operable main system flash bootloader in the region manageable by the sub-system processing device before executing the reprogramming of the main system processing device. After that, the reprogramming is performed for the main system processing device, and a program update is executed for all regions including the flash bootloader of the main system FLASHROM. When the main system processing device is in a state that the reprogramming is not executable, the reprogramming is performed for the main system processing device using the ROM information of the flash bootloader stored by the above control.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a program update of a control device, and relates to a technical field of software and a control device that can perform program update again even when a program update of a main processing device in a dual control device fails.

  In the field of control devices, a dedicated control program for updating a program called a flash boot loader is required. A flash boot loader using CAN communication is currently generally used as an in-vehicle control device, and communication, download, erase (erase), and write of an internal flash memory are performed using a diagnostic protocol called reprogramming (hereinafter referred to as repro). However, the repro using CAN communication has a problem that the repro fails depending on the communication state and the power state of the control device. If repro fails, the corresponding program will be in an incomplete state and cannot operate normally. In particular, when the flash boot loader is in an incomplete state due to repro failure, it is difficult to restore the power inside the control device, and a special connection is required to shift to the boot mode from outside the control device. The wiring must be changed and restored using a dedicated tool.

  For this reason, the above flash boot loader prevents the re-repro disabled state by protecting it as an area that cannot be rewritten by repro.

JP-A-2005-115614

  However, changes to the flash boot loader are indispensable in order to support the latest technology and the latest global standards such as ISO. In the prior art, it is difficult to reliably and easily change the flash boot loader for an existing control device.

  It is an object of the present invention to provide a control capable of automatically restoring the contents of a flash boot loader within a control device to a repro-problemable state before starting the next repro when a repro failure occurs during a flash boot loader program update. It is to provide an apparatus and a method thereof.

  Before the main processor is re-proposed in the dual controller using the main processor and the sub processor, the sub processor accepts the ROM information of the main flash bootloader that can operate normally. Copy and store in advance in a manageable area. Thereafter, the main processor is re-proposed, and the program is updated in all areas including the flash boot loader of the main FLASHROM. If reprocessing of the main processing unit fails and the main processing unit becomes unable to be re-reproduced, the above boot mode is stored in the sub system processing using the ROM information of the flash boot loader stored in advance by the above control. After realizing the control of the apparatus, the main processing apparatus is reproposed.

  If a failure occurs during rewriting of the program in the entire main FLASHROM area, a special connection called a boot mode is not required from the outside of the control device, and the main processing device is restored to a re-reproposable state using the system inside the control device. Can do.

It is a block diagram of the dual system control device carrying the processing device concerning this embodiment. It is a figure which shows the structure of the main type | system | group FLASHROM which concerns on this embodiment. It is a figure which shows the structure of the sub-system FLASHROM which concerns on this embodiment. It is a flowchart which shows operation | movement of the sub-system processing apparatus which concerns on this embodiment.

Embodiments of the present invention will be described below with reference to the drawings.
The details of this embodiment will be described in the following embodiments, but normal operation is possible before the main processor is re-proposed in a dual controller using a main processor and a sub processor. ROM information of a certain main system flash boot loader is copied and stored in advance in an area manageable by the sub system processing device. Thereafter, the main processor is re-proposed, and the program is updated in all areas including the flash boot loader of the main FLASHROM. If reprocessing of the main processing unit fails and the main processing unit becomes unable to be re-reproduced, the above boot mode is stored in the sub system processing using the ROM information of the flash boot loader stored in advance by the above control. After realizing the control of the apparatus, the main processing apparatus is reproposed.

  As a result, if a failure occurs when rewriting the program in the entire main FLASHROM area, a special connection called boot mode is not required from the outside of the controller, and the main processor is restored to a re-reproproducible state using the system inside the controller. can do.

FIG. 1 is a block diagram for explaining the present embodiment.
The control device of this embodiment is a dual control device having a main processing device 001 and a sub processing device 011. The main processing unit 001 includes a CPU 002, a CAN module 003, a FLASHROM 004, a RAM 005, an external bus I / F 006, and an input / output device 007. New data and repro updates. Based on the received data and program, the main processor 001 updates the control process and the program in the FLASHROM004.

  Such data and update programs are transmitted from the external control device 021 and the repro tool 022 for periodic updates, and are transmitted in response to a reply from the main processing device 001. The communication information is transmitted with information (error detection code or error correction code) indicating the validity of the data added thereto.

  When the main processing unit 001 is activated, the CPU 002 executes the program in the storage area A2 or the storage area A3 according to the vector table stored in the storage area A1 of the FLASHROM 004 described later.

  FLASHROM004 is a non-volatile semiconductor memory that has rewritable performance as electrical characteristics and does not lose data even when the power is turned off.

