JP5954261B2 - Electronic control unit - Google Patents

Description

  The present invention relates to an electronic control device that can rewrite a stored program.

  In a vehicle control device, lockstep processing is known as a technique for complying with ISO 26262, which is a standard related to the functional safety of automobiles (see, for example, Patent Document 1). Lockstep processing is a multi-core microcomputer composed of multiple cores. The same operation is executed in parallel on multiple cores and the results of the operations are compared. If it is determined that it is operating and the calculation results do not match, it is determined that an abnormality has occurred in any of the cores.

  If the control program is rewritten after the vehicle is sold to the user side with respect to the engine control device configured to perform such lockstep processing, the vehicle is usually stopped and the engine is stopped. In this state, it is assumed that rewriting is executed. The reason is that if rewriting is performed during the execution of the engine control program, data inconsistency may occur during the execution of the program and the program may not operate normally.

Special table 2007-507015 gazette

  However, if it is assumed that the engine control program stored in the engine control device of the vehicle is rewritten by wireless communication between the remote center that provides the control program and the vehicle, control is performed by wireless communication from the remote center. Each time the program is provided, if the vehicle is stopped and the engine is further stopped, there is a problem that convenience for the vehicle user is impaired.

  The present invention has been made in view of these problems, and avoids the occurrence of a situation in which an abnormality occurs in the operation of the engine due to rewriting of the control program, and improves the convenience for the vehicle user. It aims at providing the technology that can do.

  The electronic control device of the present invention made to achieve the above object includes a first storage unit, a second storage unit, a first process execution unit, a second process execution unit, a first rewrite unit, 2 rewriting means and 3rd rewriting means.

  In the electronic control device of the present invention, a first control program provided for controlling the engine in the first storage unit, and a second control program provided for controlling the engine and different from the first control program, Is memorized. The second storage unit stores a first control program and a third control program that is provided to control the engine and is different from the first control program and the second control program.

  Furthermore, in the electronic control device of the present invention, first, the first process execution means performs processing according to the first control program and the second control program stored in the first storage unit. Further, the second process execution means performs the process according to the first control program and the third control program stored in the second storage unit. And when the 1st rewriting means acquires the 1st rewriting request which requires rewriting of the 1st control program, when an engine has stopped and a vehicle has stopped, it memorizes to the 1st storage part. The first control program being stored and the first control program stored in the second storage unit are rewritten. Further, when the second rewriting means acquires the second rewriting request for requesting rewriting of the second control program, the engine is further stopped and the vehicle is stopped, or the engine is operating. When the vehicle is stopped, the second control program stored in the first storage unit is rewritten. Further, when the third rewriting means acquires the third rewriting request for requesting rewriting of the third control program, the engine is further stopped and the vehicle is stopped, or the engine is operating. When the vehicle is stopped, the third control program stored in the second storage unit is rewritten.

  In the electronic control device configured as described above, rewriting of the first control program stored in the first storage unit and the second storage unit is executed when the engine is stopped and the vehicle is stopped. . For this reason, while the rewriting of the first control program is being executed, the rewriting of the first control program is interrupted due to power interruption or the like, and thereby the contents of the first control program stored in the first storage unit Even if a situation occurs in which the content of the first control program stored in the second storage unit is different, the engine is stopped at this time, so the first process execution means and the second process execution are performed. The means does not perform processing according to the first control program. Therefore, due to the interruption of rewriting of the first control program, the content of the process performed by the first process execution unit according to the first control program and the content of the process performed by the second process execution unit according to the first control program are different. Therefore, it is possible to avoid a situation in which an abnormality occurs in the operation of the engine.

  In the electronic control device of the present invention, the rewriting of the second control program stored in the first storage unit and the rewriting of the third control program stored in the second storage unit are performed when the engine is stopped and the vehicle is It is executed not only when the vehicle is stopped, but also when the engine is running and the vehicle is stopped. For this reason, in order to rewrite a 2nd control program and a 3rd control program, the time which stops a vehicle and also stops an engine can be shortened, and the convenience of a vehicle user can be improved.

  As described above, according to the electronic control device of the present invention, regarding the processing executed by both the first processing execution means and the second processing execution means, that is, processing with high importance, the engine operation is abnormal due to rewriting of the control program. Can be avoided, and the engine is operated for a process executed by one of the first process execution means and the second process execution means, that is, a process of relatively low importance. The convenience of the vehicle user can be improved by allowing the control program to be rewritten even when the vehicle is stopped.

It is a block diagram which shows the structure of engine ECU1 and its peripheral device. It is a flowchart which shows the first half part of ROM mode main processing. It is a flowchart which shows the latter half part of ROM mode main processing. It is a flowchart which shows the first half part of RAM mode main processing. It is a flowchart which shows the latter half part of RAM mode main processing. It is a flowchart which shows the main side lock step corresponding | compatible program rewriting process. It is a flowchart which shows a sub-side lock step corresponding | compatible program rewriting process. It is a flowchart which shows a non-lock step corresponding program rewriting process. It is a figure which shows the relationship between an engine state and a vehicle state, and permission and prohibition of rewriting. 3 is a first timing chart showing the operation of engine ECU1. 3 is a second timing chart showing the operation of engine ECU1. 7 is a third timing chart showing the operation of engine ECU1.

Embodiments of the present invention will be described below with reference to the drawings.
An electronic control unit (Electronic Control Unit) 1 (hereinafter referred to as an engine ECU 1) of the present embodiment is mounted on a vehicle and controls a vehicle engine (not shown).

  As shown in FIG. 1, the engine ECU 1 inputs and outputs signals between a microcomputer (hereinafter referred to as a microcomputer) 2 that performs various processes for controlling the engine and between the outside of the engine ECU 1 and the microcomputer 2. Input circuit 3 and output circuit 4 are provided.

  An accelerator opening sensor 61, a vehicle speed sensor 62, a crank sensor 63, a cam sensor 64, a shift position sensor 65, and the like are connected to the input circuit 3. The accelerator opening sensor 61 detects the accelerator opening according to the amount of depression of the driver's accelerator pedal. The vehicle speed sensor 62 detects the traveling speed of the vehicle on which the engine ECU 1 is mounted. The crank sensor 63 outputs a crank angle signal according to the rotation of the crankshaft of the engine. The cam sensor 64 outputs a cam angle signal according to the rotation of the cam shaft of the engine. The shift position sensor 65 detects a shift position of a transmission (not shown) mounted on the vehicle.

To the output circuit 4, an electronic throttle 71, an injector 72, a spark plug 73, an EGR valve 74, an electric fan 75, a main relay 76, and the like are connected.
The microcomputer 2 includes a core 11, a core 12, a comparison circuit 13, and a communication circuit 14.

