JP4864056B2 - Control device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To avoid a failure in system boot even when an abnormality occurs in initialization processing during a system reset. <P>SOLUTION: A controller with a plurality of function achieving means for achieving the same function includes a switching means for selecting, by switching, the function achieving means, wherein the switching means selects through a switching operation the function achieving means to be used from among the plurality of function achieving means during booting and during rebooting after occurrence of an abnormality, and selects a different function achieving means during next booting if any abnormality in the selected function achieving means is found. The function achieving means may be a program executed by a microcontroller provided in the controller, or a core of a CPU provided in the microcontroller. <P>COPYRIGHT: (C)2010,JPO&amp;INPIT

Description

  The present invention relates to a control device of a system that controls an actuator, and more particularly, to a control device incorporating a microcontroller.

  In an automobile engine control apparatus, the amount of fuel and the injection timing are controlled based on an input such as a crank angle sensor signal. Engine control requires advanced control based on a large amount of information as it becomes more sophisticated. In recent years, an engine control device has a built-in microcontroller (hereinafter referred to as “microcomputer”), and a program in which processing procedures are written in advance is stored in a ROM (read only memory). In addition, when multiple microcomputers are installed, or when there are multiple CPU (central processing unit) cores built into the microcomputer, processing can be executed in parallel, and high-reliability functions that take advantage of improved performance and redundancy Can be realized.

  As a technique for realizing a high-reliability function of a system, Patent Document 1 describes a technique for duplicating a memory. In this technique, a memory and a system bus are duplicated in a system including an error detection circuit, and the error detection circuit checks that there is no error in data read from the memory.

JP-A-8-16484

  A control device equipped with a microcomputer realizes processing according to a program stored in a ROM. When the system is activated, the control device starts processing from a predetermined program address. If an abnormality occurs in an area in the ROM that stores a program to be executed when the system is started, the system stops operating and the system goes down. Further, even in a microcomputer equipped with a plurality of CPU cores, if one CPU core fails, if it is used at system startup, the system will not operate in this case, and the system will be down.

  The technology described in Patent Document 1 does not mention when the CPU core is faulty, and has an error detection circuit, and not only the memory but also the system bus and system bus control device are duplicated, so the scale of the system increases. Increase in cost and complexity of operation and management are expected.

  An object of the present invention is to provide a control device capable of avoiding an abnormality and preventing a system down even if an abnormality occurs in hardware such as a memory such as a ROM or a CPU core, with a simple configuration. It is said.

  In order to solve the above problems, the control device of the present invention has the following characteristics.

  A control device having a plurality of function realization means for realizing the same function, comprising a switching means for selecting the function realization means by switching, and at the time of starting and restarting after occurrence of an abnormality, The function realization means to be used is selected from among the function realization means by switching operation, and when there is an abnormality in the function realization means, a different function realization means is selected at the next activation.

  Further, in the control apparatus having a plurality of function realizing means for realizing the same function, the function realizing means to be used is selected from among the plurality of function realizing means according to a predetermined allocation procedure at the time of starting and restarting the control apparatus. Switching means for selecting by switching, and when the selected function realizing means has an abnormality, the switching means excludes the function realizing means in which the abnormality has occurred from the assignment procedure and reorganizes the assignment procedure. The function realizing means at the time of subsequent restart is selected by switching.

  The function realization means is a program executed by a microcontroller included in the control device or a CPU core included in the microcontroller.

  According to the present invention, in a control device equipped with a microcomputer, it is provided with a plurality of hardware that realizes the same function, and by switching and operating these hardware each time the microcomputer is started or reset (restarted), System down can be avoided.

  The present invention is characterized in that the hardware is switched in accordance with a predetermined allocation procedure, for example, rotation every time the microcomputer is started or reset (restarted). In the following embodiments, as an example of hardware to be switched, The case of the memory address, the CPU core, and both the memory address and the CPU core will be described. The microcomputer is reset when the system is in operation. In this embodiment, the activation of the microcomputer after the power is turned on is also referred to as reset, and the CPU core is simply referred to as “CPU”.

  The first embodiment is an example showing that by having two identical initialization processing programs in a memory, a system down can be avoided even if an abnormality occurs in a memory area storing the initialization processing program. In this embodiment, the initialization processing program in the memory is switched by switching the start address of the program every time the microcomputer is reset.

  FIG. 1 is a configuration diagram of a control device showing an embodiment of the present invention. The control device 1 is connected to one or more sensors 3 and one or more actuators 2 and communicates with other control devices 5 via the network 4 to control the system. Further, the control device 1 includes a microcomputer A11, a microcomputer B12, and one or more peripheral ICs (integrated circuits) 13.

