JP4066499B2 - Electronic control device, electronic control system, and conformity determination method - Google Patents

Description

[0001]
BACKGROUND OF THE INVENTION
The present invention relates to a technique for rewriting a control program and control data stored in a nonvolatile memory capable of electrically rewriting data.
[0002]
[Prior art]
Conventionally, as disclosed in, for example, Japanese Patent Application Laid-Open No. 6-272611, as an electronic control device for controlling an automobile engine or the like, nonvolatile data that can be electrically rewritten (specifically, erasing and writing data) It has been proposed that a control program and data are stored in a volatile memory, and such control program and control data can be rewritten even after being supplied to the market.
[0003]
That is, this type of electronic control device normally executes a control process for controlling a controlled object such as an engine in accordance with a control program and control data stored in a non-volatile memory. When a rewrite device is connected and a rewrite command is transmitted from the memory rewrite device, the content of the nonvolatile memory is rewritten after following a predetermined communication procedure. The rewriting of the contents of the non-volatile memory is performed by erasing a part or all of the control program or control data stored in the non-volatile memory, and new data transmitted from the memory rewriting device to the erased memory area. This is done by writing a control program or control data.
[0004]
The memory rewriting device has a storage medium (floppy disk, hard disk, CD-ROM, etc.) for storing a new control program and control data to be rewritten, and when a predetermined operation is performed by an operator, the electronic control device After the rewrite command is transmitted, a new control program and control data stored in the storage medium are transmitted to the electronic control device. A configuration in which a plurality of control programs or control data is stored in the storage medium and a control program selected by the operator is transmitted to the electronic control device is also conceivable.
[0005]
In such an electronic control device, the control program and control data stored in the non-volatile memory can be rewritten to a new control program and control data using the memory rewriting device, so that the operation content (control content) can be arbitrarily set. This is advantageous in that it can be changed. For this reason, recently, a non-volatile memory as described above is often built in a CPU included in an electronic control unit.
[0006]
However, in an automobile, for example, it is of course between different car models, but even with the same car model, the electronic control unit performs it depending on the grade (equipment), engine type, or destination (exporting country). The content of control to be different is different. In other words, the control program and control data to be stored in the nonvolatile memory of the electronic control device are different for each control target controlled by the electronic control device.
[0007]
Therefore, in this type of electronic control device, the operator does not know that a control program or the like that is incompatible with the control target of the electronic control device is stored in the storage medium on the memory rewrite device side, or the memory rewrite device side. A control program or control data that is incompatible with the control target of the electronic control device is erroneously selected from a plurality of control programs stored in the storage medium, and is not compatible with the control target from the memory rewrite device to the electronic control device. May be sent. When such a work mistake occurs, the electronic control device cannot properly control the control target.
[0008]
For example, when rewriting a control program of an electronic control device that controls a type A engine, an operator does not know that a control program suitable for the type B engine is stored in the storage medium on the memory rewriting device side. Alternatively, if a control program that matches the type B engine is erroneously selected from among a plurality of control programs stored in the storage medium on the memory rewriting device side and rewriting is performed, electronic control The control content of the apparatus is not compatible with the type A engine that is the actual control target, and the engine does not operate or even if the engine operates, the original performance cannot be exhibited.
[0009]
For this reason, the applicant must respond to an abnormal situation prior to the execution of the control process so that appropriate measures can be taken when a control program or control data that is incompatible with the control target is erroneously written to the electronic control unit. The following method for making the process executable is considered.
[0010]
According to the method, identification information (hereinafter referred to as “data matching target identification information”) indicating a matching control target is included in the control program and control data, and the control program or control data including the identification information is stored in a nonvolatile memory. On the other hand, in the electronic control unit, identification information indicating the control target of the electronic control unit (hereinafter referred to as “control target identification information”) is stored, and prior to execution of the control process, It is determined whether or not the control target identification information matches the data matching target identification information included in the control program or control data written in the nonvolatile memory. An abnormality handling process, such as notifying that there is no error, is executed.
[0011]
According to this method, even when the control program or control data stored in the nonvolatile memory is rewritten, if the rewritten control program or control data is incompatible with the control target, the control process Prior to the execution of the process, an emergency response process is executed, and as a result, an appropriate action can be taken.
[0012]
[Problems to be solved by the invention]
However, in the above-described method, the following problem occurs when the electronic control device is replaced due to a failure or the like.
In the event of a failure of the electronic control device, the electronic control device is generally replaced with a replenishment electronic control device, and a new control program or control data is written to the replenishment electronic control device using a memory rewriting device. become. At this time, in order to determine whether or not the written control program or control data is suitable for the control target by the above-described method, the control target identification information indicating the control target to the replenishment electronic control device Must be written in advance. In other words, it is necessary to distinguish the electronic control device for replenishment that is not installed in the vehicle from the beginning of shipment according to the difference in the vehicle type as described above, or according to the difference in grade, engine type, destination, etc. . As a result, a certain replenishment electronic control unit can be replaced with an electronic control unit for controlling the type A engine, but cannot be replaced with an electronic control unit for controlling the type B engine.
[0013]
In addition, when control target identification information indicating a control target is written in advance in the replenishment electronic control device, the operator can specify control target identification information indicating a control target different from the control target of the failed electronic control device. It is also conceivable to mistakenly select and replace the stored electronic control device for supply. In this case, even if the written control program or control data matches the control target, the data match target identification information included in the control program or control data does not match the control target identification information stored in advance. For this reason, for example, an abnormality handling process such as notifying the outside that it does not match is executed.
[0014]
Considering such points, it is not preferable to store control target identification information for specifying a control target of the electronic control device before mounting on the vehicle. That is, it is desired that the replenishment electronic control device does not need to store the control target identification information, and the replenishment electronic control device is made common regardless of the difference in the control target.
[0015]
Therefore, the present invention realizes such commonality in the electronic control device, and further, when a control program or control data that is incompatible with the control target is written in the nonvolatile memory, an abnormal time prior to the execution of the control processing is obtained. The purpose is to be able to execute corresponding processing.
[0016]
[Means for Solving the Problems and Effects of the Invention]
Made to achieve the above-mentioned objectives According to the first configuration The electronic control device includes a nonvolatile memory capable of rewriting data, and normally executes a control process for controlling a predetermined control target in accordance with a control program and control data stored in the nonvolatile memory. When a memory rewrite device is connected and receives a rewrite command transmitted from the memory rewrite device, a part or all of the control program or control data stored in the nonvolatile memory is transferred to the memory rewrite device thereafter. Is rewritten to a new control program or control data transmitted from. The nonvolatile memory capable of rewriting data is generally a flash EEPROM (commonly called a flash ROM) or an EEPROM, but may be another electrically rewritable ROM.
[0017]
In the electronic control device of the present invention, the control program and the control data are created so as to include data matching target identification information that is identification information indicating a control target matching the control program and the control data. For example, data matching target identification information not related to the control content is stored at the head position of the control program and control data.
[0018]
Here, in particular, the electronic control device of the present invention is used together with an external device capable of data communication, and the electronic control device of the present invention has an identification information storage means for storing a control target of the electronic control device. Is provided. Then, the identification information transmitting unit transmits the control target identification information stored in the identification information storage unit to the external device described above. The external device receives and stores the control target identification information transmitted by the identification information transmitting means, and transmits this control target identification information to the electronic control device. Correspondingly, in the electronic control device of the present invention, the identification information receiving means receives the control object identification information transmitted from the external device, and the coincidence determining means is executed by the identification information receiving means prior to execution of the control processing. It is determined whether or not the received control target identification information matches the data matching target identification information included in the control program or control data. Based on the determination result, the abnormal time process execution means executes an abnormal time response process when the two pieces of identification information do not match.