  The core 11 includes a CPU 21, a ROM 22 and a RAM 23. The core 12 includes a CPU 31, a ROM 32 and a RAM 33. Hereinafter, the core 11 is also referred to as a main core 11, and the core 12 is also referred to as a sub-core 12.

The ROMs 22 and 32 are data rewritable nonvolatile memories, and store programs executed by the CPUs 21 and 31 and data referred to when the programs are executed.
The ROM 22 stores an electronic throttle control program, an injector control program, a spark plug control program, and an EGR valve control program. The electronic throttle control program is a program for controlling the electronic throttle 71. The injector control program is a program for controlling the injector 72. The spark plug control program is a program for controlling the spark plug 73. The EGR valve control program is a program for controlling the EGR valve 74.

  The ROM 32 stores an electronic throttle control program, an electric fan control program, and a main relay control program. The electric fan control program is a program for controlling the electric fan 75. The main relay control program is a program for controlling the main relay 76.

  The storage areas of the ROMs 22 and 32 are managed by being divided into a plurality of blocks. Data erasure executed before data is written to the ROMs 22 and 32 is executed in units of blocks. Each block is provided with block identification information for identifying the block. The block identification information of the present embodiment is a natural number set so that the value increases by 1 when the storage address of the block in the ROMs 22 and 32 increases by one block. That is, the block identification information of this embodiment is assigned values 1, 2, 3, 4,... In ascending order of storage addresses of the corresponding blocks.

  The RAMs 23 and 33 are volatile memories, and temporarily store calculation results of the CPUs 21 and 31. In addition, the RAMs 23 and 33 are provided with areas for storing information indicating blocks for which data erasure has been completed in the ROMs 22 and 32 (hereinafter referred to as erasure completion block storage areas). Further, the RAMs 23 and 33 are provided with areas (hereinafter referred to as write completion address storage areas) for storing information indicating addresses at which the writing of the control program is completed in the ROMs 22 and 32, respectively.

  The CPUs 21 and 31 input signals output from the accelerator opening sensor 61, the vehicle speed sensor 62, the crank sensor 63, the cam sensor 64, the shift position sensor 65, and the like via the input circuit 3. The CPUs 21 and 31 execute various processes based on programs stored in the ROMs 22 and 32. The CPUs 21 and 31 are connected to each other so that data communication is possible.

  Then, the CPU 21 performs a control calculation based on various signals input via the input circuit 3, and a drive signal for driving the electronic throttle 71, the injector 72, the spark plug 73, and the EGR valve 74 based on the calculation result. Is output. A drive signal for driving the injector 72, the spark plug 73 and the EGR valve 74 is input to the output circuit 4. A drive signal (hereinafter referred to as a throttle drive signal) for driving the electronic throttle 71 is input to the comparison circuit 13.

  Further, the CPU 31 performs a control calculation based on various signals input via the input circuit 3, and outputs a drive signal for driving the electronic throttle 71, the electric fan 75, and the main relay 76 based on the calculation result. . A drive signal for driving the electric fan 75 and the main relay 76 is input to the output circuit 4. A throttle drive signal for driving the electronic throttle 71 is input to the comparison circuit 13.

  The comparison circuit 13 compares the throttle drive signal from the CPU 21 with the throttle drive signal from the CPU 31 and outputs either of the two input throttle drive signals if they match. The throttle drive signal output from the comparison circuit 13 is input to the output circuit 4.

  The communication circuit 14 performs data communication with various devices mounted on the vehicle via the in-vehicle LAN 41. The in-vehicle LAN 41 is connected to a program change ECU 42 that performs wireless communication with a remote center RC installed outside the vehicle. As a result, the core 11 and the core 12 are connected to the program change ECU 42 via the in-vehicle LAN 41 so that data communication is possible.

  The remote center RC is installed so that the program stored in the ROMs 22 and 32 can be updated without the vehicle owner bringing the vehicle to the card dealer. The remote center RC communicates with the program change ECU 42 mounted on the vehicle when it is necessary to update the vehicle control program for controlling the vehicle (that is, the electronic throttle control program and the injector control program described above). By performing wireless communication between them, a new vehicle control program and a rewrite control program for rewriting the vehicle control program are transmitted to the program change ECU 42.

The program change ECU 42 is connected to a user interface (hereinafter referred to as user I / F) 43 including operation keys and a display panel.
When the program change ECU 42 receives a new vehicle control program and a rewrite control program from the remote center RC, the program change ECU 42 issues a permission image display command for instructing the display panel to display a rewrite permission confirmation image for requesting permission to execute the program rewriting process. Output to the user I / F 43. Upon receiving the permission image display command, the user I / F 43 displays a rewrite permission confirmation image on the display panel.

  When the operator operates the operation key of the user I / F 43 while the rewrite permission confirmation image is displayed on the display panel, the user I / F 43 outputs a rewrite permission signal to the program change ECU 42. When the rewrite permission signal is input, the program change ECU 42 transmits a program rewrite request for rewriting the vehicle control program to the engine ECU 1 via the in-vehicle LAN 41.

  When the rewriting of the vehicle control program is completed, the program change ECU 42 outputs a completion image display command to the user I / F 43 instructing to display a rewriting completion image indicating that on the display panel. When the user I / F 43 receives the completion image display command, the user I / F 43 displays the rewriting completion image on the display panel.

In the engine ECU 1 configured as described above, the CPUs 21 and 31 each execute a ROM mode main process which will be described later.
Here, the procedure of the ROM mode main process executed by the CPUs 21 and 31 will be described. The ROM mode main process is a process that is repeatedly executed every predetermined time (in this embodiment, every 4 ms) during the operation of the engine ECU 1.

  When the ROM mode main process is executed, the CPU 21 (CPU 31) first sets the CPU 21 (CPU 31) to the ROM mode in S10 as shown in FIGS. In the ROM mode, the CPU 21 (CPU 31) executes processing by reading a program stored in the ROM 22 (ROM 32) from the ROM 22 (ROM 32).

  In S20, an engine control program stored in the ROM 22 (ROM 32) is read from the ROM 22 (ROM 32), thereby executing processing for controlling the engine. In S20, among the engine control processes, for example, the calculation process of the opening degree of the electronic throttle 71, the fuel injection amount of the injector 72, the ignition timing of the spark plug 73, and the intake air amount is executed every 4 ms. The process for controlling is executed every 8 ms.

  Next, in S30, it is determined whether a program rewrite request for the electronic throttle control program has been received from the program change ECU. If a program rewrite request for the electronic throttle control program is received (S30: YES), the first main request indicating whether or not a program rewrite request for the electronic throttle control program has been made in the main core 11 in S40. In addition to setting the flag F11, the first sub request flag F12 indicating whether or not a program rewrite request for the electronic throttle control program has been made in the sub core 12 is set, and the process proceeds to S60. On the other hand, if the program rewrite request for the electronic throttle control program has not been received (S30: NO), the first main request flag F11 and the first sub request flag F12 are cleared in S50, and the process proceeds to S60. .