  The microcomputer A11 is connected to the microcomputer B12 and the peripheral IC 13. Further, the microcomputer A11 includes a flash ROM (flash memory) 112, a RAM (random access memory) 113, a program activation control unit 111, a DMA (direct memory) in which programs and data necessary for the control device 1 to execute control are stored. (Access) controller 115, exception occurrence identifier storage unit 117, CPU (central processing unit) 114, and peripheral module 116. The CPU 114 starts processing of the program stored in the flash ROM 112 from a specified address according to the activation identifier stored in the program activation control unit 111 at the time of activation, and performs control of the control device 1.

  The microcomputer B12 may have the same configuration as the microcomputer A11, or may have any other configuration. In the following, focusing on the microcomputer A11, processing in the microcomputer A11 will be described.

  FIG. 2 is a configuration diagram of the program activation control unit 111. The program activation control unit 111 includes an activation identifier storage unit 1111 and an activation table 1112.

  The activation identifier storage unit 1111 stores an activation identifier for starting a program. When the power is turned on, the activation identifier is an indefinite value.

  The activation table 1112 is a table in which an activation identifier, a start address, and a start permission are recorded, and the predetermined rotation (allocation procedure) described above is recorded. The program starts executing from the designated start address according to the activation identifier. The start address is the address of the memory where the program is started, and the program is started from the corresponding start address in accordance with the start permission.

  The start permission is for setting permission / prohibition to start the program from the corresponding start address, and the program is started from the start address set to “permitted”, but set to “prohibited”. It does not start from the specified start address. That is, the start address set to “prohibited” is excluded from the rotation. The rotation is reorganized by such setting of permission / prohibition of start permission. In addition, the case where only one activation identifier whose start permission is set to “permitted” is included in the rotation.

  In the example of the activation table 1112 in FIG. 2, when the activation identifier is activation_0, the start address is 0x0000 and the start permission is “permitted”, so the program starts from the address 0x0000. When the activation identifier is activation_1, since the start address is 0x2000 and the start permission is “permitted”, the program starts from the address 0x2000.

  When the start permission is “prohibited”, that is, when the start is prohibited, the corresponding activation identifier is not selected and stored in the activation identifier storage unit 1111. For example, when the start permission of the activation_1 is set to “prohibited”, there is no case where the program starts from address 0x2000. The program starts only from the start address where the start permission is set to “permitted”. In the example of FIG. 2, when the start permission of start — 1 is set to “prohibited”, the program always starts from address 0x0000 of start — 0. If there are a plurality of start addresses for which the start permission is set to “permitted”, the start addresses of the programs are switched in the order recorded in the activation table 1112.

  FIG. 3 is a diagram showing a processing flow from the reset of the microcomputer A11 to the start of the program. This processing flow will be described with reference to the configuration diagram of the program activation control unit 111 in FIG. It should be noted that the processing at startup after power-on is the same as the processing at reset except that the value of the startup identifier is indefinite. In the following description, processing at startup after power-on is included in processing at reset.

  First, in process 191, the microcomputer A11 is reset (activated when the power is turned on).

  In process 192, it is determined whether the activation identifier stored in the activation identifier storage unit 1111 is a valid value, that is, an indefinite value. This is because the activation identifier is an indefinite value when the power is turned on. Note that the activation identifier storage unit 1111 is not initialized when the system power is held, even if a reset occurs, and thus the value set at the previous reset is held.

  If the determination in process 192 is YES, that is, if the activation identifier is a valid value, process 193 is performed. The process 193 is an activation identifier whose start permission is set to “permitted” among the activation identifiers recorded in the activation table 1112, and is next to the activation identifier currently stored in the activation identifier storage unit 1111. Are stored in the activation identifier storage unit 1111. For example, in the example of FIG. 2, if the current activation identifier is activation_0, activation_1 is stored. At this time, the current activation identifier is overwritten, and only activation_1, which is the newly stored activation identifier, is stored in the activation identifier storage unit 1111. If the current activation identifier is the activation identifier recorded at the end of the activation table 1112, the activation identifier recorded at the top is returned to the activation identifier whose start permission is set to “permitted”. Store.

  If the determination in process 192 is NO, that is, if the activation identifier is an indefinite value, process 194 is performed. In the process 194, the activation_0 that is the activation identifier recorded at the top of the activation table 1112 is stored as a default activation identifier. If the start permission of the activation identifier recorded at the highest level is “prohibited”, the activation identifier is skipped, and the next activation identifier whose start permission is “permitted” is stored.

  As described above, in this processing flow, the activation identifier is stored in the activation identifier storage unit 1111 in order, except for the case where the start permission is “prohibited”.