  The CAN module 003 performs CAN communication with the external control device 021 and the repro tool 022, and transmits data and an update program to the CPU 002 and the FLASHROM 004.

  The sub system processor 011 includes a CPU 012, a CAN module 013, a FLASHROM 014, a RAM 015, an external bus I / F 016, and an input / output device 017, which are connected through the main system processor 001 and the input / output device 017, and the main system processor 001. And the sub system processing device 011 mutually monitor each other through the main system-sub system processing device communication line 018 to determine whether they are operating normally. And when abnormality is detected, it aims at making it transfer to fail safe mode immediately.

Further, the sub processor 011 has a function that can be reproduced only by the judgment of the CPU 012 of the sub processor 011 without making the judgment of the CPU 002 by changing the main processor 001 to the boot mode through the repro communication line 020. ing.

  FIG. 2 is a block diagram showing a storage area of the FLASHROM 004 of the main processing apparatus 001 in the present embodiment. In this embodiment, as shown in FIG. 2, the storage area of FLASHROM004 is roughly divided into four. Here, the storage area is configured in units of erase blocks depending on the erase performance of FLASHROM004.

  The storage area A1 is an area where the vector table is stored. When the main processing unit 001 is powered on, the CPU 002 first calls a power-on reset process registered in this vector table.

  The storage area A2 is an area in which the flash boot loader is stored, and the above power-on reset process exists in the flash boot loader. Further, the flash boot loader stores a program for determining two control modes, a normal operation mode and a repro mode, and a program for actually performing the repro in the repro mode. The switching of these control modes is determined as the normal operation mode when the content of the FLASHROM 004 is the same as the intended content, and is determined as the repro mode otherwise.

  The storage area A3 is an area where application programs are stored. When the flash boot loader determines that the normal operation mode is selected, the application program is executed. The storage area A4 is an area for storing application data used in the application program.

In general, due to the characteristics of FLASHROM, when data is stored, it is necessary to erase (erase) data for each block which is an erase unit and then write new data. If the program update is stopped due to the occurrence of a momentary power interruption or some reason during the erasing or writing, the contents of the FLASHROM become unintended data and the data update fails. As a result, the program at the corresponding location cannot operate normally.
Furthermore, if rewriting fails while updating the flash boot loader program, the program that performs the rewriting itself cannot operate normally, so that the repro-prohibition is impossible. Therefore, in the prior art, the storage areas A3 and A4 are the only target areas that can be updated by repro.

  In the present embodiment, for the reason described later, it is possible to recover from the situation where the re-repro is impossible without executing the control program of the main processing apparatus. Therefore, the program update can be performed on all the storage areas A1, A2, A3, and A4.

  FIG. 3 is a block diagram showing a storage area of the FLASH ROM 014 of the sub-system processing device 011 in the present embodiment. In the present embodiment, as shown in FIG. 3, the storage area of FLASHROM014 is roughly divided into five. Here, the storage area is configured in units of erase blocks depending on the erase performance of FLASHROM014.

  The storage areas B1, B2, B3, and B4 are blocks having functions corresponding to A1, A2, A3, and A4 in FIG. The storage area B5 is an area for storing ROM information obtained by copying the flash boot loader of the main processing unit 001 existing in the storage area A2.

  FIG. 4 is a flowchart of program update of the main processing unit 001 by the sub processing unit 011 in the present embodiment. This flowchart is executed after the power is turned on and after the initialization processing of the sub processor is completed. Each step of the flowchart will be described below.

  First, in step S100, the CPU 012 of the sub system processing device 011 performs mutual monitoring with the main system processing device 001 and acquires the ROM diagnosis result of the main system processing device 001.

  Next, in step S200, the main ROM is judged to be normal or abnormal. As a result, if normal, step S300 is executed. If abnormal, the process of step S500 is executed. Considering the possibility that the control program of the main processing unit 001 does not operate, the above ROM diagnosis result determination process adds a process for determining that an abnormality is detected unless a ROM diagnosis result is acquired within a predetermined time. Also good.

In S300, the difference between the ROM information in the storage area B5 of the main flash boot loader and the sub flash memory 014 is determined. As a result, if there is a difference, step S400 is executed.
In step S400, the ROM information of the flash boot loader stored in the storage area B5 of the sub system FLASH ROM 014 is copied and recorded, so that the latest ROM information is updated.

  In S500, the main system flash boot loader diagnosis result of the main system processor 001 is acquired.

In step S600, the main flash boot loader is determined to be normal or abnormal. As a result, if normal, step S300 is executed. If abnormal, the process of step S700 is executed. The determination process of the ROM diagnosis result described above is determined using the re-reprohibit notification signal line 019 or considering the possibility that the main processing unit 001 does not operate at all, and obtains the flash boot loader diagnosis result for a predetermined time. If not, a process for determining an abnormality may be added.
If it is determined in S600 that the flash boot loader is abnormal, the main processing unit 001 is in a state where re-repro is impossible, and in the worst case, the processing operation is impossible.