  In S60, it is determined whether a program rewrite request for a control program other than the electronic throttle control program in the main core 11 has been received from the program change ECU 42. If a program rewrite request is received (S60: YES), a second main request flag indicating whether or not a program rewrite request for a control program other than the electronic throttle control program has been made in the main core 11 in S70. F13 is set and the process proceeds to S90. On the other hand, if the program rewrite request has not been received (S60: NO), the second main request flag F13 is cleared in S80, and the process proceeds to S90.

  In S90, it is determined whether a program rewrite request for a control program other than the electronic throttle control program in the sub-core 12 has been received from the program change ECU 42. If a program rewrite request is received (S90: YES), a second sub request flag F14 indicating whether or not a program rewrite request for a control program other than the electronic throttle control program has been made in the sub-core 12 in S100. Is set, and the process proceeds to S120. On the other hand, if the program rewrite request has not been received (S90: NO), the second sub request flag F14 is cleared in S110, and the process proceeds to S120.

  In S120, failure diagnosis of the RAM 23 (RAM 33) is executed. In S130, based on the failure diagnosis result in S120, it is determined whether or not the RAM 23 (RAM 33) has failed. If the RAM 23 (RAM 33) has failed (S130: YES), the process proceeds to S190. On the other hand, if the RAM 23 (RAM 33) has not failed (S130: NO), it is determined in S140 whether the key switch position is the OFF (OFF) position or the accessory (ACC) position.

  Here, when the key switch is in the off position or the accessory position (S140: YES), in S150, the engine is stopped (hereinafter referred to as the engine stop state) and the vehicle is stopped. It is judged whether it is in the state (henceforth a vehicle stop state). In the present embodiment, when the engine speed is 300 rpm or less, it is determined that “the engine is stopped”. Further, when the vehicle speed is 0 km / h, it is determined that the vehicle is in a stopped state.

  If the engine is stopped and the vehicle is stopped (S150: YES), a first possible flag F21 indicating whether or not the electronic throttle control program can be rewritten is set in S160. At the same time, a second possible flag F22 indicating whether or not a control program other than the electronic throttle control program can be rewritten is set, and the process proceeds to S190. On the other hand, when the engine is not stopped or the vehicle is not stopped (S150: NO), the process proceeds to S190.

  In S140, if the position of the key switch is other than the OFF position and the accessory position (S140: NO), it is determined in S170 whether the vehicle is in a stopped state and in an idle operation state. If the vehicle is in a stopped state and is in an idle operation state (S170: YES), the first possible flag F21 is cleared and the second possible flag F22 is set, and the process proceeds to S190. On the other hand, when the vehicle is not stopped or is not in the idle operation state (S170: NO), the process proceeds to S190.

  In S190, it is determined whether or not the first possible flag F21 is set. If the first possible flag F21 is set (S190: YES), the first main permission flag F31 indicating whether or not rewriting of the electronic throttle control program is permitted in the main core 11 in S200. Then, the first sub permission flag F32 indicating whether or not rewriting of the electronic throttle control program is permitted in the sub core 12 is set, and the process proceeds to S220. Specifically, when the first main request flag F11 is set, the first main permission flag F31 is set, while when the first main request flag F11 is cleared, the first main permission flag F31 is set. To clear. Similarly, when the first sub request flag F12 is set, the first sub permission flag F32 is set, while when the first sub request flag F12 is cleared, the first sub permission flag F32 is cleared. To do. On the other hand, if the first possible flag F21 is cleared (S190: NO), the first main permission flag F31 and the first sub permission flag F32 are cleared in S210, and the process proceeds to S220.

  In S220, it is determined whether the second possible flag F22 is set. Here, when the second possible flag F22 is set (S220: YES), the second indicating whether or not rewriting of a control program other than the electronic throttle control program is permitted in the main core 11 in S230. The main permission flag F33 and a second sub permission flag F34 indicating whether or not rewriting of a control program other than the electronic throttle control program is permitted in the sub core 12 are set, and the process proceeds to S250. Specifically, when the second main request flag F13 is set, the second main permission flag F33 is set, while when the second main request flag F13 is cleared, the second main permission flag F33 is set. To clear. Similarly, when the second sub request flag F14 is set, the second sub permission flag F34 is set, while when the second sub request flag F14 is cleared, the second sub permission flag F34 is cleared. To do. On the other hand, when the 2nd possible flag F22 is cleared (S220: NO), the 2nd main permission flag F33 and the 2nd sub permission flag F34 are cleared in S240, and it transfers to S250.

  In S250, it is determined whether both the first main permission flag F31 and the first sub permission flag F32 are set. If both the first main permission flag F31 and the first sub permission flag F32 are set (S250: YES), the process proceeds to S280. On the other hand, if one of the first main permission flag F31 and the first sub permission flag F32 is cleared (S250: NO), whether or not the second main permission flag F33 is set in S260. Judging.

  If the second main permission flag F33 is set (S260: YES), the process proceeds to S280. On the other hand, if the second main permission flag F33 is cleared (S260: NO), it is determined in S270 whether or not the second sub permission flag F34 is set. If the second sub permission flag F34 is set (S270: YES), the process proceeds to S280. On the other hand, when the second sub permission flag F34 is cleared (S270: NO), the ROM mode main process is temporarily ended.

  In S280, the rewrite control program is received from the program change ECU 42 and stored in the RAM 23 (RAM 33). In S290, the engine control program stored in the ROM 22 (ROM 32) is read from the ROM 22 (ROM 32) and stored in the RAM 23 (RAM 33).

  In S300, it is determined whether all of the rewrite control program and the engine control program are stored in the RAM 23 (RAM 33). Here, when the storage of all of the rewrite control program and the engine control program is not completed (S300: NO), the ROM mode main process is temporarily terminated. On the other hand, when all storage of the rewrite control program and the engine control program is completed (S300: YES), in S320, a storage completion notification indicating that storage of the rewrite control program and the engine control program is completed is sent to the CPU 31 ( CPU21).

  Thereafter, in S320, it is determined whether or not a storage completion notification is received from CPU 31 (CPU 21). Here, when the storage completion notification has not been received (S320: NO), the ROM mode main process is temporarily terminated. On the other hand, if a storage completion notification is received (S320: YES), the CPU 21 (CPU 31) is set to the RAM mode in S330, and the program jumps to the rewrite control program stored in the RAM 23 (RAM 33). Thereby, the RAM mode main process is started. In the RAM mode, the CPU 21 (CPU 31) executes processing by reading a program stored in the RAM 23 (RAM 33).

  Next, the procedure of the RAM mode main process executed by the CPUs 21 and 31 will be described. The RAM mode main process is a process that is repeatedly executed during the operation of the engine ECU 1.