  When the process 193 or the process 194 is completed, the process proceeds to the process 195. In the process 195, the program jumps to the start address corresponding to the activation identifier stored in the activation identifier storage unit 1111 and starts the processing of the program. For example, when activation_1 is stored in the activation identifier storage unit 1111, processing is started from address 0x2000 according to the activation table 1112.

  In this way, the microcomputer A11 can switch the start address of the program every reset.

  FIG. 4 is a chart showing how the activation identifier is switched every time the microcomputer is reset. The chart will be described with reference to FIGS. 2 and 3.

  The upper diagram of FIG. 4 is a normal case, and is an example when the system is operating normally.

  When the power is turned on at time t1801 (power is turned on) and the system is operated (system is turned on), the microcomputer A11 is reset, and the program start processing is performed according to the processing flow of FIG. At this time, since the activation identifier storage unit 1111 contains an indefinite value, activation_0 is stored, and the program is started from the start address 0x0000 corresponding to the activation_0.

  After the system is stopped (system OFF) at time t1802, when the system is turned on at time t1803, the microcomputer A11 is reset, and the program start processing is performed according to the processing flow of FIG. At this time, since activation_0 is already stored in the activation identifier storage unit 1111, activation_1 as the next activation identifier is stored, and the program is started from the start address 0x2000 corresponding to the activation_1.

  Thereafter, after the system is turned off, each time the system is turned on and the microcomputer A11 is reset, activation identifiers are stored in the activation identifier storage unit 1111 in the order recorded in the activation table 1112. The start address of the program is also switched according to the order recorded in the activation table 1112. In the example of FIG. 2, activation_0 and activation_1 are sequentially switched and stored in the activation identifier storage unit 1111. Therefore, the program is started by alternately switching the start addresses 0x0000 and 0x2000.

  The lower diagram of FIG. 4 is an example of an abnormal case. In this case, an abnormality occurs at the address 0x0000 of the FlashROM 112 or an address in the vicinity thereof, and the operation due to the start_0 becomes abnormal.

  When the power is turned on and the system is turned on at time t1811, the microcomputer A11 is reset and the activation_0 is selected as in the normal case. The program is started from the start address 0x0000 corresponding to the start_0.

  At this time, since the memory at address 0x0000 or in the vicinity thereof is abnormal, the program malfunctions at time t1812. When the microcomputer A11 processes an exception due to this malfunction, a reset occurs. This reset then assigns activation_1.

  When the system is turned on at time t1814 after the system is turned off at time t1813, the microcomputer A11 is reset. In this reset, activation_0 is assigned again, but a malfunction of the program occurs in the same way as when the system is turned on at time t1811, and reset occurs at time t1815 due to exception processing.

  At this time, since the reset due to the malfunction at the start of the program occurred twice at the start_0, the microcomputer A11 determines that the start at the start_0 is abnormal by the exception processing, and the start_0 of the start table 1112 Is set to “prohibited” (see the activation table 1112 in the lower diagram of FIG. 4). At the subsequent reset, the program is not started by the activation_0, and an activation identifier other than the activation_0 is selected. In the example of the activation table 1112 in FIG. 4, only activation_1 is repeatedly selected (time t1817 in FIG. 4). Thereby, it is possible to avoid the malfunction of the program due to the memory abnormality and to avoid the system down. Details of the exception processing will be described later.

  In the above example, it was determined that an abnormality occurred when resets due to program malfunctions occurred twice in succession, but abnormalities occurred when resets occurred twice cumulatively even if not consecutively. You may make it judge. Further, the number of resets for determining that an abnormality has occurred is not limited to two, and may be three or more, for example. This number of times can be defined in advance.

  FIG. 5 is a layout diagram of programs stored in the flash ROM 112 on the memory. An initialization process (# 0) 1121 and an initialization process (# 1) 1122 are arranged at addresses 0x0000 and 0x2000 in the FlashROM 112, respectively. The contents of the initialization processes 1121 and 1122 are the same. A main process 1123 is arranged at address 0x3000.

  The initialization processes 1121 and 1122 are the minimum necessary processes for starting the system and avoiding the system down, and differ depending on the system. As shown in the activation table 1112 of FIG. 2, when the activation identifier is activation_0, the initialization process 1121 stored at address 0x0000 is performed. When the activation identifier is activation_1, the initialization process 1122 stored at address 0x2000 is performed. , Respectively. When the program is started and the initialization process 1121 or the initialization process 1122 ends, the process proceeds to the main process 1123 to execute the main process of the system.