[0019]
It is conceivable that the above-described identification information storage means stores control target identification information at the time of factory shipment, for example. In this way, the control object identification information stored in the identification information storage means is transmitted to and stored in the external device, and the above-described matching determination is performed using the control object identification information transmitted from the external device. For example, if the electronic control device is replaced due to a failure or the like, the control object identification information is not stored in the identification information storage unit, but if the control target identification information is stored in the external device, the identification information is stored. The receiving unit performs the above-described matching determination using the control target identification information transmitted from the external device.
[0020]
As an external device, for example, when an electronic control device is mounted on a vehicle, the external device is a device mounted on the vehicle. For example, an electronic control device different from the electronic control device may be adopted as the external device, and for example, an ignition key with a built-in memory device and a communication function may be adopted as the external device. Further, the above-mentioned “control target” indicates a target for which a control program or control data is different even for the same engine, such as a model A engine and a model B engine.
[0021]
As described above, in the electronic control device of the present invention, prior to the execution of the control processing, the data matching target identification information that is the identification information indicating the control target matching the control program and the control data, and the identification information indicating the control target of the electronic control device It is determined whether or not the control target identification information matches, and if not, an abnormality handling process is executed. Therefore, when the control program or control data written in the nonvolatile memory is not suitable for the control target, the abnormality handling process is executed prior to the execution of the control process.
[0022]
At this time, if the control target identification information serving as the judgment criterion is stored in the electronic control device, it is necessary to write the control target identification information to the replaced electronic control device at the time of failure, or the control target identification information has already been stored. Needs to be replaced with an electronic control device on which is written.
[0023]
Therefore, in the electronic control device of the present invention, the above-described matching determination is performed using the control target identification information stored in the external device, that is, using the control target identification information received by the identification information receiving means. . Therefore, even when the electronic control device fails and is replaced with a replenishment electronic control device, it is no longer necessary to store control target identification information in advance in the replenishment electronic control device. Before being installed, the control target of the electronic control device is not specified. As a result, for example, the electronic control device for replenishment can be made common without being distinguished by different control objects depending on the vehicle type, grade, engine type, destination, and the like.
[0024]
By the way, from the viewpoint of making the control object identification information transmitted from the external device highly reliable, for example, when the electronic control device is mounted on a vehicle, the electronic control device is not installed at the time of shipment of the vehicle from the factory. It is desirable to store the control target identification information stored in an external device.
[0025]
Therefore, in the electronic control device of the present invention, the identification information transmitting unit transmits the control target identification information stored in the identification information storage unit to the external device. As a result, highly reliable control target identification information is stored in the external device. Even if the external device is failed and replaced, if the electronic control device is not replaced, the control target identification information stored in the electronic control device is transmitted, so that the replaced external device The highly reliable control object identification information can be stored again.
[0026]
Note that the abnormal time response processing executed by the abnormal time processing execution unit described above may be, for example, processing for notifying that the control program or control data is not suitable for the control target. In this case, the operator can reliably know that the rewritten control program or control data is not compatible with the control target of the electronic control device by the notification operation of the electronic control device, and can take appropriate measures. it can. As an appropriate measure, for example, a measure for rewriting the control program or the control data again using a memory rewriting device can be cited.
[0027]
Further, the abnormality handling process executed by the abnormality process execution means may be a process that does not permit the shift to the control process. In this case, the control process is executed based on a control program or control data that is incompatible with the control target, and any adverse effects on the control target can be prevented.
[0028]
The abnormal time response processing executed by the abnormal time processing execution means is not limited to the above-described processing, but may be individual processing according to the control target. For example, when the control target is an engine, it is conceivable to perform a process of cutting the fuel to the engine and stopping the operation of the engine. In this case, the user does not drive the vehicle in a state where the engine control based on the non-conforming control program is performed, so that the safety of the user can be improved.
[0029]
By the way, in the electronic control apparatus mentioned above, it is possible that an identification information transmission means transmits control object identification information to an external device at a predetermined timing. However, when the external device is replaced due to a failure or the like, it is necessary to transmit the control target identification information to the external device as soon as possible. However, if the control target identification information is once stored in the external device, transmission of the control target identification information from the electronic control device to the external device is wasted.
[0030]
Therefore, Of the second configuration As described above, it is preferable that the identification information transmission unit transmits the control target identification information stored in the identification information storage unit to the external device when the transmission of the control target identification information is requested from the external device. In this case, the identification information transmitting means transmits the control target identification information to the external device when there is a request for transmission of the control target identification information from the external device when the external device is replaced. As a result, when the external device is replaced, the control target identification information is promptly transmitted, and there is also a waste of transmitting the control target identification information even though the control target identification information is already stored in the external device. Disappear.
[0031]
In addition, the above-described electronic control device is configured to make a coincidence determination using control target identification information transmitted from an external device. This is because, as described above, the control target identification information stored in the external device is highly reliable transmitted from the electronic control device. By the way, as long as the electronic control device is not replaced, the control target identification information stored in the electronic control device is similarly highly reliable. Therefore, Of the fifth configuration As described above, when the control target identification information can be read from the identification information storage unit, the match determination unit performs a match determination with the data matching target identification information using the control target identification information stored in the identification information storage unit. On the other hand, when the control target identification information cannot be read from the identification information storage unit, it is preferable that the control target identification information received by the identification information receiving unit is used to make a match determination with the data matching target identification information. .
[0032]
Here, the case where the control target identification information can be read from the identification target storage means is a case where the electronic control device has not been exchanged. On the other hand, the case where the control target identification information cannot be read from the identification information storage means means This is a case where a read error occurs due to a cause or a case where the electronic control device is replaced due to a failure of the electronic control device.
[0033]
In this manner, if the control object identification information stored in the identification information storage unit is used to make a match determination, the acquisition time is longer than when the control object identification information is acquired by data communication with an external device. This is advantageous in that it is shortened and is less susceptible to noise and the like.
[0034]
By the way, in the above-described electronic control device, when the external device transmits the control target identification information, the identification information receiving unit receives the control target identification information. In this case, it is conceivable that the external device transmits the control target identification information regardless of whether or not the electronic control device requires the control target identification information. At this time, when control target identification information is frequently transmitted from an external device, unnecessary transmission / reception increases.
[0035]
Therefore, Of the sixth configuration As described above, when the control target identification information cannot be read from the identification information storage unit, it is preferable to include an identification information request unit that requests the external device to transmit the control target identification information. In this case, if the control target identification information cannot be read, the identification information requesting unit requests the external device to transmit the control target identification information, and the control target identification information is transmitted from the external device in response to this transmission request. Then, the identification information receiving means described above receives the control target identification information. Therefore, there is a high possibility that the control target identification information can be received when the electronic control device requires it.
[0036]
Note that, for example, in the electronic control device for replenishment, since the control target identification information is not stored in the identification information storage unit, the control target identification information received from the external device is used every time prior to execution of the control process. It is necessary to make a coincidence judgment. Therefore, Of the seventh configuration As described above, it is desirable that the control object identification information received by the identification information receiving unit is stored in the identification information storage unit. As a result, once the control object identification information is received from the external device, the control object identification information can be read from the identification information storage means, so that it is not necessary to receive the control object identification information from the external device.
[0037]
By the way, the control program or control data stored in the non-volatile memory of the electronic control device may be mistakenly rewritten due to an operation error as described above, but the user deliberately sets the control program or control data constant, etc. It may be possible to rewrite to. For example, in an electronic control device that controls an engine, it is common to set an upper limit value of the vehicle speed in advance and perform control such as cutting fuel when the vehicle speed exceeds the upper limit value. However, at this time, the user may intentionally rewrite the preset upper limit value of the vehicle speed.
[0038]
To prevent unauthorized rewriting of control programs or control data by such users, Of the eighth configuration Thus, it is preferable that the data matching target identification information is uniquely determined from the codes constituting the control program and the control data. Here, the only thing determined from the codes constituting the control program and control data is, for example, a checksum. That is, information whose value changes even if only a part of the control program or control data is changed is set as the data matching target identification information. For example, if the data matching target identification information is used as a checksum for the control program or control data, the data target identification information is changed even when some codes are illegally rewritten, so that a mismatch judgment is made and control is executed. Predetermined processing is executed in advance. As a result, it is possible to prevent the user from intentionally rewriting the control program or control data as described above.