  When the RAM mode main process is executed, the CPU 21 (CPU 31) first sets both the first main permission flag F31 and the first sub permission flag F32 in S410, as shown in FIGS. Judge whether or not. If both the first main permission flag F31 and the first sub permission flag F32 are set (S410: YES), a lock step corresponding program rewriting process (described later) is executed in S420. The lock step compatible program is a control program executed by the main core 11 and the sub core 12, and is an electronic throttle control program in this embodiment. When the lock step corresponding program rewriting process is completed, the first main permission flag F31 and the first sub permission flag F32 are cleared in S430, and the process proceeds to S510.

  On the other hand, when one of the first main permission flag F31 and the first sub permission flag F32 is cleared (S410: NO), the second main permission flag F33 is set in S440, and Then, it is determined whether the CPU 21 of the main core 11 is executing the RAM mode main process. Here, when the second main permission flag F33 is set and the CPU 21 is executing the RAM mode main process (S440: YES), a non-lock step corresponding program rewriting process (described later) is executed. The non-lock step corresponding program is a control program executed by either the main core 11 or the sub-core 12, and is a control program other than the electronic throttle control program in this embodiment. When the non-lock step corresponding program rewriting process is completed, the second main permission flag F33 is cleared in S460, and the process proceeds to S510.

  On the other hand, if the second main permission flag F33 is cleared or if the RAM mode main process is not performed by the CPU 21 of the main core 11 (S440: NO), the second sub permission is performed in S470. It is determined whether or not the flag F34 is set and the CPU 31 of the sub-core 12 is executing this RAM mode main process. Here, when the second sub permission flag F34 is set and the CPU 31 is executing the RAM mode main process (S470: YES), the non-lock step corresponding program rewriting process is executed in S480. When the non-lock step corresponding program rewriting process is completed, the second sub permission flag F34 is cleared in S490, and the process proceeds to S510.

  On the other hand, if the second sub permission flag F34 is cleared or if the RAM mode main process is not executed by the CPU 31 of the sub core 12 (S470: NO), the RAM 23 (RAM 33) is stored in S500. By reading the stored engine control program, a process for controlling the engine is executed, and the process proceeds to S510.

  In S510, it is determined whether both the first main permission flag F31 and the first sub permission flag F32 are cleared. Here, when at least one of the first main permission flag F31 and the first sub permission flag F32 is set (S510: NO), the RAM mode main process is temporarily ended.

  On the other hand, if both the first main permission flag F31 and the first sub permission flag F32 are cleared (S510: YES), it is determined in S520 whether the second main permission flag F33 is cleared. To do. If the second main permission flag F33 is set (S520: NO), the RAM mode main process is temporarily terminated. On the other hand, if the second main permission flag F33 is cleared (S520: YES), it is determined in S530 whether the second sub permission flag F34 is cleared. If the second sub permission flag F34 is set (S530: NO), the RAM mode main process is temporarily terminated.

  On the other hand, if the second sub permission flag F34 is cleared (S530: YES), the CPU 21 (CPU 31) is set to the ROM mode in S540, and the control program stored in the ROM 22 (ROM 32) is jumped to. . This shifts to the ROM mode main process.

Next, the procedure of the lock step corresponding program rewriting process (hereinafter referred to as main side lock step corresponding program rewriting process) executed by the CPU 21 in S420 will be described.
When the main-side lockstep corresponding program rewriting process is executed, as shown in FIG. 6, the CPU 21 first loads the electronic throttle control program in the ROM 22 by referring to the erase completion block storage area of the RAM 23 in S610. It is determined whether or not data erasure of a storage area to be written (hereinafter referred to as a rewrite target area) has been completed.

  If the data erasure in the rewrite target area is not completed (S610: NO), the data erasure in the ROM 22 is executed in S620. Thereafter, in S630, the information stored in the erase completion block storage area is updated so as to indicate that the data erase has been completed in the rewrite target area where the data erase has been executed in the process of S620. Then, the process proceeds to S610.

  On the other hand, if the data erasure in the rewrite target area has been completed (S610: YES), the data set in advance as the amount of data written in one data write to the program change ECU 42 in S640. A command (hereinafter referred to as a write data transmission request command) requesting transmission of write data having a data amount of data is transmitted. Thereafter, in S650, it is determined whether or not write data corresponding to the write unit data amount has been received from program change ECU. Here, when the write data for the write unit data amount has not been received (S650: NO), the process of S650 is repeated, so that the write data for the write unit data amount is obtained from the program change ECU 42. Wait for reception.

  When the write data corresponding to the write unit data amount is received from the program change ECU 42 (S650: YES), the received write data is transmitted to the sub-core 12 in S660. Further, in S670, the received write data is written into the ROM 22. Thereafter, in S680, the information stored in the write completion address storage area is updated so as to indicate that data writing has been completed in the storage area in which the write data is written in S670.

  In S690, it is determined whether or not a write completion notification indicating that the writing of the write data transmitted in S660 has been completed is received from sub-core 12. Here, when the writing completion notification is not received from the sub-core 12 (S690: NO), the processing of S690 is repeated to wait until the writing completion notification is received from the sub-core 12. When the write completion notification is received from the sub-core 12 (S690: YES), the write data is written in all the rewrite target areas in the ROM 22 by referring to the write completion address storage area in S700. It is determined whether or not is completed.

  Here, if there is a rewrite target area for which writing has not been completed (S700: NO), the process proceeds to S640 and the above-described processing is repeated. On the other hand, when the writing is completed in all the rewriting target areas (S700: YES), in S710, all writing indicating that the writing of writing data is completed in all the rewriting target areas in the ROM 32 from the sub-core 12. It is determined whether or not a completion notification has been received. If the all-write completion notification has not been received from the sub-core 12 (S710: NO), the process of S710 is repeated until the all-write completion notification is received from the sub-core 12. If the all-write completion notification is received from the sub-core 12 (S710: YES), the main-side lockstep corresponding program rewriting process is terminated.

Next, the procedure of the lock step corresponding program rewriting process (hereinafter referred to as sub-side lock step corresponding program rewriting process) executed by the CPU 31 in S420 will be described.
When the sub-side lock step corresponding program rewriting process is executed, the CPU 31 first loads the electronic throttle control program in the ROM 32 by referring to the erase completion block storage area of the RAM 33 in S810 as shown in FIG. It is determined whether or not data erasure of a storage area to be written (hereinafter referred to as a rewrite target area) has been completed.

  If the data erasure in the rewrite target area has not been completed (S810: NO), the data erasure in the ROM 32 is executed in S820. Thereafter, in S830, the information stored in the erase completion block storage area is updated so as to indicate that the data erase has been completed in the rewrite target area where the data erase has been executed in the process of S820. Then, the process proceeds to S810.

