JPH10177504A - Electronic controller - Google Patents

Abstract

PROBLEM TO BE SOLVED: To enable an electronic controller which is constituted in such a way that one microcomputer monitors another microcomputer to write a control program in the monitored microcomputer even after a control program is written in the monitoring microcomputer. SOLUTION: In an ECU 82 which is provided with such two microcomputers 18 and 26 that usually execute control programs stored in their own flash memories and, when a prescribed writing voltage VPP is supplied and an external code is matched with their own codes, write writing data supplied from the outside in their own flash memories after updating the data and is constituted so that one microcomputer 18 can monitor the control program executing state of the other microcomputer 26 and, when the occurrence of abnormality is discriminated, can output a reset signal R2a to the microcomputer 26, a circuit 78a which inhibits the input the reset signal R2a to the microcomputer 26 when the writing voltages VPP are supplied to the microcomputers 18 and 26 is provided.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an electronic control device having a plurality of microcomputers, and more particularly to an electronic control device capable of writing a control program and control data to each microcomputer on board.

[0002]

2. Description of the Related Art Conventionally, for example, Japanese Patent Laid-Open No. 2-99746
As disclosed in Japanese Patent Application Laid-Open Publication No. H10-175, as an electronic control device for a vehicle, an electrically rewritable EEPR is used.
A microcomputer having a non-volatile memory such as an OM or a flash EEPROM (hereinafter referred to as a flash memory) is provided so that control programs and control data stored in the non-volatile memory can be rewritten even after being supplied to the market. What has been proposed.

That is, in this type of electronic control device, a microcomputer normally controls a control target such as an engine by executing a control program constituted by data stored in a nonvolatile memory. On the other hand, when rewriting data in the nonvolatile memory (the control program and the control data referred to when the program is executed), a separately prepared memory writing device is connected to the electronic control device. The memory writing device and the microcomputer are connected via a communication line. Then, when a predetermined rewriting condition is satisfied, the microcomputer receives write data (that is, data constituting a new control program or control data) transmitted from the memory writing device and writes the received write data. Write data, for example, updating the embedded data to the nonvolatile memory and writing the updated data.

Therefore, according to such an electronic control device, it is possible to perform a so-called on-board write, in which a control program and control data are updated and written in a nonvolatile memory of the microcomputer mounted on the device. Therefore, even if a situation in which the operation content (control content) needs to be changed for some reason occurs after the supply to the market, it can be easily dealt with.

According to such an on-board writable electronic control device, a microcomputer is mounted on the device in the manufacturing process, and then a control program and control data are newly written in the nonvolatile memory. be able to.

[0006]

In recent years, electronic control devices of this type have been mainly equipped with a plurality of microcomputers in accordance with complicated control contents. It is conceivable that the apparatus is configured to enable on-board writing for each of the plurality of microcomputers.

In general, in an electronic control device equipped with a microcomputer, in order to ensure control safety, the microcomputer monitors whether or not the control program is normally executed. When an abnormality occurs, it is necessary to reset (initialize) the microcomputer.

[0008] In the case of an electronic control unit equipped with a plurality of microcomputers, a specific microcomputer operates according to the operation of another microcomputer (that is, whether or not the control program is normally executed by that microcomputer. ) May be monitored to perform an operation for resetting the other microcomputer when an abnormality is detected. In other words, with such a configuration, it is not necessary to provide a hardware circuit such as a so-called watchdog timer circuit for monitoring the operation of each microcomputer, and it is possible to secure control safety with a simple device configuration. Because.

However, in the electronic control unit, as described above, each of the plurality of microcomputers can perform on-board writing, and a specific microcomputer monitors the operation of another microcomputer. In such a case, the following problem occurs.

That is, in the manufacturing process of the electronic control device,
After mounting each microcomputer, first, a new control program is written in a microcomputer that monitors another microcomputer (hereinafter, also referred to as a monitoring microcomputer), and then the microcomputer that is monitored (hereinafter, referred to as a monitoring microcomputer). When a new control program is to be written to the monitored microcomputer, the monitored microcomputer executes the already written control program and performs the normal operation, whereas the monitored microcomputer executes the normal control program. Since the writing process is performed without performing the process, the monitoring microcomputer determines that the monitored microcomputer is abnormal. As a result, the writing process is performed (in other words,
The microcomputer to be monitored (while the control program or the like is being written) is reset by the operation of the monitoring microcomputer, and it becomes impossible to reliably write the control program or the like.

The present invention focuses on such a problem. In an electronic control device in which one microcomputer monitors the operation of another microcomputer, the electronic control unit is controlled by a microcomputer to be monitored. First, even if the control program is written in the monitoring microcomputer, the control program can be surely written in the monitored microcomputer so that one microcomputer can be connected to the other microcomputer. It is an object of the present invention to reliably balance the monitoring of the microcomputer with the on-board writing of the control program for each microcomputer.

[0012]

Means for Solving the Problems and Effects of the Invention The electronic control unit according to the present invention according to the first aspect of the present invention, which has been made to achieve the above object, uses an electrically rewritable nonvolatile memory. And a first and a second microcomputer.

In a normal state, the first microcomputer controls a control target by executing a first control program constituted by data stored in its own nonvolatile memory, and controls the second microcomputer. The computer controls the control target by executing the second control program including the data stored in the nonvolatile memory of the computer. Further, the first microcomputer monitors whether or not the second control program is normally executed by the second microcomputer in accordance with the execution of the first control program. When it is determined that an abnormality has occurred in the execution of the second control program, an operation for resetting the second microcomputer is performed. Therefore, without providing a dedicated hardware circuit for monitoring the operation of the second microcomputer, it is possible to avoid program runaway in the second microcomputer and to ensure control safety.

On the other hand, each of the two microcomputers
When a predetermined rewriting condition is satisfied, a write process for updating and writing the write data transmitted from the outside to its own non-volatile memory is performed. , Monitoring operation inhibiting means. The monitoring operation preventing means prevents the second microcomputer from being reset by the operation of the first microcomputer while the second microcomputer is performing the writing process.

For this reason, in the manufacturing process of the electronic control device, after each microcomputer is mounted, first, the configuration data of the first control program is stored in the first microcomputer (specifically, its non-volatile memory). Is newly written, and subsequently, the configuration data of the second control program is newly written in the second microcomputer (specifically, the nonvolatile memory thereof) to be monitored. This prevents the second microcomputer during the writing process from being reset by the operation of the first microcomputer on the monitoring side.

Therefore, according to the electronic control device of the present invention,
As described in claim 4, even if the control program (first control program) is written in the first microcomputer on the monitoring side before the second microcomputer on the monitoring side, The control program (second control program) can be reliably written in the second microcomputer to be monitored, and the control program can be written in any order in each of the two microcomputers. , Writing can be performed reliably. As a result, it is possible to ensure that one microcomputer monitors another microcomputer and that the control program can be written on-board for each microcomputer.

In the case where the rewritable nonvolatile memory is, for example, an EEPROM or a flash memory, a predetermined write higher than the normal operating voltage is applied to the microcomputer at the time of new writing or rewriting of data. It is necessary to supply voltage.