[0039]
When the manufacturer rewrites the control program or control data properly, execute the control process so that the checksum of the new control program and control data matches the checksum of the control program and control data before rewriting. A control program or control data may be created including dummy code that does not affect the control.
[0040]
by the way, First In addition to the configurations shown in 1-8, Of the ninth configuration As described above, the external information receiving means for receiving the external information which is identification information indicating the control target of the other electronic control apparatus transmitted from the other electronic control apparatus as the external apparatus, and the external information receiving means External information storage means for storing received external information, and external information transmission means for transmitting external information stored in the external information storage means to another electronic control device, and external to the other electronic control device It is conceivable that the apparatus can be configured to be operable.
[0041]
In this case, the external information receiving unit receives the external information indicating the control target of the other electronic control device transmitted by the identification information transmitting unit of the other electronic control device as the external device. The received external information is stored in the external information storage unit and transmitted to the external device by the external information transmission unit. As a result, the electronic control device of the present invention also operates as the external device described above with respect to other electronic control devices.
[0042]
For example, considering the two electronic control devices X and Y configured as described above, the Y electronic control device operates as an external device for the X electronic control device, and the X electronic control device is external to the Y electronic control device. It will operate as a device. That is, the X electronic control device uses the control target identification information stored in the Y electronic control device by transmitting the control target identification information indicating the control target of the X electronic control device to the Y electronic control device as an external device. On the other hand, the Y electronic control device is stored in the X electronic control device by transmitting control target identification information indicating the control target of the Y electronic control device to the X electronic control device as an external device. It is possible to make a coincidence determination using the control object identification information.
[0043]
Here, consider a case where the X electronic control device receives external information, which is identification information indicating the control target of the Y electronic control device, from the Y electronic control device as an external device.
At this time, it is conceivable that the Y electronic control device repeatedly transmits external information at a predetermined interval. By the way, considering the case where the X electronic control device is replaced, the Y electronic control device transmits external information at a relatively short interval so as to store the external information in the external information storage means of the X electronic control device as soon as possible. It is desirable to do. The reason is that if the Y electronic control device is also replaced before the external information is stored in the X electronic control device, the external information will be lost in both the Y electronic control device and the X electronic control device. . If it says so, if external information is transmitted at a very short interval, after external information is once memorize | stored in X electronic control unit, useless transmission / reception will increase.
[0044]
Therefore, Of the tenth configuration As described above, when external information is not stored in the external information storage means, it is conceivable to include external information requesting means for requesting transmission of external information to another electronic control device. Here, when the external information is not stored in the external information storage means, the case where the electronic control device is replaced due to a failure or the like as described above can be considered. In this case, the external information requesting unit requests the other electronic control device to transmit the external information. If another electronic control unit transmits external information in response to this transmission request, the external information is quickly stored, and transmission / reception as described above is eliminated.
[0045]
In addition, there is a possibility that external information transmitted from another electronic control device may not be received correctly due to the influence of noise or the like. If such a possibility becomes high, the reliability of the external information used for the coincidence determination in the Y electronic control unit, that is, the control target identification information indicating the control target of the Y electronic control unit decreases.
[0046]
Therefore, Of the eleventh configuration As described above, when the external information is received by the external information receiving means, the external information requesting means described above is configured to request retransmission of the external information, and the external information received first and the retransmission request are configured. It may be configured to include an external information storage control unit that determines whether or not the received external information matches based on the information and stores the external information in the external information storage unit when they match. For example, when the external information request means of the X electronic control device receives the external information from the Y electronic control device, it requests the Y electronic control device to retransmit the external information, and in response to this request, the Y electronic control device When the external information is transmitted again from the external information storage means, the external information storage control means of the X electronic control unit determines that the first received external information matches the external information received by requesting retransmission. If so, the external information is stored. As a result, the reliability of the control target identification information indicating the control target of the Y electronic control device stored in the X electronic control device can be improved.
[0047]
Further, consider a case where the X electronic control device transmits external information that is identification information indicating a control target of the Y electronic control device to a Y electronic control device as an external device. The external information transmission unit of the X electronic control unit may repeatedly transmit the external information of the Y electronic control unit stored in the external information storage unit to the Y electronic control unit at a predetermined interval, for example. If performed frequently, transmission / reception becomes wasteful.
[0048]
Therefore, Of the twelfth configuration As described above, the external information transmission unit may be configured to transmit the external information stored in the external information storage unit when there is a request for transmission of the external information from the external device. For example, in the case of two electronic control devices X and Y, the external information transmission means of the X electronic control device, when there is a request for transmission of external information by the Y electronic control device, stores Y electrons stored in the external information storage means. For example, external information of the control device is transmitted. As a result, the Y electronic control device can acquire the external information when the external information, that is, the control target identification information of the Y electronic control device is required.
[0049]
more than, First 1-12 Configuration In the explanation of the invention of the electronic control device, First 9-12 Of configuration Considering an electronic control device that also operates as an external device for other electronic control devices, Of the 13th configuration like, First Any of 9-12 Constitution By providing a plurality of the electronic control devices, it is possible to realize an electronic control system in which at least one other electronic control device operates as an external device for each electronic control device.
[0050]
In this case, among the plurality of electronic control devices, at least one other electronic control device operates as an external device for each electronic control device. That is, the control target identification information indicating the control target of one electronic control device is saved in at least one other electronic control device. Here, when the control object identification information of one electronic control device is saved in two or more other electronic control devices, the one electronic control device and two or more electronic control devices operating as external devices As long as they are not exchanged at the same time, the control target identification information of the electronic control device will not be lost, so that the reliability can be maintained high. Furthermore, if the control object identification information of each electronic control device is saved in all other electronic control devices, the control object identification information of each electronic control device will not be lost unless all electronic control devices are replaced at the same time. Furthermore, the reliability can be maintained high.
[0051]
DETAILED DESCRIPTION OF THE INVENTION
DESCRIPTION OF EXEMPLARY EMBODIMENTS Hereinafter, embodiments of the invention will be described with reference to the drawings.
[First Embodiment]
FIG. 1 is a block diagram showing an electrical configuration of the electronic control system 1 of the first embodiment. FIG. 1 shows an electronic control unit (hereinafter referred to as “ECU”) 10, an ignition key unit 50 as an “external device” mounted on the vehicle together with the ECU 10, and a memory rewriting device 80 connected to the ECU 10. It is shown. Here, ECU10 is mounted in a motor vehicle and controls an internal combustion engine type engine. The memory rewriting device 80 is connected to the ECU 10 when rewriting an engine control program or data built in the ECU 10.
[0052]
As shown in FIG. 1, the ECU 10 calculates an optimum control amount for the engine based on an input circuit 13 that inputs signals from various sensors that output signals according to the operating state of the engine, and signals from the input circuit 13. The CPU 11 outputs a control signal based on the calculation result, the output circuit 14 that receives the control signal from the CPU 11 and drives an actuator such as an injector or an igniter attached to the engine, and the CPU 11 performs control. The EEPROM 12 for storing necessary data and the input / output port 15 for performing serial data communication between the memory rewriting device 80 and the ignition key unit 50 are provided. The input / output port 15 is connected with a warning lamp 31 that is turned on in response to a signal from the ECU 10. For example, the warning lamp 31 may be provided on an instrument panel in the vehicle interior. Further, the CPU 11 is provided with a flash EEPROM (hereinafter referred to as “flash ROM”) 11 for storing a control program and control data necessary for controlling the engine and a power supply from a battery, even when the ignition switch of the vehicle is turned off. And a standby RAM 11b capable of holding the stored data.