  On the other hand, when the data erasure of the rewrite target area has been completed (S810: YES), in S840, the write unit preset as the amount of data to be written in one data write from the main core 11 It is determined whether write data corresponding to the amount of write data has been received. Here, when the write data for the write unit data amount is not received (S840: NO), the write data for the write unit data amount is received from the main core 11 by repeating the process of S840. Wait for reception.

  When the write data corresponding to the write unit data amount is received from the main core 11 (S840: YES), the received write data is written in the ROM 32 in S850. Thereafter, in S860, the information stored in the write completion address storage area is updated so as to indicate that the data writing is completed in the storage area in which the write data is written in the process of S850. Further, in S870, a write completion notification indicating completion of writing of the write data is transmitted to the main core 11.

  In S880, it is determined whether or not writing of the write data is completed in all the rewrite target areas in the ROM 32 by referring to the write completion address storage area. If there is a rewrite target area that has not been completely written (S880: NO), the process proceeds to S840 and the above-described processing is repeated. On the other hand, when the writing is completed in all the rewriting target areas (S880: YES), in S890, the all writing completion notification indicating that the writing of the writing data is completed in all the rewriting target areas in the ROM 32 is performed. The data is transmitted to the core 11, and the sub-side lock step corresponding program rewriting process is terminated.

Next, the procedure of the non-lock step corresponding program rewriting process executed by the CPU 21 in S450 and the CPU 31 in S470 will be described.
When this non-lock step corresponding program rewriting process is executed, the CPU 21 (CPU 31) first reads the engine control program stored in the RAM 23 (RAM 33) in S1010 as shown in FIG. Execute the process to control. Thereafter, in S1020, it is determined whether or not the vehicle is in a stopped state (hereinafter referred to as a vehicle stopped state). If the vehicle is not stopped (S1020: NO), the process proceeds to S1010 and the above-described process is repeated.

  On the other hand, when the vehicle is in a stopped state (S1020: YES), the program is rewritten in the ROM 22 (ROM 32) by referring to the erase completion block storage area of the RAM 23 (RAM 33) in S1030. It is determined whether or not data erasure in a storage area (hereinafter referred to as a rewrite target area) in which a control program is written has been completed.

  If the data erasure in the rewrite target area is not completed (S1030: NO), the data erasure in the rewrite target area in the ROM 22 (ROM 32) is executed in S1040. Thereafter, in S1050, the information stored in the erase completion block storage area is updated so as to indicate that the data erase has been completed in the rewrite target area where the data erase has been executed in the process of S1040. Then, the process proceeds to S1010.

  On the other hand, when the data erasure in the rewrite target area has been completed (S1030: YES), a command transmission flag indicating whether or not a write data transmission request command has been transmitted to the program change ECU 42 is set in S1060. Judge whether or not. If the command transmission flag is not set (S1060: NO), a write data transmission request command is transmitted to the program change ECU 42 in S1070. Thereafter, in S1080, the command transmission flag is set, and the process proceeds to S1090. On the other hand, when the command transmission flag is set (S1060: YES), the process proceeds to S1090.

  Then, in S1090, it is determined whether or not write data corresponding to the write unit data amount has been received from the program change ECU 42. If write data for the write unit data amount has not been received (S1090: NO), the process proceeds to S1010. On the other hand, when write data corresponding to the write unit data amount is received from the program change ECU 42 (S1090: YES), the command transmission flag is cleared in S1100. In step S1110, the received write data is written in the ROM 22 (ROM 32). Thereafter, in S1120, the information stored in the write completion address storage area is updated so as to indicate that the data writing is completed in the storage area in which the write data is written in the process of S1110.

  Thereafter, in S1130, by referring to the write completion address storage area, it is determined whether or not writing of the write data is completed in all of the rewrite target areas in the ROM 22 (ROM 32). If there is a rewrite target area where writing has not been completed (S1130: NO), the process proceeds to S1010 and the above-described processing is repeated. On the other hand, when the writing is completed in all the rewriting target areas (S1130: YES), the non-lock step corresponding program rewriting process is ended.

Next, the operation of the engine ECU 1 configured as described above will be described.
First, as shown in FIG. 9 (a), the vehicle on which the engine ECU 1 is mounted is in any one of an engine stop / vehicle stop state C1, an engine operation / vehicle stop state C2, and an engine operation / vehicle travel state C3. Become.

  The engine stop / vehicle stop state C1 is an engine stop state and a vehicle stop state. The engine operation / vehicle stop state C2 is a state in which the engine is operating (hereinafter referred to as an engine operation state) and a vehicle stop state. The engine running / vehicle running state C3 is a state in which the engine is running and the vehicle is running (hereinafter referred to as a vehicle running state).

  As shown in FIG. 9B, in the engine stop / vehicle stop state C1, rewriting of the electronic throttle control program and control programs other than the electronic throttle control program is permitted. In the engine operation / vehicle stop state C2, rewriting of the electronic throttle control program is prohibited, and rewriting of control programs other than the electronic throttle control program is permitted. In the engine operating / vehicle running state C3, rewriting of the electronic throttle control program and control programs other than the electronic throttle control program is prohibited.

  When there is a program rewrite request for a control program other than the electronic throttle control program in the main core 11 and there is no other program rewrite request, the engine is stopped / vehicle stopped state C1 or the engine is operated / vehicle stopped state C2. The main core 11 rewrites the control program requested to be rewritten.

  Further, when there is a program rewrite request for a control program other than the electronic throttle control program in the sub-core 12 and there is no other program rewrite request, the engine is stopped / vehicle stopped C1 or the engine is operated / vehicle stopped C2. In some cases, the sub-core 12 rewrites the control program requested to be rewritten.

  When there is a program rewrite request for a control program other than the electronic throttle control program in the main core 11 and there is a program rewrite request for a control program other than the electronic throttle control program in the sub core 12, the main core 11 and the sub core 12 In each of the above, rewriting of the control program requested to be rewritten is executed.

  In addition, when there is a program rewrite request for the electronic throttle control program in the main core 11 and the sub core 12, the main core 11 and the sub core 12 are synchronized with each other when the engine stop / vehicle stop state C1 is reached. Thus, the electronic throttle control program is rewritten.

  When there is a program rewrite request for the electronic throttle control program in the main core 11 and the sub-core 12 and there is a program rewrite request for a control program other than the electronic throttle control program in the main core 11, the electronic throttle control program is rewritten. The order of rewriting control programs other than the electronic throttle control program is as follows.

  First, when the engine operation / vehicle stop state C2 is entered earlier than the engine stop / vehicle stop state C1, the main core 11 rewrites a control program other than the electronic throttle control program. Thereafter, when the engine stop / vehicle stop state C1 is entered, the main core 11 and the sub-core 12 rewrite the electronic throttle control program in synchronization with each other.