Therefore, in the electronic control device of the present invention,
3. The monitoring operation according to claim 2, wherein the second microcomputer is configured to perform the write processing on condition that at least a predetermined write voltage is supplied. The blocking means detects whether or not the write voltage is supplied to the second microcomputer, and when the write voltage is supplied, the second microcomputer operates by the first microcomputer. Can be prevented from being reset.

According to the electronic control device of the second aspect, whether the second microcomputer is performing the writing process can be easily detected without providing any special processing or circuit. can do. Claim 3
If the first microcomputer outputs a reset signal to the second microcomputer when the first microcomputer determines that an abnormality has occurred in the execution of the second control program, the monitoring operation inhibiting means By preventing a reset signal output from the first microcomputer from being input to the second microcomputer, the second microcomputer can be prevented from being reset.

With this configuration, when the second microcomputer performs the writing process, the first microcomputer performs the first writing.
Reset by the operation of the microcomputer can be reliably prevented. In this case, as the monitoring operation preventing means, a switching element or a logic circuit element for communicating and cutting off a signal line of a reset signal from the first microcomputer to the second microcomputer can be used. A certain effect can be obtained with the configuration.

On the other hand, as a more preferable electronic control device for achieving the above-mentioned object, an electronic control device according to claim 5 can be mentioned. That is, an electronic control unit according to a fifth aspect includes a system monitoring unit and a blocking unit in addition to the first and second microcomputers similar to the electronic control unit according to the first embodiment. In accordance with execution of the first control program stored in its own nonvolatile memory, the first microcomputer outputs a monitor signal indicating that it is normal within a predetermined period of time, and outputs the second microcomputer. The computer monitors whether or not the second control program in the nonvolatile memory is normally executed, and when it is determined that an abnormality has occurred in the execution of the second control program, the monitor signal is output. Stop.

The system monitoring means monitors the monitor signal output from the first microcomputer, and if the monitor signal is not output within a set time longer than the predetermined time, the first monitor is used. And a reset signal to both the second microcomputer.

Still further, the blocking means prevents the microcomputers from being reset by the system monitoring means while at least one of the microcomputers is performing the writing process. According to the electronic control device of the fifth aspect, at the normal time when the two microcomputers are not performing the writing process, not only when the first microcomputer itself has an abnormality, but also when the second microcomputer is in an abnormal state. Even when an abnormality occurs in the computer and the first microcomputer detects the abnormality, the output of the monitor signal by the first microcomputer is stopped, and accordingly, the system monitoring means resets both microcomputers. A signal is output. Therefore, abnormalities in both microcomputers during normal times can be detected and avoided by only one system monitoring means.

Further, when at least one of the two microcomputers is performing the writing process, the operation of the blocking means prevents the two microcomputers from being reset by the system monitoring means. Therefore, according to the electronic control device of the fifth aspect, even if the control program is written to each of the two microcomputers in any order, the writing can be performed reliably, and With an extremely simple configuration, it is possible to simultaneously monitor both microcomputers and enable on-board writing of a control program for each of both microcomputers.

In the electronic control device according to the fifth aspect, as described in the sixth aspect, both microcomputers perform the writing process on condition that at least a predetermined writing voltage is supplied. In the case where the write voltage is supplied, the blocking unit detects whether or not the write voltage is supplied to at least one of the two microcomputers. The microcomputer may be configured to prevent resetting of both microcomputers by the system monitoring means.

With this configuration, the same effect as that of the electronic control device according to the second aspect, that is, a special process or a circuit is provided to determine whether one of the two microcomputers is performing the writing process. And the effect of easy detection can be obtained. In the electronic control device according to the fifth or sixth aspect, the blocking means prevents the reset signal output from the system monitoring means from being input to both microcomputers. Thus, if both microcomputers are configured to be prevented from being reset, similar to the above-described electronic control device according to claim 3, when either of the microcomputers performs the writing process, Reset can be reliably prevented.

On the other hand, in the electronic control device according to the fifth or sixth aspect, as set forth in the eighth aspect, the system monitoring means performs a counting operation at regular intervals and outputs from the first microcomputer. And a reset signal output means for outputting a reset signal to both microcomputers when the count value of the counter reaches a predetermined value. Microcomputer executes the first control program in its own non-volatile memory, and instructs the counter to have a period shorter than the time from when the count value of the counter is initialized to when it reaches the predetermined value. With the configuration of outputting the monitor signal, the blocking means forcibly stops the counting operation of the counter. By causing, it can be both the microcomputer is configured to prevent the reset.

That is, in the electronic control device according to the eighth aspect, the system monitoring means is a so-called watchdog timer circuit, and the microcomputer is reset by stopping the counting operation of the watchdog timer counter. The output of the signal is prohibited. According to this electronic control device, resetting of both microcomputers can be prevented with a simple configuration.

[0029]

Embodiments of the present invention will be described below with reference to the drawings. Note that the embodiment of the present invention
It goes without saying that the present invention is not limited to the following ones, but can take various forms as long as it belongs to the technical scope of the present invention.

[First Embodiment] First, FIG. 1 shows an electronic control unit (hereinafter referred to as an ECU) 2 mounted on a vehicle and controlling an internal combustion engine and an automatic transmission, and an ECU 2.
A memory writing device 4 connected to the ECU 2 when rewriting or newly writing control programs and control data for engine control and automatic transmission control built in
It is a block diagram showing the whole structure of the memory rewriting system of the electronic control unit of 1st Embodiment which consists of these.

As shown in FIG. 1, the ECU 2 includes a waveform shaping circuit 10 for inputting signals from various sensors 8 for outputting pulse signals and on / off signals according to the rotation state of the engine and shaping the waveform. An input circuit 14 for inputting signals from various analog sensors 12 that output analog signals according to the intake air amount of the engine, the throttle opening, and the like to remove noise, and convert the analog signals from the input circuit 14 into digital signals. A / D converter (ADC) that converts and outputs
And an engine control unit for calculating a control amount such as a fuel injection amount or an ignition timing for the engine based on signals from the waveform shaping circuit and the A / D converter and outputting a control signal based on the calculation result. A chip microcomputer (hereinafter referred to as a main microcomputer or simply a microcomputer) 18 and an output circuit 20 which receives a control signal from the main microcomputer 18 and drives an actuator 22a such as an injector or an igniter attached to the engine.
a.

Further, the ECU 2 transmits and receives control information such as a throttle opening and a torque control signal to and from the main microcomputer 18 via a DMA (Direct Memory Access) communication line 24, and controls the shift timing of the automatic transmission. A single-chip microcomputer (hereinafter, referred to as a sub-microcomputer or simply a microcomputer) 26 for controlling the automatic transmission which outputs a control signal by calculating the operation of the microcomputer, etc. An output circuit 20b for driving an actuator 22b such as a gearshift linear solenoid.

The ECU 2 has a communication circuit 28 for each of the main microcomputer 18 and the sub-microcomputer 26 to perform serial data communication with the memory writing device 4 as an external device. Is a serial communication line 30 connected to the memory writing device 4 via a connector (not shown);
Serial communication line 32 commonly connected to
And is provided between them. The serial communication line 32
Is divided into a serial communication line 32a connecting the communication circuit 28 and the main microcomputer 18 and a serial communication line 32b connecting the communication circuit 28 and the sub-microcomputer 26 in the middle of the path from the communication circuit 28 to the microcomputers 18 and 26. ing.