[0053]
Here, the flash ROM 11a built in the CPU 11 is a nonvolatile memory capable of electrically erasing and writing data, and a control program and control data for engine control are already stored in the flash ROM 11a. . As shown in FIG. 2, the control program and control data stored in the flash ROM 11a are configured by codes (program codes, data codes). This code includes a dummy code that does not affect control. When creating a control program and control data, the code checksum is adjusted to match the control program and control data by adjusting this dummy code. The identification code indicates the type of engine to be used. This identification code corresponds to “data matching target identification information” which is identification information indicating a control target matching the control program and control data.
[0054]
The EEPROM 12 is also a nonvolatile memory that can electrically erase and write data. In the EEPROM 12 and the standby RAM 11b built in the CPU 11, an identification code indicating the type of engine controlled by the ECU 10 is stored. In the first embodiment, when the identification code is stored in both the standby RAM 11b and the EEPROM 12 as described above, the standby RAM 11b is accessed to read the identification code, and the identification code stored in the standby RAM 11b is lost, The EEPROM 12 is accessed, and the identification code stored in the EEPROM 12 is copied to the standby RAM 11b. This identification code corresponds to “control target identification information” which is identification information indicating a control target of the ECU 10. The standby RAM 11b and the EEPROM 12 for storing the identification code correspond to “identification information storage means”.
[0055]
Hereinafter, in order to distinguish between the above-described two identification codes, an identification code indicating an engine type conforming to the control program and the control data is described as an A identification code, and an identification code indicating a control target of the ECU 10 is described as a B identification code. I decided to. In the first embodiment, the identification code is set so as to distinguish between engines of different types, but is set so as to distinguish the model name, the grade of the car, the destination of the car, and the like. It may be done.
[0056]
The memory rewriting device 80 is for causing the ECU 10 to rewrite the flash ROM 11a. A new control program and control data prepared for writing to the flash ROM 11a are stored in a floppy disk, a hard disk, a CD-ROM, and a memory cartridge. I remember it. When a predetermined operation is performed by the operator, the memory rewriting device 80 transmits a rewrite command to the electronic control device, and then transmits a new control program and control data stored in the above-described storage medium to the ECU 10. The ECU 10 operates to rewrite the contents of the flash ROM 11a in response to a rewrite command from the memory rewriting device 80, as will be described later.
Here, in the same manner as the control program and control data already stored in the flash ROM 11a of the CPU 11, the new control program and control data stored in the memory rewriting device 80 are also shown in FIG. The checksum of the code constituting the data is an A identification code indicating the engine type that matches the control program and control data.
[0057]
Such a connection between the memory rewriting device 80 and the ECU 10 is performed by connecting the communication lines 92 to each other via the connection connector 91. In other words, when the connection connector 91 is fitted, bidirectional serial communication between the memory rewriting device 80 and the ECU 10 becomes possible via the communication line 92.
[0058]
The ignition key unit 50 includes an ignition key 60 and a key cylinder 70 for inserting the ignition key 60 and turning on / off an ignition switch of the vehicle. The key cylinder 70 in the first embodiment includes a communication electronic control unit (hereinafter referred to as “communication ECU”) 71, which is connected to the input / output port 15 of the ECU 10 as shown in FIG. 1. The communication line 93 is connected to the ECU 10 so as to perform bidirectional serial communication. An EEPROM 61 is mounted on the ignition key 60. The above-described communication ECU 71 of the key cylinder 70 is configured to perform wireless communication with the ignition key 60, requests the ECU 10 to transmit a B identification code, and receives the B identification transmitted from the ECU 10. The code is received and stored in the EEPROM 61 of the ignition key 60. When there is a request for transmission of the B identification code from the ECU 10, the data stored in the EEPROM 61 of the ignition key 60 is read and transmitted to the ECU 10. This operation will be described later. The configuration of data communication between the ignition key unit 50 and the ECU 10 is well known, and thus detailed description of the configuration is omitted.
[0059]
The CPU 11 of the ECU 10 configured as described above starts operating from the reset state when the ignition switch of the vehicle is turned on and an operating voltage (5 V) is supplied from a power supply circuit (not shown) in the ECU 10. When a rewrite request signal is received as a rewrite command from the memory rewrite device 80 when the operation is started, the current control program and control data stored in the flash ROM 11a are read without calling the control program in the flash ROM 11a. Then, it is rewritten with a new control program and control data transmitted from the memory rewriting device 80. By such an operation, the control program and control data stored in the flash ROM 11a of the ECU 10 are rewritten with a new control program and control data stored in the memory rewriting device 80.
[0060]
Further, the CPU 11 calls the control program in the flash ROM 11a to control the engine during normal times when the memory rewriting device 80 is not connected. In the first process of this control program, Prior to execution of the engine control process based on the control program and control data in the flash ROM 11a, it is determined whether or not the control program and control data in the flash ROM 11a are compatible with the engine type. Performs the process for handling an abnormality.
[0061]
Next, processing executed by the communication ECU 71 provided in the key cylinder 70 of the ignition key unit 50 described above will be described based on the flowcharts shown in FIGS. 3 and 4.
FIG. 3 is a flowchart showing the code request process. This process is executed at a predetermined timing such as 8 ms.
[0062]
First, in step S400, it is determined whether the code storage flag Fe is “0” or the code transmission request flag Fr is “1”. Both flags Fe and Fr take a value of “0” or “1”. When the communication ECU 71 stores the B identification code from the ECU 10 in the EEPROM 61 of the ignition key 60, the communication ECU 71 sets the code storage flag Fe to “1”. Further, the communication ECU 71 sets the code transmission request flag Fr to “1” when requesting retransmission of the B identification code in a code storage process described later. Therefore, this process determines when the B identification code from the ECU 10 is not stored in the EEPROM 61 of the ignition key 60 or when there is a request for retransmission of the B identification code to the ECU 10. If Fe = 0 or Fr = 1 (S400: YES), the process proceeds to S410. On the other hand, when Fe = 1 and Fr = 0 (S400: NO), this code request process is terminated.
[0063]
In S410, a request for transmitting the B identification code is output to the ECU 10. Thereafter, the code request process is terminated.
FIG. 4 is a flowchart showing the code storage process. This process is executed when the B identification code is received from the ECU 10.
[0064]
First, in step S500, it is determined whether or not the code storage flag Fe is “1”. As described above, the code storage flag Fe is set to “1” when the B identification code from the ECU 10 is stored in the EEPROM 61 of the ignition key 60. If Fe = 1 (S500: YES), that is, if the B identification code is already stored in the EEPROM 61 of the ignition key 60, this code storage process is terminated. On the other hand, when Fe = 0 (S500: NO), that is, when the B identification code is not stored in the EEPROM 61 of the ignition key 60, the process proceeds to S510.
[0065]
In S510, it is determined whether or not the code reception flag F1 is “0”. The code reception flag F1 is set to “1” when the B identification code transmitted from the ECU 10 is first received and stored. Therefore, this process determines a case where the B identification code from the ECU 10 has not been received even once. If F1 = 0 (S510: YES), the process proceeds to S530. On the other hand, if F1 = 1 (S510: NO), that is, if the B identification code is received for the second time or later, the process proceeds to S520.
[0066]
In S520, it is determined whether or not the previously received B identification code matches the B identification code received this time. This process confirms the occurrence of a data error due to the influence of noise or the like during data communication. If they match (S520: YES), the process proceeds to S550. On the other hand, when it does not correspond (S520: NO), it transfers to S530.
[0067]
In S530, the code transmission request flag Fr is set to “1”. As a result, an affirmative determination is made in S400 of the code request process shown in FIG. 3, and the ECU 10 is requested to retransmit the B identification code.
In S540, the B identification code received this time is temporarily stored. In the first embodiment, it is stored in the internal RAM (not shown) of the communication ECU 71. Further, the code reception flag F1 is set to “1”. Thereafter, the present code storage process is terminated.
[0068]
On the other hand, in S550 to which the process proceeds when an affirmative determination is made in S520, the received code is stored in the nonvolatile memory. In the first embodiment, the data is stored in the EEPROM 61 of the ignition key 60. Thereafter, the present code storage process is terminated.