  As shown in the abnormal case of FIG. 4, when an abnormality occurs in the start_0, the initialization process (# 1) 1122 is performed after the initialization process (# 1) 1122 from time t1812 to t1813 and after time t1815. Processing 1123 is performed. At the time of resetting at time t1811 and time t1814, an abnormality occurs in the initialization process (# 0) 1121, and thus the main process 1123 is not performed.

  In this way, even if an error occurs in the memory area that stores the initialization process program that is executed at startup, a memory error can be avoided by providing multiple initialization processes in the memory and switching between them. In addition, malfunction of the program and system down can be avoided.

  Exception processing when an abnormality occurs will be described with reference to the exception processing flowchart when an abnormality occurs shown in FIG.

  After an exception has occurred due to an abnormality, in a process 171, the activation identifier stored in the activation identifier storage unit 1111 is stored in the exception occurrence identifier storage unit 117 (see FIG. 1).

  In process 172, an exception handling handler is activated to handle the exception and continue the program.

  In the process 173, the activation identifier stored in the exception occurrence identifier storage unit 117 is read, and if an exception has not occurred with the same activation identifier in the past, if it has occurred, the number of consecutive occurrences or the cumulative number is checked. If the number of consecutive exception occurrences or the number of accumulations exceeds a specified value, the activation identifier is determined to be abnormal. In the example of the abnormal case in FIG. 4, activation_0 has generated an exception twice in succession, and at that time, activation_0 is determined to be abnormal.

  If it is determined in step 173 that there is an abnormality, the process proceeds to step 174, where the start permission of the corresponding activation identifier in the activation table 1112 is set to “prohibited”. Thereby, it is possible to avoid the start of the program due to the start_0.

  When the process 173 or the process 174 is completed, the process proceeds to a process 175 to reset the microcomputer, and the process is continued as shown in the chart of FIG.

  In the first embodiment, it is shown that the system is not brought down even if an abnormality occurs in the initialization process by installing one CPU and having two identical initialization process programs. The second embodiment shows a case where the present invention is implemented in a microcomputer equipped with a plurality of CPU cores (CPUs). In this embodiment, the CPU is switched every time the microcomputer is reset.

  FIG. 7 is a configuration diagram of the control device in the present embodiment. The control device 6 is connected to one or more sensors 8 and one or more actuators 7 and communicates with other control devices 10 via the network 9 to control the system. Further, the control device 6 includes a microcomputer A61, a microcomputer B62, and one or more peripheral ICs 63.

  The microcomputer A61 is connected to the microcomputer B62 and the peripheral IC 63. In addition, the microcomputer A61 includes a flash ROM 612, a RAM 613, a program activation control unit 611, a DMA controller 615, an exception occurrence identifier storage unit 617, and a peripheral module 616 that store programs and data necessary for the control device 6 to execute control. Consists of Further, the microcomputer A61 includes three CPUs, that is, a CPU (0) 614a, a CPU (1) 614b, and a CPU (2) 614c. The CPU (0) 614a, the CPU (1) 614b, and the CPU (2) 614c start the processing of the program stored in the flash ROM 612 from the respective designated addresses according to the program activation control unit 611 at the time of activation. Implement control. In the present embodiment, three CPUs are mounted on the microcomputer A61. However, the number of CPUs is not limited to this and may be plural.

  As in the first embodiment, the microcomputer B62 may have the same configuration as the microcomputer A61 or any other configuration. Hereinafter, focusing on the microcomputer A61, processing in the microcomputer A61 will be described.

  FIG. 8 is a configuration diagram of the program activation control unit 611. The program activation control unit 611 includes a CPU allocation table 6111 and a CPU program activation table 6112.

  The CPU allocation table 6111 stores physical CPU, logical CPU, LOCK, and start permission data, and records the predetermined rotation described above. The physical CPU is an identifier for physically identifying the CPU itself, and is data for the CPU included in the microcomputer A61. The logical CPU is an identifier that logically identifies the CPU, and an address (start address) on the memory at which the program is started is determined by the CPU program activation table 6112. When the power is turned on, the logical CPU becomes an indefinite value.

  LOCK is a flag provided to fix the current setting without switching the correspondence (allocation) between the physical CPU and the logical CPU. When the value of LOCK is “unlock”, the physical CPU assigned to the logical CPU is switched every time the microcomputer A61 is reset. When the value is “lock”, the assignment is locked without being switched.

  The start permission is for setting permission / prohibition of starting a program for the corresponding CPU. When the value of LOCK is “unlock”, the start permission is “permitted”, and when it is “lock”, the start permission is “prohibited”. Only the CPU set to “permitted” executes the process, and the CPU set to “prohibited” does not execute. That is, CPUs set to “prohibited” are excluded from rotation. The rotation is reorganized by such setting of permission / prohibition of start permission. Note that the case where only one CPU is set to “permitted” for start permission is also included in the rotation.