The communication circuit 28 sends the data transmitted from the memory writing device 4 via the serial communication line 30 to the microcomputers 18 and 26 via the serial communication line 32. Is transmitted to the memory writing device 4 via the serial communication line 30.

The ECU 2 further includes a voltage (hereinafter referred to as a battery voltage) VB directly supplied from a battery BT mounted on the vehicle and a voltage (hereinafter, referred to as a battery voltage) supplied from the battery BT via an ignition switch IGS of the vehicle.
A power source that receives VIG (referred to as an IG voltage) and supplies various types of voltages to the microcomputers 18 and 26 and their peripheral circuits (such as the A / D converter 16 and the output circuits 20a and 20b) as described later. A circuit 34 is also provided.

The power supply circuit 34 includes a main microcomputer 1
8, a watchdog timer clear signal (hereinafter, referred to as a WDC signal) W1 as a monitor signal, which is output as described later, is input. Then, the power supply circuit 34
When the level of the WDC signal W1 from the main microcomputer 18 does not reverse within a preset time, it is determined that an abnormality has occurred in either the main microcomputer 18 or the sub-microcomputer 26 and the microcomputers 18 and 26 And a watchdog timer function for outputting a reset signal R1 for resetting them.

Next, the internal configuration of the main microcomputer 18 and the sub-microcomputer 26 mounted on the ECU 2 will be described with reference to FIG. As shown in FIG.
Each of the known CPUs operates according to a program.
And a non-volatile flash memory 42 for storing programs and data necessary for operating the CPU 40
A mask ROM 44; a RAM 46 for temporarily storing the calculation results of the CPU 40; and an I / O (not shown) for inputting and outputting signals.

Here, the flash memory 42 is a nonvolatile memory capable of rewriting data (specifically, erasing and writing data) while a predetermined write voltage (7.5 V in this embodiment) VPP is applied. ROM. The flash memory 42 of each of the microcomputers 18 and 26 has an EC
In the manufacturing process of U2, both microcomputers 18 and 26 are ECU
2, the control program for engine control or automatic transmission control executed by the CPU 40 and the control data referred to at the time of execution are newly written. More specifically, a control program for engine control and data constituting control data are newly written in the flash memory 42 of the main microcomputer 18, and a control program and a control program for automatic transmission control are stored in the flash memory 42 of the sub-microcomputer 26. Data constituting the control data is newly written.

The control program for engine control written in the flash memory 42 of the main microcomputer 18 outputs to the power supply circuit 34 a WDC signal W1 whose signal level is inverted every predetermined time TS1 (4 ms in this embodiment). And a sub-microcomputer 2
And a monitoring processing program for monitoring the operation of the sub-microcomputer 26.
In order to output the WDC signal W2 whose signal level is inverted every predetermined time period TS2 (in this embodiment, 4 ms equal to the time period TS1) to the main microcomputer 18 as shown in FIG. A signal output program is included.

In the following description, if there is no description that a control program or the like is to be newly written in the flash memory 42, the roles of the microcomputers 18 and 26 are stored in the flash memories 42 of the microcomputers 18 and 26. It is assumed that the above-described control program and control data respectively corresponding to have been already written.

On the other hand, the mask ROM 44 is a nonvolatile ROM in which data cannot be rewritten.
In 44, a boot program to be executed immediately after reset (initialization) of the microcomputers 18 and 26 is released is stored in advance before the microcomputers 18 and 26 are mounted on the ECU 2.

The mask RO of both microcomputers 18 and 26 is used.
In M44, an identification code capable of identifying the main microcomputer 18 and the sub-microcomputer 26 is stored in advance, and in the present embodiment, the identification code of the main microcomputer 18 is “0”.
001 ”and the identification code of the sub-microcomputer 26 is“ 0 ”.
010 ".

The mask ROMs of the microcomputers 18 and 26
The processing contents of the boot programs stored in the respective 44 are the same. Further, instead of the mask ROM 44, a nonvolatile ROM in which data can be electrically rewritten similarly to the flash memory 42 may be used as long as the data rewriting is prohibited.

On the other hand, inside the microcomputers 18 and 26, the serial communication line 32 (specifically,
In the case of the main microcomputer 18, the serial communication line 32
a, and in the case of the sub-microcomputer 26, it is a serial communication line 32b. Similarly, an electrical path for receiving serial data from the serial communication line 32 is
A switch element SW2 for communicating or shutting off in response to a command from U40 is provided.

As shown in FIG. 1, the main microcomputer 18 and the sub-microcomputer 26 have the above-mentioned write voltage necessary for writing data to the flash memory 42 from the power supply circuit 34 via the common power supply line 38. VPP is supplied. Then, as shown in FIG. 2, inside the microcomputers 18 and 26, the electrical path for receiving the write voltage VPP from the power supply line 38 is also connected or cut off according to a command from the CPU 40. A switching element SW3 is provided. The initial states of the switch elements SW1 to SW3 are all communication states.

In both the microcomputers 18 and 26, the CPU 40 sets the mask RO immediately after the reset is released.
Start execution of the boot program in M44, and
At the normal time when the memory writing device 4 is not connected to the U2, the control program in the flash memory 42 (in the case of the main microcomputer 18, the control program for engine control,
Then, a control program for controlling the engine or the automatic transmission is performed by calling the control program for controlling the automatic transmission) and executing the control program.

Further, the sub-microcomputer 26 executes the control program for controlling the automatic transmission (more specifically, the above-described signal output program included therein),
A WDC signal W2 whose signal level is inverted every predetermined time TS2 is output to the main microcomputer 18. Further, the main microcomputer 18 executes the control program for controlling the engine (specifically, the above-described signal output program and monitoring processing program included therein), and executes the power supply circuit 34.
WDC signal W whose signal level is inverted every predetermined time TS1
1 and monitors the WDC signal W2 from the sub-microcomputer 26, and the WDC signal W2
If the level is not inverted within the determination time TH2 (> TS2) longer than S2, it is determined that an abnormality has occurred in the execution of the control program in the sub-microcomputer 26, and the own WDC signal to the power supply circuit 34 The level inversion output of W1 is stopped.

On the other hand, the CPUs 40 of the microcomputers 18 and 26
When the execution of the boot program is started, if it is determined that the writing mode is set as described later, the execution of the boot program is continued without immediately calling the control program in the flash memory 42. The write data transmitted from the writing device 4 (that is, data forming a new control program and control data to be written in the flash memory 42) is stored in the flash memory 4
Then, a write process for updating and writing to 2 is performed. And
After this writing process is completed, a new control program written in the flash memory 42 is called, and the same process as in the above-described normal operation is performed.

Next, a power supply circuit 34 provided in the ECU 2
Will be described with reference to FIG. FIG.
As shown in (2), the power supply circuit 34 receives two PNP transistors Tr1 and Tr2 for outputting a constant voltage and an IG voltage VIG supplied when the ignition switch IGS is turned on, and receives the two microcomputers 18 and 26 from the transistor Tr1.
A main power supply generating unit 50 for supplying a predetermined operating voltage (5 V in this embodiment) VOM to each peripheral circuit such as the A / D converter 16 and the like, and a battery voltage VB constantly supplied from the battery BT. From the transistor Tr2 to the microcomputers 18 and 26, a backup voltage (5V which is the same as the operation voltage VOM in the present embodiment) VOS
And a sub-power supply creating unit 52 for constantly supplying the power.