  Further, when the engine stop / vehicle stop state C1 is entered earlier than the engine operation / vehicle stop state C2, the electronic core control program is rewritten in synchronization with each other in the main core 11 and the sub core 12. . When rewriting of the electronic throttle control program is completed, rewriting of control programs other than the electronic throttle control program is executed in the main core 11.

  Next, when there is a program rewriting request for the electronic throttle control program in the main core 11 and the sub core 12 and there is a program rewriting request for a control program other than the electronic throttle control program in the sub core 12, the rewriting of the electronic throttle control program is performed. The order of rewriting control programs other than the electronic throttle control program is as follows.

  First, when the engine operation / vehicle stop state C2 is entered earlier than the engine stop / vehicle stop state C1, the sub-core 12 rewrites control programs other than the electronic throttle control program. Thereafter, when the engine stop / vehicle stop state C1 is entered, the main core 11 and the sub-core 12 rewrite the electronic throttle control program in synchronization with each other.

  Further, when the engine stop / vehicle stop state C1 is entered earlier than the engine operation / vehicle stop state C2, the electronic core control program is rewritten in synchronization with each other in the main core 11 and the sub core 12. . When the rewriting of the electronic throttle control program is completed, rewriting of control programs other than the electronic throttle control program is executed in the sub-core 12.

  Next, when there is a program rewriting request for the electronic throttle control program in the main core 11 and the sub core 12, and there is a program rewriting request for a control program other than the electronic throttle control program in the main core 11 and the sub core 12, the electronic throttle The order of rewriting the control program and rewriting the control program other than the electronic throttle control program is as follows.

  First, when the engine operation / vehicle stop state C2 is entered earlier than the engine stop / vehicle stop state C1, the main core 11 and the sub core 12 individually rewrite control programs other than the electronic throttle control program. Is done. Thereafter, when the engine stop / vehicle stop state C1 is entered, the main core 11 and the sub-core 12 rewrite the electronic throttle control program in synchronization with each other.

  Further, when the engine stop / vehicle stop state C1 is entered earlier than the engine operation / vehicle stop state C2, the electronic core control program is rewritten in synchronization with each other in the main core 11 and the sub core 12. . When the rewriting of the electronic throttle control program is completed, rewriting of control programs other than the electronic throttle control program is executed individually for each of the main core 11 and the sub-core 12.

FIG. 10 is a timing chart showing the operation when program rewriting is not executed.
As shown in FIG. 10, when the key switch is switched from the off state to the on state, power is supplied to the engine ECU 1 (see time t01), and the electronic throttle control program is executed in the CPU 21 of the main core 11 and the CPU 31 of the sub core 12. A control program other than the electronic throttle control program is executed. Since the electronic throttle control program is a lock step target, the electronic throttle control program of the CPU 21 and the electronic throttle control program of the CPU 31 are executed at the same timing.

  Thereafter, when the key switch is switched from the on state to the off state (see time t02), the execution of the electronic throttle control program and the execution of the control program other than the electronic throttle control program are stopped, and then the engine ECU 1 is shut down. Pre-processing is executed. Then, the engine ECU 1 changes the drive signal output to the main relay 76 from on to off, whereby the power supply to the engine ECU 1 is interrupted (see time t03), and the function of the engine ECU 1 is stopped.

FIG. 11 is a timing chart showing an operation when program rewriting of a control program other than the electronic throttle control program is executed.
As shown in FIG. 11, when the key switch is switched from the off state to the on state, power is supplied to the engine ECU 1 (see time t11), and the electronic throttle control program and A control program other than the electronic throttle control program is executed. Thereafter, engine ECU 1 receives program rewrite request RR from program change ECU 42 (see time t12). At this time, since the vehicle is in a state where the engine is operating (hereinafter referred to as an engine operating state) and is in a traveling state (hereinafter referred to as a vehicle traveling state), the program rewriting is not executed.

  Thereafter, when the vehicle is in an engine operating state and a vehicle stopped state (see time t13), the CPU 21 of the main core 11 and the CPU 31 of the sub core 12 rewrite programs for control programs other than the electronic throttle control program. Processing is executed (see rewriting processing RP01, RP02, RP03, RP04, RP05, RP06 in FIG. 11). The program rewriting process of the CPU 21 and the program rewriting process of the CPU 31 do not need to be executed at the same timing, but are executed individually. Further, even during execution of the program rewriting process for a control program other than the electronic throttle control program, the engine control is continuously executed in each of the CPUs 21 and 31.

  Thereafter, when the program rewriting process in the CPU 21 is completed (see time t14), the CPU 21 switches from the RAM mode to the ROM mode. When the program rewriting process in the CPU 31 is completed (see time t15), the CPU 31 switches from the RAM mode to the ROM mode.

  Thereafter, when the key switch is switched from the on state to the off state (see time t16), the execution of the electronic throttle control program and the execution of the control program other than the electronic throttle control program are stopped, and then the engine ECU 1 is shut down. Pre-processing is executed. Then, when the engine ECU 1 changes the drive signal output to the main relay 76 from on to off, the power supply to the engine ECU 1 is interrupted (see time t17), and the function of the engine ECU 1 is stopped.

  FIG. 12 is a timing chart showing an operation in the case where the program rewriting of the electronic throttle control program and the program rewriting of a control program other than the electronic throttle control program are executed.

  As shown in FIG. 12, when the key switch is switched from the off state to the on state, power is supplied to the engine ECU 1 (see time t21), and the electronic throttle control program is executed in the CPU 21 of the main core 11 and the CPU 31 of the sub core 12. A control program other than the electronic throttle control program is executed. Thereafter, engine ECU 1 receives program rewrite request RR from program change ECU 42 (see time t22). At this time, since the vehicle is in the engine running state and the vehicle running state, the program rewriting is not executed.

  Thereafter, when the vehicle is in an engine operating state and a vehicle stopped state (see time t23), the program rewriting process for the control program other than the electronic throttle control program is performed in the CPU 21 of the main core 11 and the CPU 31 of the sub core 12. Is executed (see rewriting processes RP11, RP12, RP13, and RP14 in FIG. 12). The program rewriting process of the CPU 21 and the program rewriting process of the CPU 31 do not need to be executed at the same timing, but are executed individually. Further, even during execution of the program rewriting process for a control program other than the electronic throttle control program, the engine control is continuously executed in each of the CPUs 21 and 31.

  Thereafter, when the vehicle enters the vehicle running state (see time t24), the program rewriting process being executed by the CPU 21 and the program rewriting process being executed by the CPU 31 are interrupted, and the engine control is continuously executed in each of the CPUs 21 and 31. Is done.

  Thereafter, when the vehicle is in the engine operating state and the vehicle is in the stopped state again (see time t25), the CPU 21 and 31 resume execution of the program rewriting process for the control program other than the electronic throttle control program. (Refer to the rewrite processes RP15, RP16, RP17, and RP18 in FIG. 12). When the program rewriting process is resumed, data writing is executed from the storage area where the program rewriting process is interrupted based on the information stored in the erase completion block storage area and the write completion address storage area.