  With these table information, when a failure occurs in a CPU, the operation of the CPU itself can be stopped. Further, when an abnormality occurs in the memory area storing the program, the execution of the program stored in the abnormal area of the memory can be avoided by prohibiting the start of the logical CPU that executes the program.

  FIG. 9 is a diagram showing a processing flow from the reset of the microcomputer A61 to the start of the program. This processing flow will be described with reference to the configuration diagram of the program activation control unit 611 in FIG. In this embodiment as well, the process at the start-up after power-on is the same as the process at reset except that the value of the logical CPU is indefinite. In the following description, processing at startup after power-on is included in processing at reset.

  First, in process 691, the microcomputer A61 is reset (activated when the power is turned on).

  In process 692, it is determined whether the logical CPU corresponding to the physical CPU (CPU (0)) stored in the CPU allocation table 6111 is a valid value, that is, not an indefinite value. This is because the value of the logical CPU is indefinite when the power is turned on. Note that the CPU allocation table 6111 is not initialized even if a reset occurs when the system power supply is held, and thus the value set at the previous reset is held.

  If the determination in process 692 is YES, that is, if the logical CPU is a valid value, process 693 is performed. The process 693 switches the logical CPU to be associated (allocated) with the physical CPU recorded at the highest level in the CPU allocation table 6111. For example, if the logical CPU currently assigned to the CPU (0), which is a physical CPU, is CPU_A, this assignment is changed and CPU_C is assigned. This allocation can be performed in the order recorded in the CPU program activation table 6112 (from the bottom to the top in this embodiment).

  At this time, if the LOCK value of the physical CPU recorded at the top of the CPU allocation table 6111 is “lock”, the logical CPU allocation is not changed for this physical CPU. In this case, the physical CPU is skipped, and the logical CPU to be assigned is switched to the physical CPU whose next LOCK value is “unlock”.

  If the determination in process 692 is NO, that is, if the logical CPU is an indefinite value, process 694 is performed. In process 694, since the logical CPU is an indefinite value, a predefined default logical CPU is set as the CPU (0) of the physical CPU. In this embodiment, the default logical CPU is CPU_A.

  When the process 693 or the process 694 ends, the process proceeds to the process 695. In process 695, logical CPUs subsequent to CPU (1) are assigned on the basis of logical CPU assignment to CPU (0). In the above example, CPU_A is assigned to CPU (0), so CPU_B and CPU_C are assigned to CPU (1) and CPU (2), respectively.

  At this time, the allocation is not changed for the physical CPU whose LOCK value is “lock” in the CPU allocation table 6111. In this case, the physical CPU is skipped, and the logical CPU to be assigned is switched to the physical CPU whose next LOCK value is “unlock”.

  In process 696, each logical CPU jumps to the start address in accordance with the CPU program activation table 6112 and starts program processing. At this time, the CPU whose start permission is set to “prohibited” does not execute the process.

  In this way, the microcomputer A61 changes the allocation of the physical CPU and the logical CPU at each reset, so that the address on the memory in which the program processed by the physical CPU is stored, that is, the physical CPU actually processes it. The contents of the program can be switched. In addition, the physical CPU can be disabled.

  FIG. 10 is a chart showing how the assignment of the physical CPU and the logical CPU is switched every time the microcomputer is reset. The chart will be described with reference to FIGS. 8 and 9. For simplification, FIG. 10 shows only the time when the microcomputer is reset after time t6801, but, similar to FIG. 4, after the system is stopped (system OFF), the system is activated (system ON). ) And a microcomputer reset occurs.

  The upper diagram in FIG. 10 is a normal case, and is an example when the system is operating normally.

  When the power is turned on at time t6801 (power is turned on) and the system is turned on, the microcomputer A61 is reset, and the program start processing is performed according to the processing flow of FIG.

  At this time, since an indefinite value is entered in the logical CPU of the CPU allocation table 6111, the default logical CPU (CPU_A) is set to the CPU (0) which is the physical CPU. CPU_B and CPU_C are assigned to CPU (1) and CPU (2), respectively.

  Thereafter, each time the microcomputer A61 is reset at times t6802, t6803, and t6804, the physical CPU and the logical CPU are in accordance with the order recorded in the CPU program activation table 6112 (from bottom to top in this embodiment). The assignment is switched. Accordingly, the contents of the program processed by each physical CPU are also switched.

  The lower diagram of FIG. 10 is an example of an abnormal case, in which the CPU (1) fails and the operation becomes abnormal.