It should be noted that the backup power supply VOS is always supplied to the microcomputers 18 and 26 by providing the sub power supply generator 52 in the present embodiment. This is because a part of the storage area is set as a standby RAM that retains data continuously even when the ignition switch IGS is turned off. Transistor Tr2
Can be omitted.

The power supply circuit 34 receives write enable signals K1 and K2, which are selectively output from the memory writing device 4, through two signal lines 36a and 36b, as described later. Either one of the write enable signals K1 and K2 is input, and the ignition switch IG
While the operating voltage VOM is being output with the turning on of S,
The above-described write voltage VPP is generated from the battery voltage VB or the IG voltage VIG, and the write voltage VPP is supplied to the power supply line 3.
8 (and, consequently, both microcomputers 18 and 26).

Further, the power supply circuit 34 outputs the WDC signal W1 from the main microcomputer 18 for the above-mentioned predetermined time period TS1.
A watchdog detecting section 56 for detecting whether or not the level has been inverted within a longer set determination time TH1 (>TS1);
When it is detected that the level of the C signal W1 has not been inverted within the determination time TH1, and when the ignition switch I
When GS is turned on and the operating voltage VOM rises, a high active reset signal R1 is output to the main microcomputer 18 and the sub-microcomputer 26, and both microcomputers 1 and 2 are activated.
And a reset control unit 58 for resetting the control signals 8 and 26.

Here, the watchdog detector 56 includes a watchdog counter 56a that performs an up-count operation at regular intervals TC by a clock signal from a not-shown transmission circuit, and a WDC signal W from the main microcomputer 18.
Each time 1 changes the level, the watchdog counter 56
an edge detection circuit 56b that outputs a pulse signal for resetting the counter a (that is, clearing the count value of the watchdog counter 56a to zero);
b and the write voltage VPP from the write voltage generator 54. When the write voltage VPP is not output from the write voltage generator 54, the edge detection circuit 56b
Resets the watchdog counter 56a every time the pulse signal is output from the OR circuit 56c. When the write voltage VPP is output from the write voltage generator 54, the watchdog counter 56a is continuously reset.
It is composed of

When the count value of the watchdog counter 56a reaches the overflow value M, the reset control section 58 outputs the WDC signal W from the main microcomputer 18.
1 determines that the level has not been inverted within the determination time TH1, and outputs a reset signal R1 to both microcomputers 18 and 26. It should be noted that a time period (TC × X) obtained by multiplying the constant cycle TC at which the watchdog counter 56a performs the up-counting operation by the overflow value M of the watchdog counter 56a.
M) is the determination time TH1.

Therefore, when the write voltage VPP is not output from the write voltage generator 54, the main microcomputer 18
When the level of the WDC signal W1 is not inverted within the determination time TH1, the microcomputers 18 and 26 are reset by the reset control unit 58.
4 outputs the write voltage VPP, the OR circuit 56c keeps resetting the watchdog counter 56a and forcibly stops its up-counting operation.
Reset of 8, 26 is prevented.

On the other hand, the power supply circuit 34 has an IG voltage VIG
A low-voltage detecting unit 60 for detecting that the output voltage of the battery BT has dropped based on the low-voltage detecting unit 60, which is not shown in FIG. A notification signal DI is output from 60 to at least one of the main microcomputer 18 and the sub-microcomputer 26. Next, the memory writing device 4 mainly includes a well-known microcomputer having a CPU, a ROM, a RAM, and the like.
It is connected to the ECU 2 via a connector (not shown). At the time of this connection, the memory writing device 4
, A serial communication line 30 of the ECU 2;
It is connected to two signal lines 36a and 36b extending from the power supply circuit 34 (write voltage generator 54).

Although not specifically shown, the memory writing device 4 writes data into a flash memory 42 of the main microcomputer 18 and the sub-microcomputer 26, such as a start switch for operating the device. In addition to a selection switch for selecting the data, a storage such as a ROM or a floppy disk storing data to be written and data to be transmitted to the ECU 2 (data constituting a new control program and control data). A medium and a display unit for displaying various messages are provided.

In the storage medium, the write data to be transmitted to the ECU 2 and the microcomputer (the main microcomputer 18 and the sub microcomputer 2) to which the write data is to be written are written.
6) is stored. Also, needless to say, the write data to be written to the flash memory 42 of the main microcomputer 18 includes a signal output program for the main microcomputer 18 to output the WDC signal W1 to the power supply circuit 34, and the operation of the sub-microcomputer 26. And a write processing to be written to the flash memory 42 of the sub-microcomputer 26 includes a signal output for the sub-microcomputer 26 to output the WDC signal W2 to the main microcomputer 18. Program is included.

Next, in the memory rewriting system according to the first embodiment, processing executed by the memory writing device 4 and E
The processing executed by the microcomputers 18 and 26 of the CU 2 will be described with reference to the flowcharts of FIGS.
FIG. 4 is a flowchart showing the processing executed by the memory writing device 4. FIG. 5 shows both microcomputers 1.
8 is a flowchart showing processing executed in each of steps 8 and 26, and includes steps (hereinafter simply referred to as “S”) 20
The processes of 0 to S260 are executed by the boot program in the mask ROM 44, and the process of S270 is executed by the control program in the flash memory 42. FIG. 6 is a flowchart showing a sub-microcomputer monitoring process executed by the main microcomputer 18 to monitor the operation of the sub-microcomputer 26 by using a monitoring process program included in the control program in the flash memory 42. is there.

First, in the memory writing device 4, when the above-mentioned start switch is turned on after being connected to the ECU 2 by an operator, the microcomputer provided therein becomes
The execution of the processing shown in FIG. The main microcomputer 18
When newly writing data to the flash memory 42 or rewriting already stored data, the main microcomputer 18 is previously selected as a data writing target by the selection switch, and the storage medium includes: It is assumed that the identification code of the main microcomputer 18 and the write data to be written to the flash memory 42 are stored. Similarly, the sub microcomputer 26
When newly writing data to the flash memory 42 or rewriting already stored data, the sub-microcomputer 26 is previously selected as a data writing target by the selection switch, and the storage medium includes It is assumed that the identification code of the sub-microcomputer 26 and the write data to be written to the flash memory 42 are stored.

As shown in FIG. 4, when the execution of the processing is started on the memory writing device 4 side, in the first step S100, the main microcomputer 18 is selected as a data writing target by the selection switch. Has a signal line 36a
Outputs a high active write enable signal K1
When the sub-microcomputer 26 is selected as a data write target, it outputs a high active write enable signal K2 to the signal line 36b. When either of the write permission signals K1 and K2 is output from the memory writing device 4 to the ECU 2 as described above, the power supply circuit 3 on the ECU 2 side is output.
4 (write voltage generation unit 54) is in a state where the write voltage VPP can be supplied to both microcomputers 18 and 26.

At S110, the identification code and the write data stored in the storage medium are read, and the read identification code and the write data are read by the ECU.
2 via the serial communication line 30.
In this transmission operation, first, the identification code is transmitted to the ECU 2, and then the write data is transmitted.