  Thereafter, the program rewriting process in the CPU 21 is completed (see time t26). Further, the program rewriting process in the CPU 31 is completed (see time t27). Since rewriting of the electronic throttle control program has not been completed, the CPUs 21 and 31 continue the RAM mode.

  Thereafter, when the key switch is switched from the on state to the off state (see time t28), the execution of the electronic throttle control program and the execution of control programs other than the electronic throttle control program are stopped. Since the vehicle is in the engine stop state and the vehicle stop state (see time t28), the program rewriting process for the electronic throttle control program is executed in the CPU 21 of the main core 11 and the CPU 31 of the sub core 12. (Refer to the rewriting processes RP19 and RP20 in FIG. 12). Before and after rewriting the electronic throttle control program, the electronic throttle control program stored in the ROM 22 and the electronic throttle control program stored in the ROM 32 need to be the same. Thus, the electronic throttle control program is rewritten. For this reason, the program rewriting process for the electronic throttle control program is executed in time synchronization between the CPU 21 and the CPU 31.

  When the program rewriting process for the electronic throttle control program is completed (see time t29), the CPUs 21 and 31 are switched from the RAM mode to the ROM mode. Further, since the key switch is already in the OFF state at this time, a pre-process for shutting down engine ECU 1 is executed. Then, when the engine ECU 1 changes the drive signal output to the main relay 76 from on to off, the power supply to the engine ECU 1 is interrupted (see time t30), and the function of the engine ECU 1 is stopped.

  Thereafter, when the key switch is switched from the off state to the on state, the CPUs 21 and 31 execute processing by reading the control programs from the ROMs 22 and 32, respectively.

  In the engine ECU 1 configured as described above, the ROM 22 stores an electronic throttle control program, an injector control program, a spark plug control program, and an EGR valve control program. The ROM 32 stores an electronic throttle control program, an electric fan control program, and a main relay control program.

  Further, in the engine ECU 1, first, the main core 11 performs processing according to the electronic throttle control program, injector control program, spark plug control program, and EGR valve control program stored in the ROM 22 (S20, S500, S1010). The sub-core 12 performs processing according to the electronic throttle control program, the electric fan control program, and the main relay control program stored in the ROM 32 (S20, S500, S1010). When a request for rewriting the electronic throttle control program is received (S30: YES), and when the engine is stopped and the vehicle is stopped (S150: YES), the electronic throttle stored in the ROM 22 is stored. The control program and the electronic throttle control program stored in the ROM 32 are rewritten (S420). Further, when a program rewrite request for a control program other than the electronic throttle control program in the main core 11 is received (S60: YES), and when the engine is stopped and the vehicle is stopped (S150: YES), Alternatively, when the vehicle is in the idle operation state and the vehicle is in a stopped state (S170: YES), the control program for which a program rewrite request has been made is rewritten (S450). Further, when a program rewrite request for a control program other than the electronic throttle control program in the sub-core 12 is received (S90: YES), and when the engine is stopped and the vehicle is stopped (S150: YES), or When the vehicle is in the idle operation state and the vehicle is stopped (S170: YES), the control program for which the program rewrite request has been made is rewritten (S480).

  As described above, the rewriting of the electronic throttle control program stored in the ROM 22 and the ROM 32 is executed when the engine is stopped and the vehicle is stopped. For this reason, during rewriting of the electronic throttle control program, rewriting of the electronic throttle control program is interrupted due to power interruption or the like, whereby the contents of the electronic throttle control program stored in the ROM 22 and the ROM 32 are stored. Even if the situation of the stored electronic throttle control program is different, since the engine is stopped at this time, the main core 11 and the sub-core 12 perform processing according to the electronic throttle control program. not going. Therefore, due to interruption of rewriting of the electronic throttle control program, the content of processing performed by the main core 11 according to the electronic throttle control program and the content of processing performed by the sub-core 12 according to the electronic throttle control program are different. It is possible to avoid a situation in which an abnormality occurs in the operation of the engine.

  Further, the engine ECU 1 rewrites the injector control program, spark plug control program, and EGR valve control program (hereinafter also referred to as a main-side non-locking step correspondence program) stored in the ROM 22, the electric fan control program stored in the ROM 32, and Rewriting of the main relay control program (hereinafter also referred to as a sub-side non-locking step compatible program) is not only performed when the engine is stopped and the vehicle is stopped, but also when the engine is operating and the vehicle is stopped. It is also executed when For this reason, it is possible to shorten the time for stopping the vehicle and further stopping the engine in order to rewrite the main-side non-lock step corresponding program and the sub-side non-lock step corresponding program, improving the convenience for the vehicle user. Can be made.

  For example, when the engine is stopped and the vehicle is stopped, the key switch is turned off while at least one of the main-side non-lock step corresponding program and the sub-side non-lock step corresponding program is being rewritten. The engine can be started when the engine is switched from on to off. For example, when both the electronic throttle control program and the non-lock step corresponding program are rewritten, the non-lock step corresponding program can be rewritten before the engine is stopped. For this reason, compared with the case where both the electronic throttle control program and the non-lock step corresponding program are rewritten after the engine is stopped, the time for which the engine is stopped to rewrite the control program can be shortened.

  As described above, according to the engine ECU 1, with respect to processing executed by both the main core 11 and the sub-core 12, that is, processing with high importance, the occurrence of a situation in which an abnormality occurs in engine operation due to rewriting of the control program is avoided. In addition, the process executed by one of the main core 11 and the sub-core 12, that is, the process of relatively low importance, is controlled even when the engine is running and the vehicle is stopped. The convenience of the vehicle user can be improved by enabling the rewriting of the program.

  In the engine ECU 1, the electronic throttle control program stored in the ROM 22 and the main-side non-locking step corresponding program stored in the ROM 22 are stored in the RAM 23, the electronic throttle control program stored in the ROM 32, and the ROM 32. Is stored in the RAM 33 (S290). The main core 11 is compatible with the electronic throttle control program stored in the RAM 23 and the main non-locking step when at least rewriting the electronic throttle control program or rewriting the main non-locking step compatible program. By reading the program, processing is performed in accordance with the electronic throttle control program and the main-side non-lock step correspondence program. In addition, the sub-core 12 at least performs rewriting of the electronic throttle control program or rewriting of the sub-side non-locking step compatible program, and the electronic throttle control program and the sub-side non-locking step corresponding program stored in the RAM 33. Is read out in accordance with the electronic throttle control program and the sub-side non-lock step corresponding program.

  Thus, the engine ECU 1 can rewrite the electronic throttle control program, the main-side non-lock step corresponding program, and the sub-side non-lock step corresponding program while continuing to execute the process for controlling the engine.