  When the power is turned on and the system is turned on at time t6811, the microcomputer A61 is reset as in the normal case, and CPU_B is assigned to the CPU (1). At this time, since the CPU (1) is out of order, when the microcomputer A61 executes the program, an abnormality occurs in the CPU_B.

  Due to the occurrence of an abnormality in CPU_B, the microcomputer A61 processes an exception, and a reset occurs at time t6812. By this reset, CPU_A is assigned to the failed CPU (1). At this time, if the microcomputer A61 continues the program, an abnormality occurs in the CPU_A.

  As described above, since the reset due to the abnormality of the logical CPU to which the CPU (1) is assigned has occurred twice in succession, the CPU (1) is determined to be abnormal by the exception processing, and the logical CPU is assigned to the CPU_C. At the same time, the LOCK value is set to “lock” and the start permission is set to “prohibited” (see the CPU allocation table 6111 in the lower diagram of FIG. 10). As a result, the program is not executed on the CPU (1) where the abnormality has occurred. Further, since CPU_C is not executed, the program stored at the start address 0x4000 is not started.

  After time t6813, every time the microcomputer A61 is reset, the assignment of CPU_A and CPU_B to only the CPU (0) and the CPU (2) is switched. Therefore, the program is executed only by the CPUs (0) and (2) as physical CPUs and only by CPU_A and CPU_B as logical CPUs. Thereby, it is possible to avoid the malfunction of the program due to the abnormality of the CPU and to avoid the system down. Details of the exception processing will be described later.

  In the above example, it is determined that an abnormality has occurred in the CPU when resets occur twice in succession. However, as in the case of the first embodiment, when resets occur twice in a cumulative manner even if they are not continuous. In addition, it may be determined that an abnormality has occurred. Further, the number of resets for determining that this abnormality has occurred is not limited to two as in the first embodiment, and may be three or more, for example. This number of times can be defined in advance.

  FIG. 11 is a layout diagram of programs stored in the FlashROM 612 on the memory. A program started by each logical CPU, that is, CPU_A, CPU_B, and CPU_C is stored at addresses 0x0000, 0x2000, and 0x4000 in the FlashROM 612. Regarding the contents of the programs started by the respective logical CPUs, for example, the main process is executed by CPU_A, and auxiliary processes such as an initialization process prior to the main process are executed by CPU_B and CPU_C. Ancillary processes executed by a plurality of logical CPUs (for example, CPU_B and CPU_C) can be the same.

  When one of the CPUs performing the auxiliary process fails, the failed physical CPU is assigned to CPU_C or CPU_B to prohibit the start. In this way, even if one CPU that executes auxiliary processing fails, auxiliary processing such as initialization processing can be executed by another CPU, and subsequently main processing can also be executed. Program malfunction and system down can be avoided.

  Exception processing when an abnormality occurs will be described with reference to the exception processing flowchart when an abnormality occurs shown in FIG.

  After an exception has occurred due to an abnormality, in a process 671, among the physical CPUs stored in the CPU allocation table 6111, the physical CPU that generated the exception is stored in the exception occurrence identifier storage unit 617.

  In process 672, an exception handling handler is activated to handle the exception and continue the program.

  In the process 673, the physical CPU stored in the exception occurrence identifier storage unit 617 is read, and if an exception has not occurred in the same physical CPU in the past, the number of consecutive occurrences or the cumulative number is checked. If the number of consecutive exception occurrences or the number of accumulations exceeds a specified value, the physical CPU is determined to be abnormal. In the example of the abnormal case of FIG. 10, CPU (1) has generated an exception twice in succession, and CPU (1) is determined to be abnormal at that time.

  If it is determined that the process 673 is abnormal, the process proceeds to process 674. In this process, it is determined whether or not the corresponding physical CPU is currently assigned to a logical CPU (CPU_A in the example used in the description of FIG. 11) that executes the main process. This determination is made here by setting the LOCK of the CPU allocation table 6111 to “lock” to be performed in the next process 675 if the corresponding physical CPU is allocated to the logical CPU in charge of the main process. This is because if the process of setting the start permission to “prohibited” is performed, the main process performed by this logical CPU (CPU_A) cannot be executed.

  In order to avoid this, the setting of LOCK and start permission of the CPU allocation table 6111 at this point is avoided, and when the corresponding physical CPU (CPU (1)) is assigned to a logical CPU that does not perform main processing after the next time. LOCK is set to “lock” and start permission is set to “prohibited”. In this way, the logical CPU that executes the main process can always execute the process.

  If it is determined in process 674 that the corresponding physical CPU is not assigned to the logical CPU that executes the main process, the process proceeds to process 675. In this process, the LOCK of the corresponding physical CPU in the CPU allocation table 6111 is set to “lock”, and the start permission is set to “prohibited”. By doing so, it is possible to avoid the start of the program by the corresponding physical CPU (CPU (1)).