Then, as described later, the write data transmitted in S110 is stored in both microcomputers 1 on the ECU 2 side.
8 and 26, the data is updated and written in the flash memory 42 to which the data is to be written.
Since the written data is read out from the U2 side and returned, the data from the ECU 2 is received in the subsequent S120, and the write data stored in the storage medium is further transmitted in the next S130. The data from the ECU 2 received in S120 is verified (compared).

Then, in subsequent S140, the above S130
Is determined, and if the write data stored in the storage medium and the data from the ECU 2 match, the data transmitted in S110 to the flash memory 42 of the microcomputer to which the data is to be written is transmitted. It is determined that the write data has been correctly written, and the process proceeds to S150.
Then, in S150, the signal line 36 is set in S110.
a, 36b output to the write enable signal K1,
K2 is returned to the low level, and the process is thereafter terminated.

On the other hand, if it is determined in S140 that the write data stored in the storage medium and the data from the ECU 2 do not match, the flow shifts to S160, and the data write fails. Is displayed on the above-mentioned display unit, and then the process is terminated.

Next, on the ECU 2 side, when the ignition switch IGS is turned on, each of the two microcomputers 18 and 26 starts operating from the reset state by the operation of the reset control unit 58 of the power supply circuit 34 described above. The processing shown in FIG. 5 is executed. That is, each C of both microcomputers 18 and 26
The PU 40 first starts executing the boot program stored in the mask ROM 44, and first determines in S200 whether or not the write voltage VPP is supplied from the power supply circuit 34 via the power supply line 38.

At this point, when the ignition switch IGS is turned on, the memory writing device 4 is connected to the ECU 2 and, at the same time, S10 in FIG.
0, the write enable signal K from the memory writer 4
If either one of K1 and K2 is output, the write voltage VPP is supplied from the write voltage generator 54 of the power supply circuit 34 to the microcomputers 18 and 26 via the power supply line 38. An affirmative determination is made (it is determined that the write voltage VPP is being supplied).

Therefore, if an affirmative determination is made in S200, the process proceeds to the next S210, and the above-described S1 in FIG.
Receiving the identification code transmitted from the memory writing device 4 via the serial communication line 30 by the process of 10;
In subsequent S220, it is determined whether or not the received identification code and the own identification code stored in mask ROM 44 match.

If it is determined in S220 that the two identification codes match, it is determined that the writing mode is not the normal operation mode, and the flow advances to the next S230. Then, in S230, as described above, write data (data constituting a control program or control data) transmitted from the memory writing device 4 following the identification code is received, and the received write data is written. The data is updated and written in the flash memory 42. And further, S
At 240, all the data written to the flash memory 42 at S230 is read, and the
Send to

Then, in S240, the memory writing device 4
As described above, the data transmitted to the ECU 2 is compared with the write data stored in the storage medium on the memory writing device 4 side. It is determined that the writing has been completed successfully,
The write enable signals K1 and K2 output to CU2 return to the low level. Accordingly, on the ECU 2 side, the write voltage generator 54 of the power supply circuit 34 sets the write voltage VPP
Stop supplying.

Then, at S250, the power supply circuit 34
Waits until the supply of the write voltage VPP from the memory is stopped, and when it is determined that the supply of the write voltage VPP is stopped, it is determined that the write data from the memory writing device 4 has been correctly written in the flash memory 42. Judge, and proceed to the next S260.

Then, in S260, the process jumps to the control program in the flash memory 42, and in S23
The execution of the control program written in the flash memory 42 in the process of 0 is started. As a result, the operation shifts to a normal operation, and the control processing for controlling the engine is performed in the case of the main microcomputer 18 as shown in S270 of FIG. For example, a control process for controlling the automatic transmission is performed.

On the other hand, if it is determined in S200 that the write voltage VPP is not supplied, it is determined that the normal operation mode is set, and the process proceeds to S260 without executing the processes in S210 to S250. . That is, in a normal state where the write permission signals K1 and K2 are not output from the memory writing device 4 to the ECU 2, the execution of the control program already written in the flash memory 42 is immediately started.

Even if it is determined in S200 that the write voltage VPP is supplied, in S220, the identification code from the memory writing device 4 and the identification code stored in the mask ROM 44 are stored. If it is determined that the codes do not match, it is determined that the microcomputer to which the data is to be written is not the user (in other words, the microcomputer other than the user is the data to be written), and the process proceeds to S280. I do. Then, in S280, all three switch elements SW1 to SW3 shown in FIG. 2 are turned off (OFF state), and then the process proceeds to S260.

That is, in the ECU 2 of this embodiment, the two microcomputers 18 and 26 are connected to one serial communication line 3.
0 and 32 are shared to perform serial data communication with the memory writing device 4, so that when a microcomputer other than itself determines that data is being written, the switching element SW1 , SW2 by itself interrupting the electrical connection with the serial communication line 32 to forcibly prohibit communication to its own serial communication line 32, and then execute the control program already written in the flash memory 42. It starts. Thus, it is possible to reliably prevent the reception data of the microcomputer on which data is being written from being destroyed by the transmission data of the other microcomputer. The connection with the power supply line 38 is also cut off by the switch element SW3 in order to reliably prevent data from being erroneously written to the flash memory 42 of the microcomputer to which data is not written. is there.

Here, when the sub-microcomputer 26 starts executing the control program stored in the flash memory 42, thereafter, the above-described signal output program is executed at predetermined time intervals TS2 (4 ms). Then, a WDC signal W2 whose signal level is inverted every time TS2 is output from the sub microcomputer 26 to the main microcomputer 18.

When the execution of the control program stored in the flash memory 42 is started in the main microcomputer 18 as well, a signal output program is thereafter executed every predetermined time TS1 (4 ms), and the main From the microcomputer 18 to the watchdog detector 56 of the power supply circuit 34
, A WDC signal W1 whose signal level is inverted every time TS1 is output.
At 8, a monitoring process program for monitoring the operation of the sub-microcomputer 26 is executed alternately with the signal output program, whereby the sub-microcomputer monitoring process shown in FIG. 6 is performed every 4 ms.

That is, as shown in FIG. 6, in this sub-microcomputer monitoring process, first in S310, the sub-microcomputer 26
Signal level of the WDC signal W2 from the
V) or low level (0 V), and determines whether the signal level detected this time matches the signal level detected in the previous process.

Here, as described above, the sub microcomputer 2
The level of the WDC signal W2 from the node 6 is inverted every 4 ms.
Since the control program is executed every ms, if the control program is normally executed by the sub-microcomputer 26, the signal level detected this time should be different from the signal level detected last time.

Therefore, if it is determined in S310 that the signal level detected this time does not match the signal level detected last time, it is determined that the sub-microcomputer 26 is operating normally. Proceeding to S320, the value of a counter memory (hereinafter simply referred to as a counter) set in a predetermined area of the RAM 46 is cleared.

On the other hand, if it is determined in S310 that the signal level detected this time matches the signal level detected last time, there is a possibility that an abnormality has occurred in the sub-microcomputer 26. The process proceeds to S330, and the value of the counter is incremented.