Next, based on the flowchart shown in FIG. 5, the transmission process performed by CPU11 of ECU10 corresponding to the process performed by communication ECU71 demonstrated using the flowchart of FIG.3 and FIG.4 is demonstrated. This transmission process is executed at a predetermined timing such as 16 ms.
[0069]
First, in step S600, it is determined whether the code transmission completion flag Fs is “0” or the code transmission request flag Fr is “1”. Both of the flags Fs and Fr have a value of “0” or “1”, respectively. The code transmission completion flag Fs is set to “1” when the B identification code stored in the EEPROM 12 and the standby RAM 11b of the ECU 10 is transmitted even once. Further, the code transmission request flag Fr is set to “1” when there is a B identification code transmission request from the communication ECU 71 in S410 in FIG. 3 described above. Therefore, this process determines when the B identification code has never been transmitted, or when the B identification code is requested to be transmitted. If Fs = 0 or Fr = 1 (S600: YES), the process proceeds to S610. On the other hand, when Fs = 1 and Fr = 0 (S610: NO), this transmission process is terminated.
[0070]
In S610, it is determined whether engine speed NE = 0 and starter STA = OFF. This process is a determination process based on a signal from the sensor input via the input circuit 13, and determines whether or not the state is low in noise. If NE = 0 and STA = OFF (S610: YES), the process proceeds to S620. On the other hand, if NE ≠ 0 or STA = ON (S620: NO), this transmission process is terminated.
[0071]
In S620, it is determined whether or not the B identification code is “0”. This process determines whether the B identification code is not stored in both the standby RAM 11b and the EEPROM 12, or the B identification code cannot be read due to a failure of the standby RAM 11b. Here, if B identification code = 0 (S620: YES), this transmission process is terminated. On the other hand, if B identification code ≠ 0 (S620: NO), the process proceeds to S630.
[0072]
In S630, the B identification code is transmitted to the communication ECU 71 provided in the key cylinder 70 of the ignition key unit 50. When the communication ECU 71 receives the transmitted B identification code, the communication ECU 71 executes the code storage process shown in the flowchart of FIG. In the subsequent S630, the code transmission completion flag Fs is set to “1”, the code transmission completion flag Fs is stored in the standby RAM 11b and the EEPROM 12 of the ECU 10, and then the transmission processing is terminated.
[0073]
By the processing executed by the communication ECU 71 and the ECU 10 described above, the B identification code indicating the model of the engine controlled by the ECU 10 stored in the standby RAM 11b and the EEPROM 12 of the ECU 10 is applied to the ignition key 60 of the ignition key unit 50. It is stored in the mounted EEPROM 61.
[0074]
Next, a process executed by the CPU 11 of the ECU 10 prior to the execution of the engine control process will be described based on the flowcharts shown in FIGS. FIG. 6 is a flowchart showing a transmission request process executed by the CPU 11 of the ECU 10. As described above, this process is executed immediately after calling the control program.
[0075]
First, in the first step S100, it is determined whether or not the B identification code is “0”. In this process, as in S620 in FIG. 5, it is determined whether the B identification code is not stored in both the standby ROM 12 and the EEPROM 12, or the case where the B identification code cannot be read due to a failure of the standby RAM 11b or the like. is there. If B identification code = 0 (S100: YES), the process proceeds to S110. On the other hand, if B identification code is not equal to 0 (S100: NO), the transmission request process is terminated.
[0076]
In S110, the communication ECU 71 of the key cylinder 70 of the ignition key unit 50 is requested to transmit the B identification code. Thereafter, the transmission request process is terminated. When requesting transmission of the B identification code to the communication ECU 71, the communication ECU 71 obtains the B identification code stored in the EEPROM 61 of the ignition key 60 by performing wireless communication with the ignition key 60. The B identification code is transmitted to the ECU 10.
[0077]
Next, a reception process executed by the CPU 11 of the ECU 10 will be described based on the flowchart shown in FIG. As described above, the reception process receives the B identification code transmitted from the communication ECU 71 as a result of requesting the communication ECU 71 of the key cylinder 70 to transmit the B identification code in S110 in FIG. To do.
[0078]
First, in step S200, it is determined whether or not a signal from the communication ECU 71 input to the input / output port 15 of the ECU 10 is a start bit. This process determines the start of reception of the B identification code transmitted via the communication line 93. If it is determined here that it is a start bit (S200: YES), the process proceeds to S210. On the other hand, when it is determined that it is not the start bit (S200: NO), the determination process of S200 is repeated until the start bit is determined.
[0079]
In S210, the received signal is stored. In subsequent S220, it is determined whether or not it is a stop bit. This process determines the end of reception of the B identification code transmitted via the communication line 93. If it is determined that the bit is a stop bit (S220: YES), the stored series of received signals is stored as a B identification code in the standby RAM 11b and the EEPROM 12 in S230, and then the present receiving process is terminated. On the other hand, when it is determined that the bit is not a stop bit (S220: NO), since the reception has not been completed, the processing from S210 described above is repeated.
[0080]
Further, the coincidence determination process executed by the CPU 11 of the ECU 10 will be described based on the flowchart shown in FIG. This coincidence determination process is executed subsequent to the above-described reception process or following the transmission request process when no transmission request is made in the transmission request process.
[0081]
First, in the first step S300, it is determined whether or not the check flag XC is “1”. The check flag XC is a flag that takes either a value of “0” or “1”, and is “0” immediately after the ignition switch of the vehicle is turned on. If it is determined that XC = 1 (S300: YES), the match determination process is terminated. On the other hand, when it is determined that XC = 0 (S300: NO), the process proceeds to S310.
[0082]
In S310, it is determined whether engine speed NE = 0 and starter STA = OFF. This process is a determination process based on a signal from the sensor input via the input circuit 13, and determines whether or not the state is low in noise. If NE = 0 and STA = OFF (S310: YES), the process proceeds to S320. On the other hand, if NE ≠ 0 or STA = ON (S320: NO), this match determination process is terminated.
[0083]
In S320, an A identification code is created. As described above, the A identification code is an identification code indicating the engine type to which the control program and the control data are compatible, and is a checksum of the code constituting the control program and the control data. Therefore, this process creates a checksum from the control program and control data stored in the flash ROM 11a built in the CPU 11.
[0084]
In subsequent S330, it is determined whether or not the A identification code matches the B identification code. That is, it is determined whether or not the engine type that conforms to the control program and control data stored in the flash ROM 11a built in the CPU 11 is the same as the engine type to be controlled by the ECU 10. Here, if A identification code = B identification code (S330: YES), “1” is substituted into the check flag XC in S350, and then this match determination process is terminated. On the other hand, if A identification code ≠ B identification code (S330: NO), the warning lamp 31 connected to the input / output port 15 is turned on in S340, and then the match determination process is terminated.
[0085]
After the match determination process is completed, a control process for controlling the engine is executed based on the control program and control data.
Note that the CPU 11 of the ECU 10 that executes the processing described above corresponds to “identification information transmitting means”, “identification information receiving means”, “identification information requesting means”, “match determination means”, and “abnormality process execution means”. 5 corresponds to the processing as the identification information transmitting means, the processing of S100 and S110 in FIG. 6 corresponds to the processing as the identification information requesting means, and S200 to S200 in FIG. The process of S220 corresponds to the process as the identification information receiving unit, the process of S330 in FIG. 8 corresponds to the process as the coincidence determination unit, and the process of S340 in FIG. Equivalent to.
[0086]
Next, effects exhibited by the electronic control system 1 of the first embodiment will be described.