  When the process 673, the process 674, or the process 675 is completed, the process proceeds to a process 676 to generate a reset of the microcomputer, and the process is continued as shown in the chart of FIG.

  In the first embodiment, an example in which the start address of the program is switched is shown, and in the second embodiment, the CPU that executes the program is switched. The present embodiment is an example in which the processes in the above two embodiments are executed in parallel, the CPU that executes the program is switched according to a predetermined rotation, and the start address of the program is also switched in each CPU. That is, when the logical CPU is switched as described in the second embodiment, the start address of the program to be executed is switched as described in the first embodiment for each logical CPU.

  The configuration diagram of the control device in this embodiment is the same as FIG. 7 shown in the second embodiment. The microcomputer A61 is equipped with a plurality of CPUs. However, the program activation control unit 611 includes the activation identifier storage unit 1111 and the activation table 1112 illustrated in FIG. 2 of the first embodiment, and the CPU allocation table 6111 and the CPU program activation table 6112 illustrated in FIG. 8 of the second embodiment. .

  The arrangement of the programs stored in the flash ROM 112 on the memory is also a combination of the first embodiment (FIG. 5) and the second embodiment (FIG. 11). That is, a program is assigned to each CPU as shown in FIG. 11, but there are a plurality of assigned programs (two in the example of FIG. 5) for each CPU as shown in FIG.

  The processing content of the microcomputer A61 is also a combination of the first and second embodiments. First, after the CPU is switched according to a predetermined rotation as in the second embodiment, a process of switching the start address of the program according to the predetermined rotation as in the first embodiment is performed for each CPU. The processing flow and the chart used in the first and second embodiments can be used.

  According to the present embodiment, both the avoidance of the system down at the time of the CPU failure described in the second embodiment and the avoidance of the system down due to the program failure described in the first embodiment can be performed.

  The present invention can be applied to a control device incorporating a microcomputer, including automobile control.

It is a block diagram of the control apparatus which shows one Embodiment (Example 1) of this invention. FIG. 3 is a configuration diagram of a program activation control unit according to the first embodiment. It is the figure which showed the processing flow at the time of reset in Example 1. FIG. It is the chart which showed a mode that the starting identifier in Example 1 switched. FIG. 3 is a layout diagram of programs in the FlashROM according to the first embodiment. FIG. 10 is a flowchart of exception processing when an abnormality occurs in the first embodiment. It is a block diagram of the control apparatus which shows another embodiment (Example 2) of this invention. FIG. 10 is a configuration diagram of a program activation control unit according to a second embodiment. It is the figure which showed the processing flow at the time of reset in Example 2. FIG. It is the chart which showed a mode that the allocation of CPU in Example 2 changed. FIG. 10 is a layout diagram of programs in the FlashROM according to the second embodiment. FIG. 10 is a flowchart of exception processing when an abnormality occurs in the second embodiment.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 1 ... Control apparatus, 2, 7 ... Actuator, 3, 8 ... Sensor, 4, 9 ... Network, 5, 10 ... Control apparatus, 6 ... Control apparatus, 11 ... Microcomputer A, 12, 62 ... Microcomputer B, 13, 63 ... peripheral IC, 61 ... microcomputer A, 111 ... program start control unit, 112 ... FlashROM, 113, 613 ... RAM, 114 ... CPU, 115, 615 ... DMA controller, 116, 616 ... peripheral module, 117 ... exception occurrence identifier storage 611... Program start control unit, 612... FlashROM, 614 a... CPU (0), 614 b... CPU (1), 614 c... CPU (2), 617. ... Startup table, 6111 ... CPU allocation table, 6112 ... CPU program start table, 121 ... initialization process (# 0), 1122 ... initialization process (# 1), 1123 ... main process.

Claims (16)