  The engine ECU 1 also rewrites the electronic throttle control program rather than the main side non-lock step corresponding program when both the electronic throttle control program and the main side non-lock step corresponding program can be rewritten. In addition to giving priority (S410, S440), when both the rewriting of the electronic throttle control program and the rewriting of the sub-side non-locking step compatible program are possible, the electronic throttle control is performed rather than the rewriting of the sub-side non-locking step compatible program. Prioritizing program rewriting (S410, S470).

  This suppresses the occurrence of a situation in which rewriting of the electronic throttle control program permitted when the engine is stopped and the vehicle is stopped is not executed when the engine is stopped and the vehicle is stopped. Can do. On the other hand, the rewriting of the program corresponding to the non-lock step is executed also when the engine is running and the vehicle is stopped. For this reason, when both the electronic throttle control program and the non-lock step corresponding program are rewritten, it is possible to shorten the time required to complete the rewriting of both programs as much as possible. Therefore, the updated control program can be used at the earliest possible time, and convenience for the vehicle user can be improved.

  Further, when the engine is operating and the engine is not in an idle state (S140: NO, S170: NO), the engine ECU 1 prohibits rewriting of the main-side non-lock step corresponding program and the sub-side non-lock step corresponding program. .

  As a result, when the engine speed is high, that is, when the processing load of the engine ECU 1 is high, it is possible to avoid a situation in which the rewriting of the control program is further performed, and the processing load of the engine ECU 1 is reduced. Increase can be suppressed.

  Further, the engine ECU 1 determines whether or not the RAMs 23 and 33 are malfunctioning (S120). If the RAMs 23 and 33 are malfunctioning (S130: YES), the electronic throttle control program, the main-side non-locking step correspondence program In addition, rewriting of the program corresponding to the sub-side non-locking step is prohibited. As a result, when the control program is rewritten while the process for controlling the engine is continued, the reliability of the engine control can be improved.

  The engine ECU 1 executes an electronic throttle control program on both the main core 11 and the sub core 12. Thereby, the reliability of the electronic throttle control that has a great influence on the engine operation can be improved.

  In the embodiment described above, the engine ECU 1 is the electronic control device in the present invention, the ROM 22 is the first storage unit in the present invention, the ROM 32 is the second storage unit in the present invention, and the processes of the CPU 21 and S20, S500, S1010 are in the present invention. The first process execution means, the CPU 31 and the processes of S20, S500, S1010 are the second process execution means in the present invention, the process of S420 is the first rewrite means in the present invention, the process of S450 is the second rewrite means in the present invention, S480. Is the third rewriting means in the present invention, the electronic throttle control program is the first control program in the present invention, the main side unlock step corresponding program is the second control program in the present invention, and the sub side unlock step corresponding program is in the present invention. Is the third control program in

  The RAMs 23 and 33 are memories in the present invention, the process in S290 is storage means in the present invention, the processes in S410, S440, and S470 are priority means in the present invention, the process in S170 is the first prohibition means in the present invention, and the process in S120. Is the failure determination means in the present invention, and the processing of S130 is the second prohibition means in the present invention.

As mentioned above, although one Embodiment of this invention was described, this invention is not limited to the said embodiment, As long as it belongs to the technical scope of this invention, a various form can be taken.
For example, in the above-described embodiment, the electronic throttle control program is executed by both the two cores 11 and 12, but the electronic throttle control program may be executed by three or more cores.

  In the above embodiment, the control programs are stored in the ROMs 22 and 32, respectively. However, the control programs executed by the cores 11 and 12 may be stored in one ROM.

  In the above-described embodiment, the lock step corresponding program is an electronic throttle control program. However, the lock step corresponding program may be a control program other than the electronic throttle control program.

DESCRIPTION OF SYMBOLS 1 ... Engine ECU, 11 ... Main core, 12 ... Sub core, 21 ... CPU, 22 ... ROM, 31 ... CPU, 32 ... ROM

Claims (6)

An electronic control device (1) for controlling a vehicle engine,
A first storage unit (22) for storing a first control program provided for controlling the engine and a second control program provided for controlling the engine and different from the first control program;
A second storage unit (32) for storing the first control program and a third control program provided to control the engine and different from the first control program and the second control program;
First processing execution means (21, S20, S500, S1010) for performing processing according to the first control program and the second control program stored in the first storage unit;
Second process execution means (31, S20, S500, S1010) for performing processing according to the first control program and the third control program stored in the second storage unit;
When the first rewriting request for requesting rewriting of the first control program is acquired, the first storage unit stores the information when the engine is stopped and the vehicle is stopped. A first rewriting means (S420) for rewriting the first control program and the first control program stored in the second storage unit;
In the case where a second rewriting request for requesting rewriting of the second control program is acquired, the engine is stopped and the vehicle is stopped, or the engine is operating and the vehicle Is rewritten, the second rewriting means (S450) for rewriting the second control program stored in the first storage unit,
When the third rewriting request for requesting rewriting of the third control program is acquired, the engine is stopped and the vehicle is stopped, or the engine is operating and the vehicle is stopped. An electronic control device comprising: third rewriting means (S480) for rewriting the third control program stored in the second storage unit when the computer is stopped. Rewritable memory (23, 33);
The first control program stored in the first storage unit, the second control program stored in the first storage unit, the first control program stored in the second storage unit, and the Storage means (S290) for storing the third control program stored in the second storage unit in the memory;
The first process execution means executes at least the first control program and the second control program stored in the memory when the first rewrite means or the second rewrite means is executing rewrite. By reading, processing is performed according to the first control program and the second control program,
The second process execution means executes at least the first control program and the third control program stored in the memory when the first rewrite means or the third rewrite means is executing rewrite. The electronic control device according to claim 1, wherein the electronic control device performs processing according to the first control program and the third control program by reading. When both the execution of the first rewriting means and the execution of the second rewriting means are possible, the execution of the first rewriting means is prioritized over the execution of the second rewriting means, and the first rewriting means And priority means (S410, S440, S470) that prioritizes execution of the first rewriting means over execution of the third rewriting means when both execution of the first rewriting means and execution of the third rewriting means are possible. The electronic control device according to claim 1 or 2, wherein The first prohibiting means (S170) for prohibiting execution of the second rewriting means and the third rewriting means when the engine is operating and the engine is not in an idle state. The electronic control device according to any one of claims 1 to 3. Failure determination means (S120) for determining whether or not the memory has failed;
And a second prohibiting unit (S130) for prohibiting execution of the first rewriting unit, the second rewriting unit, and the third rewriting unit when the failure determining unit determines that the memory is faulty. The electronic control device according to claim 2. The electronic control device according to any one of claims 1 to 5, wherein the first control program is a program for controlling an electronic throttle provided in the engine.