In the ECU 10 of the first embodiment, the checksum of the code constituting the control program and control data is an A identification code indicating the engine type that matches the control program and control data (see FIG. 2). Prior to the execution of the control process based on the program and control data, an A identification code is created from the control program and control data (S320 in FIG. 8), and the created A identification code and the model of the engine to be controlled by the ECU 10 are changed. It is determined whether or not the B identification code shown matches (S330 in FIG. 8). If they do not match (S330: NO in FIG. 8), the warning lamp 31 is turned on. (S340 in FIG. 8). Therefore, according to the ECU 10 of the first embodiment, the operator who performs rewriting by the memory rewriting device 80 does not match the control program or control data written in the flash ROM 11a built in the CPU 11 with the engine type. Can be ascertained by turning on the warning lamp 31 and appropriate measures can be taken. For example, the control program or the control data is rewritten again using the memory rewriting device 80.
[0087]
In the first embodiment, the B identification code indicating the model of the engine controlled by the ECU 10 is stored in the standby RAM 11b and the EEPROM 12 in the ECU 10 when the vehicle is shipped from the factory. The B identification code is transmitted to the ignition key unit 50 mounted on the vehicle together with the ECU 10 (S630 in FIG. 5), so that it is not only stored in the standby RAM 11b and the EEPROM 12 in the ECU 10, but also the ignition key unit. The information is also stored in the EEPROM 61 mounted on the 50 ignition keys 60.
[0088]
If the B identification code cannot be read from the standby RAM 11b (S100: YES in FIG. 6), the above-described matching determination is performed using the B identification code stored in the EEPROM 61 of the ignition key 60. As a result, even if the B identification code is not stored in the standby RAM 11b and the EEPROM 12 in the ECU 10, it can be determined that the control program or control data written in the flash ROM 11a built in the CPU 11 does not conform to the engine type. The warning lamp 31 can be turned on. Therefore, it is not necessary to previously store the B identification code in the standby RAM 11b and the EEPROM 12 of the replenishment ECU 10 that are replaced when the ECU 10 fails. That is, the type of the engine controlled by the ECU 10 before being mounted on the vehicle is not specified. As a result, the replenishment ECU 10 can be made common without being distinguished by the engine type.
[0089]
On the other hand, when the B identification code can be read from the standby RAM 11b (S100: NO in FIG. 3), the above-described matching determination is performed using the B identification code stored in the standby RAM 11b. That is, in principle, the B identification code is stored in the ECU 10, and the B identification code in the ECU 10 is used for matching determination. As a result, it takes a relatively long time for acquisition, and the number of acquisition times of the B identification code from the ignition key unit 50 that is easily affected by noise can be reduced.
[0090]
Furthermore, when the B identification code cannot be read from the standby RAM 11b (S100 in FIG. 6), the ECU 10 of the first embodiment makes a transmission request to the communication ECU 71 provided in the key cylinder 70 of the ignition key unit 50. (S110 in FIG. 6), the B identification code transmitted from the ignition key unit 50 in response to this transmission request is received (S200, S210, S220 in FIG. 7). That is, the communication ECU 71 transmits the B identification code only when there is a transmission request from the ECU 10, and the ECU 10 executes the reception process only when the transmission of the B identification code is requested. Further, the ECU 10 stores the received B identification information in the standby RAM 11b and the EEPROM 12 built in the CPU 11 in the ECU 10 (S230 in FIG. 4). Therefore, for example, after replacement of the ECU 10, if the B identification code is not stored in the standby RAM 11 b and the EEPROM 12, once the B identification code is received from the ignition key unit 50, the standby RAM 11 b and the EEPROM 12 in the ECU 10 are received. A match determination is made using the stored B identification code. As described above, the ECU 10 according to the first embodiment can reduce transmission / reception processing.
[0091]
Further, when the ignition key unit 50 is replaced due to a failure or the like and the B identification code stored in the EEPROM 61 of the ignition key 60 is lost (S400: YES), the key cylinder 70 of the ignition key unit 50 is lost. The communication ECU 71 included in the request requests the ECU 10 to transmit the B identification code (S410 in FIG. 3). Further, when the communication ECU 71 receives the B identification code for the first time (S510: YES), the communication ECU 71 requests retransmission of the B identification code and determines whether the previously received B identification code matches the retransmitted B identification code. (S520 in FIG. 4), if they match, the data is stored in the EEPROM 61 of the ignition key 60 (S550 in FIG. 4). Thus, even when the ignition key unit 50 has been replaced, a reliable B identification code is reliably stored in the EEPROM 61 of the ignition key 60. That is, in the ECU 10 of the first embodiment, the B identification code is not lost unless both the ignition key unit 50 and the ECU 10 are replaced at the same time, and the reliability of the B identification code is increased. Can be held. As a result, the reliability of the matching determination process based on the B identification code can be improved.
[0092]
In the first embodiment, the A identification information indicating the engine type compatible with the control program and control data is used as the checksum of the code constituting the control program and control data. Therefore, when a part of the control program and control data is rewritten illegally, the checksum, that is, the A identification code is changed. Therefore, it is possible to prevent the user from intentionally rewriting the control program or control data. Note that the codes constituting the control program and the control data include dummy codes that do not affect the execution of the control process as shown in FIG. Therefore, when the control program or control data is created normally, the checksum of the new control program and control data is matched with the checksum of the control program and control data before rewriting by adjusting this dummy code. Let
[0093]
Furthermore, in the ECU 10 of the first embodiment, the B identification code is stored in both the standby RAM 11b and the EEPROM 12 built in the CPU 11, and the standby RAM 11b is accessed, and the B identification stored in the standby RAM 11b is stored. When the code is lost, the B identification code stored in the EEPROM 12 is copied. As a result, the number of accesses to the EEPROM 12 with a limited number of accesses can be reduced.
[Second Embodiment]
In the first embodiment, the ignition key unit 50 is employed as an external device that stores a B identification code indicating the model of the engine that is the control target of the ECU 10. Instead of the ignition key unit 50, another ECU that is mounted on the vehicle together with the ECU 10 and controls a predetermined control object may be adopted as an external device.
[0094]
FIG. 9 is a block diagram showing an electrical configuration of the electronic control system 2 of the second embodiment. FIG. 9 shows two electronic control units (hereinafter referred to as “ECUs”) 10, 20, a memory rewrite device 80, and warning lamps 31, 32. The two ECUs 10 and 20 are mounted on the vehicle in a state where data communication is possible via the communication line 94. One ECU 10 controls the internal combustion engine type engine, and the other ECU 20 performs control of the brake device, so-called anti-skid control. The memory rewriting device 80 is connected to the ECU 10 or 20 when rewriting the program or data for engine control or brake control incorporated in the ECU 10 or 20 (in FIG. 9, it is connected to the ECU 10). In order to distinguish the two ECUs 10 and 20, the following description will be made as X-ECU10 and Y-ECU20.
[0095]
The hardware configuration of the X-ECU 10 is exactly the same as the hardware configuration of the ECU 10 in the first embodiment, and a description thereof is omitted here.
The Y-ECU 20 controls the brake device as described above, but the hardware configuration is the same as that of the X-ECU 10. That is, an input circuit 23 for inputting signals from various sensors such as a vehicle speed sensor, a CPU 21 for performing a calculation based on a signal from the input circuit 23 and outputting a control signal for brake hydraulic pressure, and a control signal from the CPU 21. An output circuit 24 that drives the actuator, an EEPROM 22 that stores data necessary for the CPU 21 to perform control, and an input / output port 25 for performing data communication between the memory rewriting device 80 and the X-ECU 10. I have. The input / output port 25 is connected to a warning lamp 32 that is turned on in response to a signal from the Y-ECU 20, and the CPU 21 includes a flash ROM 21a that stores a control program and control data necessary for controlling the brake device. A standby RAM 21b capable of holding stored data even when the ignition switch of the vehicle is turned off by supplying power from a battery is incorporated.
[0096]
As in the first embodiment, a control program and control data for engine control are already stored in the flash ROM 11a built in the CPU 11 of the X-ECU 10. As shown in FIG. 2, the control program and control data stored in the flash ROM 11a are configured by codes (program codes, data codes). This code includes a dummy code that does not affect control. When creating a control program and control data, the code checksum is adjusted to match the control program and control data by adjusting this dummy code. The identification code indicates the type of engine to be used. Hereinafter, this identification code is described as an A identification code.