In a control device comprising a microcontroller ,
A memory storing a plurality of initialization processing programs to be executed at the time of starting and restarting the microcontroller, and switching means for selecting the initialization processing program by switching,
Said switching means, said microcontroller startup and restart of the microcontroller, the initialization program to be used from among the initialization program of the multiple, by the switching operation according to a predetermined assignment procedure selected, wherein the time of restart of the microcontroller, the control apparatus characterized by selecting the microcontroller is different from the initialization program executed when the last started initialization program by the switching operation. In a control device comprising a microcontroller ,
A plurality of arithmetic processing means for executing an initialization processing program executed at the time of starting and restarting the microcontroller, and a switching means for selecting processing to be executed by the arithmetic processing means by switching,
Said switching means, said microcontroller startup and restart of the microcontroller, the process that each execution of said operation processing means multiple, selected by the switching operation according to a predetermined assignment procedure, the microcontroller during restart, each of the plurality of arithmetic processing means, the microcontroller control device and performs the switching operation to perform processing different from that performed when the last started. In a control device comprising a microcontroller ,
A memory for stores a plurality of initialization processing program executed upon start-up and restart of the microcontroller, and a plurality of arithmetic processing means for executing the initialization program, by switching the processing in which the arithmetic processing means executes Switching means for selecting and selecting the initialization processing program by switching,
It said switching means, said microcontroller startup and restart of the microcontroller, should be a process that each execution of said operation processing means multiple, and used from among a plurality of said initialization program The initialization processing program is selected by a switching operation according to a predetermined allocation procedure, and when the microcontroller is restarted , each of the plurality of arithmetic processing means is the processing executed when the microcontroller was last started An initialization process that is performed when the processing unit that executes the initialization process program among the plurality of the processing units and then executes the initialization process program is executed when the microcontroller is started last time. the switching to perform different initialization program from the program Control device and performs the work. The control device according to claim 1,
Said switching means, when an abnormality occurs in the memory area storing the selected initialization program, a memory area abnormality occurs excluded from the allocation procedure reorganized allocation procedure, subsequent the micro A control apparatus , wherein an initialization processing program at the time of restarting a controller is selected by the switching operation . The control device according to claim 2, wherein
Said switching means, when an abnormality in the arithmetic processing unit has occurred, the abnormality has occurred processing means is excluded from the allocation procedure reorganized allocation procedure, the restart time of subsequent said microcontroller A control device , wherein the processing executed by each of the arithmetic processing means is selected by the switching operation . The control device according to claim 3,
Said switching means, when an abnormality occurs in the memory area storing the selected initialization program, a memory area abnormality occurs excluded from the allocation procedure reorganized allocation procedure, subsequent the micro An initialization processing program at the time of restarting the controller is selected by the switching operation , and when an abnormality occurs in the arithmetic processing means, the arithmetic processing means in which the abnormality has occurred is excluded from the assignment procedure and the assignment procedure is performed. A control apparatus that performs reorganization and selects a process to be executed by each of the arithmetic processing means when the microcontroller is restarted thereafter by the switching operation . The control device according to claim 1 ,
Wherein the control device has a function of inhibiting the execution of the initialization program, said switching means, a control device for switching the initialization program execution is not prohibited. The control device according to claim 2, wherein
The control device has a function of fixing processing executed by the arithmetic processing means , and the switching means switches processing of arithmetic processing means whose processing to be executed is not fixed . The control device according to claim 3 ,
The control device has a function of prohibiting execution of the initialization processing program and a function of fixing processing executed by the arithmetic processing means, and the switching means is an initialization process whose execution is not prohibited. A control device that switches to a program and switches processing of an arithmetic processing means whose processing to be executed is not fixed . The control device according to claim 1 ,
The said control apparatus is a control apparatus provided with the exception generation | occurrence | production memory | storage part which memorize | stores the information which can identify the said initialization process program which exception generate | occur | produced during execution. The control device according to claim 2, wherein
The said control apparatus is a control apparatus provided with the exception generation | occurrence | production memory | storage part which memorize | stores the information which can identify the said arithmetic processing means in which exception generate | occur | produced during execution. The control device according to claim 3 ,
The control device includes an exception generation storage unit that stores information that can identify the initialization processing program in which an exception has occurred during execution and the arithmetic processing unit . The control device according to claim 1 ,
When an exception occurs during execution of the selected initialization process program , the switching means excludes the exception process from the allocation procedure if the number of exception occurrences exceeds a predetermined number. Control device. The control device according to claim 2, wherein
When an exception occurs during the execution of the processing of the selected arithmetic processing means , the switching means excludes the arithmetic processing means from the allocation procedure if the number of exception occurrences exceeds a predetermined number. Control device. The control device according to claim 3 ,
The switching means, when an exception occurs during execution of the selected initialization processing program or execution of the processing of the selected arithmetic processing means, with respect to the initialization processing program or arithmetic processing means A control device that is excluded from the assignment procedure when the number of occurrences is greater than or equal to a predetermined number. In a control device comprising a microcontroller ,
The microcontroller includes switching means, a memory, and a CPU ,
The memory stores a plurality of initialization processing programs to be executed at the time of starting and restarting the microcontroller, and these initialization processing programs are the same program ,
The CPU includes one or more cores that execute the initialization processing program ,
It said switching means, characterized in that the addresses of the memory storing one or more of the core and a plurality of said initialization program in correspondence, said microcontroller startup and restart switches this correspondence to the control device.

Images