  Therefore, in S700, the main processor 001 is set to the boot mode using the repro communication line 020. Further, using the ROM information of the flash boot loader stored in the storage area B5 of the sub system FLASHROM 014, the repro is executed on the storage A2 area of the main system FLASHROM004 using the repro control processing of the sub system processing device. By writing the normal flash boot loader in the storage area A2, the main processing unit 001 can recover from the re-repro disabled state to the re-pro enabled state, and by restarting communication with the original re-pro tool, ROM information can be written.

  Since the above-mentioned repro uses the repro-dedicated communication line 020 between the input / output device 007 of the main processing unit 001 and the input / output unit of the sub-system processing unit 011, compared to a normal repro using CAN communication, It is possible to transmit more reliably. Even if repro failure occurs due to a momentary power interruption or the like, reprovision can be performed in the same process when the power is turned on again, so that the system as a whole cannot be reproprohibited.

  In this way, when the program rewriting of the entire main system FLASHROM fails, the main system processor can be restored to a re-programmable state under the control of the sub processor.

  As described above, the control device of this embodiment includes a CPU (002, 012) that executes program processing, and storage means (004) that can electrically rewrite the stored contents and store the control program. , 014) and a plurality of processing devices (001, 011). Then, the processing device (001, 011) is a program of the processing device (001, 011) of the processing device (001, 011) according to the diagnosis monitoring means for determining normality or abnormality from each other and the rewrite request of the control program transmitted from the external device 021 And a means for controlling update of the program from other processing devices (001, 011).

  Further, it is desirable to have a means for updating the program without limitation on the area of the storage medium 004 installed in the main processing unit 002. Further, it is desirable that the sub system processor 012 determines whether the ROM information of the program update program (flash boot loader) of the main system processor 002 is normal or abnormal. When the ROM diagnosis is normal, it is desirable to copy the program update program (flash boot loader) of the main processing unit 001 to another area and store the ROM information.

  Further, when the ROM diagnosis is abnormal, the stored program update program (flash boot loader) of the main processor 001 is stored in the program for the program update program of the main processor 001 under the control of the sub processor 011. It is desirable to update the program in the corresponding area.

Various modifications can be made to the embodiment of the present invention without being limited to the above-described contents. For example, the FLASHROM in the present embodiment may be a memory having a nonvolatile characteristic that can be reproposed on-board. The storage area B4 for copying and storing the main flash boot loader does not necessarily exist in the FLASH ROM 014, and may be stored in a memory having a non-volatile characteristic provided separately in the processing apparatus. Further, a communication method other than CAN communication capable of transmitting ROM information may be used.

001: Main system processor 002: CPU (calculator) (main system processor)
003: CAN module (main processing unit)
004: FLASHROM (main processing unit)
005: RAM (main processing unit)
006: External bus I / F unit (main processing unit)
007: Input / output device (main processing device)
011: Sub system processor 012: CPU (calculator) (sub system processor)
013: CAN module (sub system processor)
014: FLASHROM (sub processor)
015: RAM (sub processor)
016: External bus I / F unit (sub system processing device)
017: Input / output device (sub system processing device)
018: Main system-Sub system processing device communication line 019: Re-repro disabled notification signal line 020: Repro communication line 021: External control device 022: Repro tool 023: Communication line 031: Various input devices 032: Various output devices

Claims (5)

In a control device having a plurality of processing devices including a CPU that executes processing of a program and a storage unit that is electrically rewritable and stores a control program,
The processing apparatus is
Diagnostic monitoring means for determining whether each other is normal or abnormal, and
Means for updating the program of the confident processing device in accordance with the rewriting request of the control program transmitted from the external device;
A control apparatus comprising means for controlling update of a program from another processing apparatus. The control device according to claim 1 is:
A control apparatus comprising means for updating a program without limitation on an area of a storage medium mounted on a main processing apparatus among the processing apparatuses. The control device according to claim 2 comprises:
A control device, wherein a sub-system processing device of the processing devices determines whether ROM information of a program update program (flash boot loader) of the main processing device is normal or abnormal. The control device according to claim 3 is:
When the ROM diagnosis is normal, the controller updates the program update program (flash boot loader) of the main processor and copies the ROM information to another area. The control device according to claim 3 is:
When the ROM diagnosis is normal, the program update program (flash boot loader) of the main processor is copied to another area and the ROM information is stored.
When the ROM diagnosis is abnormal, the stored program update program (flash boot loader) of the main processor is transferred to the corresponding area for the program update program of the main processor under the control of the sub processor. A control device characterized by updating a program.