Then, after the counter is cleared in S320 or the counter is incremented in S330, the process proceeds to S340, and the W detected this time in S310 is detected.
The signal level of the DC signal W2 is stored in the RAM 46 for reference in the next S310, and in the subsequent S350, it is determined whether or not the value of the counter is equal to or more than a predetermined value N (22 in the present embodiment). . Note that the time obtained by multiplying the predetermined value N by the execution cycle of the sub-microcomputer monitoring process (TS2 × N = 4)
(ms × 22) is the above-described determination time TH2.

Here, if the counter value is not equal to or greater than the predetermined value N (S350: NO), the sub-microcomputer monitoring process is terminated as it is, but if the counter value is equal to or greater than the predetermined value N (S350: YES). Then, it is determined that an abnormality has occurred in the sub-microcomputer 26, and the process proceeds to S360, in which the execution of the signal output program is prohibited, and the level of the own WDC signal W1 is inverted and output to the power supply circuit 34. Stop being done. Then, in S370, after the value of the counter is cleared, the sub-microcomputer monitoring process is terminated.

In the ECU 2 according to the first embodiment, when the control programs stored in the flash memories 42 of the microcomputers 18 and 26 are normally executed, as shown in FIG. A WDC signal W2 whose level is inverted every predetermined time TS2 (4 ms) is output from the sub-microcomputer 26 to the main microcomputer 18 and the WD
Similarly to the C signal W2, the WD inverts the level from the main microcomputer 18 to the power supply circuit 34 every predetermined time TS1 (4 ms).
C signal W1 is output.

Each time the level of the WDC signal W1 is inverted, the watchdog detector 56 of the power supply circuit 34
The watchdog counter 56a is an edge detection circuit 56b
Is reset by a pulse signal from the power supply circuit and the above operation is repeated.
No output continues.

On the other hand, when an abnormality occurs in the sub microcomputer 26 and the level inversion of the WDC signal W2 from the sub microcomputer 26 to the main microcomputer 18 is stopped as shown in FIG. In S350 of the sub-microcomputer monitoring process executed by the microcomputer 18, an affirmative determination is made after the lapse of a predetermined determination time TH2 (= TS2 × N = 4ms × 22). The level inversion of the WDC signal W1 to 34 stops. Then, the count value of the watchdog counter 56a in the power supply circuit 34 overflows,
A reset signal R1 is output from the reset control unit 58 to both the microcomputers 18 and 26.

When an abnormality occurs in the main microcomputer 18 itself, the WD from the main microcomputer 18 to the power supply circuit 34
Even when the level inversion of the C signal W1 is stopped, the count value of the watchdog counter 56a overflows, and the reset control unit 58 sends the two microcomputers 18 and 26.
Reset signal R1 is output.

Therefore, even if the program runaway occurs in either of the microcomputers 18 and 26, the microcomputer 1
8 and 26 are immediately reset and the operation is restarted from the initial state, and the safety of control is ensured. Next, the operation of newly writing a control program and control data in the flash memory 42 of each of the microcomputers 18 and 26 or rewriting the already written control program and control data will be described. The case where a control program and control data for automatic transmission control are newly written in the flash memory 42 of the sub-microcomputer 26 in a situation where a control program and control data for engine control have already been written in the sub-microcomputer 26 will be described. .

In this case, the operator first stores “00” corresponding to the sub-microcomputer 26 in the storage medium of the memory writing device 4.
The identification code “10” and write data to be written to the flash memory 42 of the sub-microcomputer 26 are stored in advance. Then, the memory writing device 4 is connected to the ECU 2,
The sub-microcomputer 26 is selected as a data writing target by the selection switch of the memory writing device 4, then the start switch of the memory writing device 4 is turned on, and the ignition switch IGS of the vehicle is turned on to reset the ECU 2 to the initial state. Operate from

Then, since write enable signal K2 is output from memory writing device 4 to ECU 2 via signal line 36b (S100), when the ignition switch IGS is turned on, the power supply circuit 34 The write voltage VPP is supplied from the input voltage generator 54 to the microcomputers 18 and 26 via the power supply line 38. While the write voltage VPP is being output from the write voltage generator 54, the watchdog counter 56a is continuously reset by the OR circuit 56c in the watchdog detector 56 of the power supply circuit 34. The resetting of the microcomputers 18 and 26 by the operations of the watchdog detection unit 56 and the reset control unit 58 is prevented.

Then, from the memory writing device 4 to the ECU 2
The identification code and the write data stored in the storage medium are sequentially transmitted to the microcomputer (S110). On the ECU 2 side, each of the microcomputers 18 and 26 executes the boot program stored in the mask ROM 44 to execute the boot program. Writing device 4
Is received via the serial communication line 30, the communication circuit 28, and the serial communication line 32 (S200: YES, S210), and the received identification code and the identification stored in its own mask ROM 44 are received. The code is compared with the code (S220).

Then, in the main microcomputer 18,
If the two identification codes do not match (S220: NO), all of the switch elements SW1 to SW3 are cut off, and the electrical connection between the main microcomputer 18 and the serial communication line 32 and the power supply line 38 is cut off (S280). Then, the control program in the flash memory 42 is executed (S260).

On the other hand, in the sub-microcomputer 26, since both identification codes match (S220: YE
S), only this sub-microcomputer 26 is
Is received, and the received write data is updated and written in the flash memory 42 (S230).

Thereafter, the serial communication line 32, the communication circuit 28,
Then, the data written in the flash memory 42 is transmitted via the serial communication line 30 (S240),
In the memory writing device 4, the master write data stored in the storage medium and the data from the sub-microcomputer 26 are verified (S130). If the result of the verification is good (S140: YES), the write enable signal K2 output from the memory writing device 4 returns to a low level (S150), and accordingly, the power supply circuit 34 on the ECU 2 side. Then, the supply of the write voltage VPP to the microcomputers 18 and 26 is stopped.

Then, the sub-microcomputer 26 also starts executing the control program written in the flash memory 42 (S250: YES, S260).
In the watchdog detector 56 of the power supply circuit 34,
The continuous reset of the watchdog counter 56a by the OR circuit 56c is released, and the ECU 2 operates the watchdog detector 56 and the reset controller 5 of the power supply circuit 34.
The operation of 8 returns the microcomputers 18 and 26 to a resettable state, that is, a normal state in which the operations of the microcomputers 18 and 26 can be monitored.

Then, in this state, the new writing of the control program and control data to the sub-microcomputer 26 is completed. The flash memory 4 of the sub-microcomputer 26
The case of rewriting the control program and the control data already written in 2 is exactly the same as the case of the new writing described above. When writing a new control program and control data into the flash memory 42 of the main microcomputer 18 or rewriting a previously written control program and control data,
The storage medium of the memory writing device 4 stores an identification code of “0001” corresponding to the main microcomputer 18 and write data to be written to the flash memory 42 of the main microcomputer 18, and , The main microcomputer 18 may be selected as a data write target.

On the other hand, in the first embodiment, the main microcomputer 18 corresponds to the first microcomputer,
The sub-microcomputer 26 corresponds to a second microcomputer. The OR circuit 56c of the watchdog detection unit 56 corresponds to a monitoring operation inhibiting unit or an inhibiting unit. The watchdog detection unit 5 of the power supply circuit 34
6 and the reset control unit 58 correspond to the system monitoring means, the watchdog counter 56a of the watchdog detection unit 56 corresponds to the counter, and the reset control unit 5
Reference numeral 8 corresponds to a reset signal output unit.