[0097]
The EEPROM 12 of the X-ECU 10 and the standby RAM 11b built in the CPU 11 store an identification code indicating the type of engine controlled by the X-ECU 10. Also in the second embodiment, as in the first embodiment, the identification code is stored in both the standby RAM 11b and the EEPROM 12, and the identification code is read out by accessing the standby RAM 11b in the normal state. When the stored identification code is lost, the EEPROM 12 is accessed, and the identification code stored in the EEPROM 12 is copied to the standby RAM 11b. Hereinafter, this identification code is described as a B identification code.
[0098]
Furthermore, a control program and control data for controlling the brake device are already stored in the flash ROM 21a built in the CPU 21 of the Y-ECU 20. Like the control program and control data stored in the flash ROM 11a of the X-ECU 10, as shown in FIG. 2, the code is composed of a code including a dummy code. It is made to become the identification code which shows. Hereinafter, this identification code is described as a C identification code.
[0099]
The EEPROM 22 of the Y-ECU 20 and the standby RAM 21 built in the CPU 21 store an identification code indicating the type of brake device controlled by the Y-ECU 20. Hereinafter, this identification code is described as a D identification code. Here, the point that the EEPROM 22 is accessed when the identification code stored in the standby RAM 21b disappears is the same as in the X-ECU 10.
[0100]
In the second embodiment, the identification code is set so as to distinguish between different types of engines and brake devices, but distinguishes the vehicle type name, the vehicle grade name, the destination of the vehicle, and the like. It may be set as follows.
The memory rewriting device 80 is configured in the same manner as in the first embodiment, and the new control program and control data stored in the memory rewriting device 80 also configure the control program and control data as shown in FIG. The checksum of the code to be used is an identification code indicating the model of the engine or brake device conforming to the control program and control data.
[0101]
The CPU 11 of the X-ECU 10 and the CPU 21 of the Y-ECU 20 configured as described above are operated with the operating voltage (5 V) from the respective power supply circuits (not shown) in the X-ECU 10 and Y-ECU 20 when the vehicle ignition switch is turned on. ) Is supplied, the operation starts from the reset state.
[0102]
In the first embodiment, the communication ECU 71 of the ignition key unit 50 as an external device for the ECU 10 executes the processes shown in the flowcharts of FIGS. 3 and 4. The ECU 10 performs the processes shown in the flowcharts of FIGS. 5 to 8. Was executed.
On the other hand, in the second embodiment, the CPU 21 of the Y-ECU 20 as an external device for the X-ECU 10 is similar to the process executed by the communication ECU 71 of the ignition key unit 50 of the first embodiment. Processing, that is, processing similar to the processing shown in the flowcharts of FIGS. 3 and 4 is executed. On the other hand, the CPU 11 of the X-ECU 10 executes the same process as the process executed by the CPU 11 of the ECU 10 of the first embodiment, that is, the same process as the process shown in the flowcharts of FIGS.
[0103]
Further, in the second embodiment, the X-ECU 10 also operates as an external device for the Y-ECU 20. Accordingly, the CPU 11 of the X-ECU 10 performs the same process as the process executed by the communication ECU 71 of the ignition key unit 50 of the first embodiment, that is, the same process as the process shown in the flowcharts of FIGS. Execute. On the other hand, the CPU 21 of the Y-ECU 20 executes the same process as the process executed by the CPU 11 of the ECU 10 of the first embodiment, that is, the same process as the process shown in the flowcharts of FIGS.
[0104]
That is, in the second embodiment, the Y-ECU 20 operates as an external device of the X-ECU 10 and the X-ECU 10 operates as an external device of the Y-ECU 20. That is, the X-ECU 10 stores the B identification code indicating the model of the engine that is the control target of the X-ECU 10 in the standby RAM 11b and the EEPROM 12 of the X-ECU 10, and controls the Y-ECU 20 transmitted from the Y-ECU 20 A D identification code indicating the model of the target brake device is stored. Similarly, the Y-ECU 20 stores the D identification code indicating the control target of the Y-ECU 20 in the standby RAM 21b and the EEPROM 22 of the Y-ECU 20, and B indicating the control target of the X-ECU 10 transmitted from the X-ECU 10. The identification code is stored. As a result, when the B identification code cannot be read from the standby RAM 11b and the EEPROM 12, the X-ECU 10 makes a coincidence determination using the B identification code stored in the standby RAM 21b and the EEPROM 22 of the Y-ECU 20. Similarly, when the D identification code cannot be read, the Y-ECU 20 performs a match determination using the D identification code stored in the standby RAM 11b and the EEPROM 12 of the X-ECU 10.
[0105]
At this time, for example, when the X-ECU 10 is replaced with the replenishment X-ECU 10 due to a failure, the X-ECU 10 requests the Y-ECU 20 to transmit a D identification code (S410 in FIG. 3). When a D identification code is received from the Y-ECU 20, a retransmission is requested (S530 in FIG. 4, S410 in FIG. 3), and it is confirmed that there is no communication error due to noise or the like (S520 in FIG. 4). ), The D identification code indicating the control target of the Y-ECU 20 is stored in the standby RAM 11b and the EEPROM 12 of the X-ECU 10 (S550 in FIG. 4). Prior to the execution of the engine control process, the X-ECU 10 requests the Y-ECU 20 to transmit a B identification code indicating the control target of the X-ECU 10 (S110 in FIG. 6), and is transmitted from the Y-ECU 20 The B identification code is stored in the standby RAM 11b and the EEPROM 12 of the X-ECU 10 (S230 in FIG. 7), and this B identification code is used to determine whether the control program and control data are suitable for the control target. This is performed (S330 in FIG. 8). The same applies when the Y-ECU 20 is replaced.
[0106]
Therefore, in the case of the second embodiment, the CPU 11 of the X-ECU 10 performs “identification information transmitting means”, “identification information receiving means”, “identification information requesting means”, “matching determination means”, “processing when abnormal” It corresponds to “execution means” and also corresponds to “external information reception means”, “external information transmission means”, “external information request means”, and “external information storage control means”. 5 corresponds to the process as the identification information transmitting unit, the processes of S100 and S110 in FIG. 6 correspond to the process as the identification information request unit, and S200 to S200 in FIG. The process of S220 corresponds to the process as the identification information receiving unit, the process of S330 in FIG. 8 corresponds to the process as the coincidence determination unit, and the process of S340 in FIG. Equivalent to. Furthermore, the processing of S500 to S550 in FIG. 4 corresponds to the processing as external information storage control means, and the processing of S400 and S410 in FIG. 3 corresponds to the processing as external information requesting means. Further, the standby RAM 11b and the EEPROM 12 of the X-ECU 10 correspond to “identification information storage means” and “external information storage means”. Note that the CPU 21 of the Y-ECU 20 also executes the same processing as the CPU 11 of the X-ECU 10, and therefore has the same correspondence as described above.
[0107]
According to the electronic control system 1 of the second embodiment described above, the two ECUs 10 and 20 of X and Y have the same effects as the ECU 10 of the first embodiment.
As described above, the present invention is not limited to such an embodiment, and can be implemented in various forms without departing from the gist of the present invention.
[0108]
In the first embodiment, the ignition key unit 50 is adopted as an external device of the ECU 10, and in the second embodiment, the Y-ECU 20 is adopted as an external device of the X-ECU 10, -It is good also as a structure which employ | adopts both the ignition key part 50 and Y-ECU20 as an external apparatus of ECU10 and Y-ECU20. In this case, the B identification code of the X-ECU 10 is stored in both the ignition key unit 50 and the Y-ECU 20. Therefore, unless all of the X-ECU 10, Y-ECU 20, and ignition key unit 50 are exchanged at the same time, it is not necessary to re-input the B identification code from the outside, and the reliability of the B identification code can be further improved. For example, it is good also as a structure provided with three or more ECUs which perform operation | movement as demonstrated in the said 2nd Embodiment.