As described in detail above, the EC of the first embodiment is
In U2, the main microcomputer 18 is connected to the flash memory 42
By executing the control program in the sub microcomputer 2
In step 6, the control program monitors whether or not the control program in the flash memory 42 is normally executed. If an abnormality is detected in the sub-microcomputer 26, the sub-microcomputer 26 resets itself to detect the watchdog of the power supply circuit 34. Part 5
6, the level inversion of the WDC signal W1 output to the microcomputer 6 is stopped.
6, the OR circuit 56c forcibly stops the up-counting operation of the watchdog counter 56a.
The reset signal R1 is not output to the signal lines 8 and 26.

For this reason, the sub-microcomputer 26 performs a writing process for writing data to the flash memory 42 (S2
10 to S250), the main microcomputer 1
The monitoring operation 8 prevents the sub-microcomputer 26 from being reset.

Therefore, in the manufacturing process of the ECU 2, after the microcomputers 18 and 26 are mounted, first, a control program and control data are newly written in the flash memory 42 of the main microcomputer 18 and thereafter monitored. In the case where the writing order such that the control program and the control data are newly written in the flash memory 42 of the sub-microcomputer 26 on the side is adopted, the sub-microcomputer 26 during the writing process is also Reset by the operation of the microcomputer 18 is prevented.

Therefore, according to the ECU 2 of the first embodiment, even if the control program and the like are written in each of the two microcomputers 18 and 26 in any order, the writing can be reliably performed and monitored. Even if there is a restriction that the control program must be written in the monitoring main microcomputer 18 before the monitoring sub microcomputer 26, the control program and the control data are surely written in the monitored sub microcomputer 26. be able to. As a result, the main microcomputer 18 becomes
Monitoring of the operation and enabling the on-board writing of the control program for each of the microcomputers 18 and 26 can be reliably achieved at the same time.

Also, in the ECU 2 of the first embodiment, when the level inversion of the WDC signal W1 from the main microcomputer 18 is stopped, the watchdog detection unit 5 in the power supply circuit 34
6 and the reset controller 58, the microcomputers 18, 2
6, a reset signal R1 is output.

Therefore, an abnormality in the microcomputers 18 and 26 during normal operation can be detected and avoided by a set of hardware circuits including the watchdog detector 56 and the reset controller 58. Monitoring of the operation and rewriting of the control program and control data stored in the flash memory 42 of each of the microcomputers 18 and 26 can be reliably achieved with a simple configuration.

In the first embodiment, the up-counting operation of the watchdog counter 56a is forcibly stopped to prevent the microcomputers 18 and 26 from being reset. A switching element or a logic circuit element is provided on the signal line of the reset signal R1 reaching the microcomputers 18 and 26, and the signal line is cut off by the element when the write voltage VPP is output from the write voltage generator 54. Alternatively, it may be configured to hold the data at a low level (passive level).

[Second Embodiment] Next, in the memory rewriting system of the second embodiment, the ECU differs from the ECU 2 of the first embodiment in the following points (1) and (2). ing. Note that the memory writing device 4 is the same as that of the first embodiment. Further, in the second embodiment, the same members as those of the first embodiment are denoted by the same reference numerals, and detailed description thereof will be omitted.

(1) First, as shown in FIG. 8, in the ECU 62 of the second embodiment, the main microcomputer 18 determines whether or not the WDC signal W2 from the sub-
When the level is not inverted within H2, the own WDC signal W
Instead of stopping the level inversion output of No. 1, it outputs a high active reset signal R2a for resetting the sub-microcomputer 26.

For this reason, in the sub-microcomputer monitoring process performed by executing the monitoring program in the main microcomputer 18, as shown in FIG. 10, the processes of S300 and S375 are added to the process shown in FIG. In addition, the processing of S365 is performed instead of S360 of FIG.

That is, in the sub-microcomputer monitoring process of the second embodiment, first, in S300, it is determined whether or not the sub-microcomputer 26 is being reset, that is, the reset signal R
It is determined whether or not 2a is currently output. If the reset signal R2a has been output, the flow shifts to S375, in which the output of the reset signal R2a is stopped (returned to a low level) in order to release the reset of the sub-microcomputer 26, and thereafter, the sub-microcomputer monitoring is performed. The process ends.

Further, the reset signal R2a is obtained in S300.
If it is determined that is not output, the processes of S310 to S350 are executed as in the case of the first embodiment. If it is determined in S350 that the value of the counter is equal to or more than the predetermined value N, it is determined that an abnormality has occurred in the sub-microcomputer 26, and the flow advances to S365 to reset the reset signal R2a to reset the sub-microcomputer 26. (To high level), the counter is cleared in the subsequent S370, and the sub-microcomputer monitoring process ends.

When the level of the WDC signal W2 from the sub-microcomputer 26 is not inverted within the determination time TH2 by the sub-microcomputer monitoring process, the main microcomputer 18 performs the time corresponding to the execution cycle of the process. (4
ms), the reset signal R2a is output at the high level.

(2) Next, as shown in FIG. 8, the ECU 62 according to the second embodiment includes a power supply circuit 34 according to the first embodiment.
Power supply circuit 74 in place of the main microcomputer 1
The reset signal R2a output from 8 is input to the sub-microcomputer 26 as the reset signal R2b via the power supply circuit 74.

The power supply circuit 74
Has a sub-microcomputer reset control unit 78 added to the power supply circuit 34 of the first embodiment, as shown in FIG. The added sub-microcomputer reset control unit 78 outputs a reset signal R2a from the main microcomputer 18.
And the write voltage VPP from the write voltage generator 54, and when the write voltage VPP is not output from the write voltage generator 54, the reset signal R2a is directly used as the reset signal R2b by the sub-microcomputer 26. When the write voltage VPP is output from the write voltage generator 54, the AND circuit 78a holds the reset signal R2b to the sub-microcomputer 26 at a low level (passive level) irrespective of the signal level of the reset signal R2a. It is constituted by.

Therefore, when the write voltage VPP is not output from the write voltage generator 54, the main microcomputer 18
When the high-level reset signal R2a is output from the sub-microcomputer 26, the sub-microcomputer 26 is reset by the reset signal R2b. When the write voltage VPP is output from the write voltage generator 54, the AND circuit 78a Since the reset signal R2b to the sub-microcomputer 26 is held at low level (in other words, the reset signal R2a output from the main microcomputer 18 is prevented from being input to the sub-microcomputer 26), The reset of the sub-microcomputer 26 is prevented.

The AND circuit 78a, like the reset control unit 58, sets the reset signal R2b to the sub-microcomputer 26 to high level when the ignition switch IGS is turned on and the operating voltage VOM of the microcomputers 18 and 26 rises. A function to operate the sub-microcomputer 26 from the initial state is also provided.