[0109]
Further, for example, in the first and second embodiments, it is determined that the control program and control data written in the flash ROM 11a built in the CPU 11 or the flash ROM 21a built in the CPU 21 are not suitable for the control target. In this case (S330: NO in FIG. 8), the warning lamp 31 is turned on via the input / output port 15 (S340 in FIG. 8), and then the control process is performed. On the other hand, when the control program and the control data are not compatible with the model of the engine to be controlled, it may be possible not to shift to the control process after the above-described match determination process. In this case, it is possible to prevent the control target from being adversely affected by executing the control process based on a control program or control data that is incompatible with the control target. Further, when the engine is a control target as in the above-described embodiment, a process of cutting fuel supply to the engine may be executed. In this case, the user does not drive the vehicle in a state where the engine control based on the non-conforming control program is performed, so that the safety of the user can be improved.
[Brief description of the drawings]
FIG. 1 is a block diagram showing an electrical configuration of an ECU according to an embodiment.
FIG. 2 is an explanatory diagram showing a configuration of a control program and control data.
FIG. 3 is a flowchart illustrating a code request process executed by an ignition key unit or an ECU according to the embodiment.
FIG. 4 is a flowchart illustrating a code storage process executed by an ignition key unit or an ECU according to the embodiment.
FIG. 5 is a flowchart showing a transmission process executed by the ECU of the embodiment.
FIG. 6 is a flowchart showing a transmission request process executed by the ECU of the embodiment.
FIG. 7 is a flowchart showing a reception process executed by the ECU of the embodiment.
FIG. 8 is a flowchart showing a coincidence determination process executed by the ECU of the embodiment.
FIG. 9 is a block diagram illustrating an electrical configuration of an electronic control system according to a second embodiment.
[Explanation of symbols]
DESCRIPTION OF SYMBOLS 1 ... Electronic control system 10 ... ECU, X-ECU
20 ... Y-ECU 11,21 ... CPU
11a, 21a ... Flash ROM 11b, 21b ... Standby RAM
12, 22 ... EEPROM 13, 23 ... Input circuit
14, 24 ... Output circuit 15, 25 ... Input / output port
31, 32 ... Warning lamp 50 ... Ignition key part
60 ... Ignition key 61 ... EEPROM
70: Key cylinder 71 ... Communication ECU
80 ... Memory rewriting device 91 ... Communication connector
92, 93, 94 ... communication line

Claims (13)

A non-volatile memory capable of rewriting data is provided. In normal times, a control process for controlling a predetermined control object is executed according to a control program and control data stored in the non-volatile memory, and an external rewrite command is issued. In the electronic control device configured to rewrite a part or all of the control program or control data stored in the nonvolatile memory to a new control program or control data transmitted from the outside when received ,
The control program and the control data is created to include data Main subject identification information is identification information indicating the control target should therefore controlled to the control program and control data,
Identification information storage means for storing control object identification information which is identification information indicating a control object of the electronic control device ;
The controlled object identification information stored in the identification information storage unit, an identification information transmission means for transmitting to the external storage device in order to store the following external storage apparatus,
Prior to the execution of the control process, identification information receiving means for requesting the control target identification information from the external device and receiving the control target identification information transmitted from the external device that has received the request ;
A matching determination means for determining whether or not the previous SL identification information receiving means data Main subject identification information included the in the control program or control data and the control object identification information received by the match,
An abnormality processing execution means for executing an abnormality handling process when the identification information is determined not to match by the matching determination means ;
When the control object identification information can be read from the identification information storage means, the match determination means performs a match determination with the data matching target identification information using the control object identification information stored in the identification information storage means. On the other hand, if the control object identification information cannot be read from the identification information storage means, the control object identification information received by the identification information reception means is used to make a match determination with the data matching object identification information. An electronic control device configured as described above .
External device: having a memory for storing the control target identification information, and configured to transmit the control target identification information stored in the memory to the electronic control device in response to a request from the electronic control device Equipment The electronic control device according to claim 1.
The electronic control device, wherein the abnormal time response processing executed by the abnormal time processing execution means is a process of notifying that the control program or control data is not suitable for the predetermined control target. The electronic control device according to claim 1 or 2,
The electronic control device, wherein the abnormality handling process executed by the abnormality process execution means is a process that does not permit the shift to the control process. The electronic control device according to any one of claims 1 to 3,
The identification information transmitting unit is configured to transmit the control target identification information stored in the identification information storage unit to the external device when the transmission of the control target identification information is requested from the external device. Electronic control device characterized. The electronic control device according to any one of claims 1 to 4 ,
And an identification information requesting unit that requests the external device to transmit the control target identification information when the control target identification information cannot be read from the identification information storage unit. The electronic control device according to any one of claims 1 to 5 ,
An electronic control device characterized in that the control object identification information received by the identification information receiving means is stored in the identification information storage means. The electronic control device according to any one of claims 1 to 6 ,
The electronic control device, wherein the data matching target identification information is uniquely determined from codes constituting the control program and control data. In the electronic control unit according to any one of claims 1 to 7 ,
further,
External information receiving means for receiving external identification information that is identification information indicating a control target of the other electronic control device transmitted from another electronic control device as the external device;
External information storage means for storing external identification information received by the external information receiving means;
External information transmission means for transmitting external identification information stored in the external information storage means to the other electronic control device,
An electronic control device configured to be operable as an external device for the other electronic control device. The electronic control device according to claim 8 .
An electronic control device comprising: external information requesting means for requesting transmission of the external identification information to the other electronic control device when the external information is not stored in the external information storage means. The electronic control device according to claim 8 or 9 ,
The external information requesting means is configured to request retransmission of the external information when the external information is received by the external information receiving means;
Further, it is determined whether the external information received first matches the external information received by the external information receiving means based on the retransmission request. An electronic control device comprising: external information storage control means for storing the external information in the external information storage means. The electronic control device according to any one of claims 8 to 10 ,
The external information transmission unit is configured to transmit the external information stored in the external information storage unit when there is a request for transmission of the external information from the other electronic control unit. . By providing a plurality of electronic control devices according to any one of claims 1 to 11, at least one other electronic control device is configured to operate as an external device for each electronic control device. Electronic control system characterized by A non-volatile memory capable of rewriting data is provided. In normal times, a control process for controlling a predetermined control object is executed according to a control program and control data stored in the non-volatile memory, and an external rewrite command is issued. If received, it is stored in the non-volatile memory. Control program written in the non-volatile memory by an electronic control device configured to rewrite a part or all of the control program or control data to a new control program or control data transmitted from the outside Or a conformity determination method for determining whether or not the control data conforms to a control object,
In order to store the control target identification information stored in the identification information storage means for storing the control target identification information, which is identification information indicating the control target controlled by the electronic control device, on the external storage device side described below, An identification information transmission procedure to be transmitted to the device;
Prior to execution of the control process, an identification information receiving procedure for requesting the control target identification information from the external device and receiving the control target identification information transmitted from the external device that has received the request;
Identification information included in the control program or control data, data adaptation target identification information indicating a control target to be controlled according to the control program and control data, and control target identification information received in the identification information receiving procedure Match determination procedure for determining whether or not match,
If both identification information matches in the matching determination procedure, it is determined that the control program or control data written in the non-volatile memory is suitable for the control target, and both identification information must match. For example, the control program or control data written in the non-volatile memory comprises a determination procedure for determining that the control program or control data is not compatible with the control target, and
In the matching determination procedure, when the control target identification information can be read from the identification information storage unit, the matching determination with the data matching target identification information is performed using the control target identification information stored in the identification information storage unit. On the other hand, if the control object identification information cannot be read from the identification information storage unit, the control object identification information received in the identification information reception procedure is used to determine whether the data match target identification information matches. I do
A conformity judgment method characterized by that.
External device: having a memory for storing the control target identification information, and configured to transmit the control target identification information stored in the memory to the electronic control device in response to a request from the electronic control device Equipment

Images