That is, in the ECU 62 of the second embodiment, when an abnormality occurs in the main microcomputer 18, only the main microcomputer 18 is reset by the watchdog detection unit 56 and the reset control unit 58 of the power supply circuit 74, and When an abnormality occurs in the microcomputer 26, only the sub-microcomputer 26 is reset by the main microcomputer 18. Then, when the AND circuit 78a forming the sub-microcomputer reset control unit 78 outputs the write voltage VPP from the write voltage generation unit 54, the reset signal R2a output from the main microcomputer 18 is input to the sub-microcomputer 26. Function as a means for preventing monitoring operation.

Therefore, the EC according to the second embodiment is used.
U62 also prevents the sub-microcomputer 26 from being reset by the monitoring operation of the main microcomputer 18 while the sub-microcomputer 26 is performing the writing process for writing data to the flash memory 42.

Accordingly, also by the ECU 62 of the second embodiment, after the microcomputers 18 and 26 are mounted, first, a control program and control data are newly written in the flash memory 42 of the main microcomputer 18, and thereafter, When a write order such as newly writing a control program and control data to the flash memory 42 of the monitored sub-microcomputer 26 is adopted, the sub-microcomputer 26 during the writing process is The main microcomputer 18 monitors the operation of the sub-microcomputer 26 without being reset by the operation of the main microcomputer 18, and enables the on-board writing of the control program for each of the microcomputers 18 and 26. Can be reliably achieved.

[Third Embodiment] Next, in the memory rewriting system of the third embodiment, the ECU differs from the ECU 62 of the second embodiment in the following points.
Note that, in the third embodiment, the same members as those in the first and second embodiments are denoted by the same reference numerals, and a detailed description thereof will be omitted.

That is, the ECU 62 of the second embodiment described above.
Has a power supply circuit 74 in which an AND circuit 78a is added to the power supply circuit 34 of the first embodiment (in other words, although the AND circuit 78a is provided inside the power supply circuit 74), FIG. As shown, the ECU 8 of the third embodiment
In 2, the AND circuit 78a is provided outside the power supply circuit 34.

The same effects as those of the second embodiment can be obtained by the ECU 82 of the third embodiment. Further, according to such an ECU 82, even if the number of microcomputers becomes three or more due to a change in specifications or a difference in vehicle type, it can be dealt with only by adding a circuit similar to the AND circuit 78a, and the power supply circuit 34 is changed. There is also an advantage in that it is not necessary.

[Others] In the second and third embodiments, the reset circuit R2a output from the main microcomputer 18 is prevented from being input to the sub-microcomputer 26 by the AND circuit 78a. The microcomputer 18 may detect that the writing process is being executed by the sub-microcomputer 26 and stop outputting the reset signal to the sub-microcomputer 26.

More specifically, as shown in FIG. 12, when the main microcomputer 18 determines in S220 of the boot program that the identification code from the memory writing device 4 does not match its own identification code. After turning off the switch elements SW1 to SW3 in S280, additional S29
At 0, a flag indicating that the sub-microcomputer 26 is writing data is set, and the flag is referred to in the sub-microcomputer monitoring process of FIG. 10, and if the flag is set, the sub-microcomputer 26 , The output of the reset signal R2a may be inhibited.

The output inhibition state may be released when the ignition switch IGS is turned on again from off and the main microcomputer 18 starts operating from the initial state. That is, in this way, by turning on the ignition switch IGS again after the data writing of the sub-microcomputer 26 is completed, it is possible to return to the normal state in which the operation of the sub-microcomputer 26 can be monitored.

On the other hand, in each of the above embodiments, each of the microcomputers 18 and 26 has a flash memory (flash E) as an electrically rewritable nonvolatile memory.
EPROM) 42, but EEPROM
It may have M or another memory.

[Brief description of the drawings]

FIG. 1 is a block diagram illustrating an overall configuration of a memory rewriting system of an electronic control device according to a first embodiment.

FIG. 2 is a schematic configuration diagram illustrating an internal configuration of a main microcomputer and a sub-microcomputer of FIG. 1;

FIG. 3 is a schematic configuration diagram illustrating a configuration of a power supply circuit of FIG. 1;

FIG. 4 is a flowchart illustrating a process executed by the memory writing device according to the first embodiment.

FIG. 5 is a flowchart illustrating processing executed by a main microcomputer and a sub microcomputer according to the first embodiment.

FIG. 6 is a flowchart illustrating a sub-microcomputer monitoring process executed by the main microcomputer of the first embodiment.

FIG. 7 is a time chart for explaining the operation of the sub-microcomputer monitoring process of FIG. 6;

FIG. 8 is a block diagram illustrating an overall configuration of a memory rewriting system of an electronic control device according to a second embodiment.

9 is a schematic configuration diagram illustrating a configuration of a power supply circuit of FIG.

FIG. 10 is a flowchart illustrating a sub-microcomputer monitoring process executed by the main microcomputer of the second embodiment.

FIG. 11 is a block diagram illustrating an overall configuration of a memory rewriting system of an electronic control device according to a third embodiment.

FIG. 12 is a flowchart illustrating another embodiment.

[Explanation of symbols]

2, 62, 82 Electronic control unit (ECU) 4 Memory writing device 8 Sensor 10 Waveform shaping circuit 12 Analog sensor 14 Input circuit 16 A / D converter 18 Main microcomputer 20a, 20b Output Circuits 22a, 22b Actuator 24 DMA communication line 26 Sub-microcomputer 2
8 Communication circuit 30, 32, 32a, 32b Serial communication line 34, 74 Power supply circuit 36a, 36b Signal line 38 Power supply line 40 CPU 42 Flash memory 44 Mask ROM 46 RAM SW1 to SW
3 switch element 50 main power generator 52 sub power generator
54: writing voltage generating unit 56: watchdog detecting unit 56a: watchdog counter 56b: edge detecting circuit 56c: OR circuit 58
... Reset control unit 60 ... Low voltage detection unit 78 ... Sub-microcomputer reset control unit 78a ... AND circuit BT ... Battery IGS ... Ignition switch

Claims (8)

[Claims] 1. A nonvolatile memory having electrically rewritable non-volatile memory, and in a normal state, a control target is executed by executing a first control program including data stored in the non-volatile memory. A first microcomputer that performs a write process for controlling and writing externally transmitted write data to the non-volatile memory when a predetermined rewrite condition is satisfied; In addition to a non-volatile memory in which data can be rewritten in a non-volatile manner, a control target is controlled by executing a second control program composed of data stored in the non-volatile memory in a normal state. If the rewriting condition is satisfied, a write operation for updating and writing the externally transmitted write data to the nonvolatile memory is performed. A first microcomputer that executes the first control program, and the second microcomputer executes the second control program normally in response to the execution of the first control program. An electronic control device configured to monitor whether or not the second microcomputer has been executed and to perform an operation for resetting the second microcomputer when it is determined that an abnormality has occurred in the execution of the second control program. Monitoring operation preventing means for preventing the second microcomputer from being reset by the operation of the first microcomputer while the second microcomputer is performing the writing process; An electronic control unit characterized by the following. 2. The electronic control device according to claim 1, wherein the second microcomputer is configured to perform the write processing on condition that at least a predetermined write voltage is supplied. The monitoring operation preventing means detects whether or not the write voltage is supplied to the second microcomputer, and when the write voltage is supplied, the monitoring operation inhibiting means detects the write voltage of the first microcomputer. Preventing the operation of the second microcomputer from being reset by an operation. 3. The electronic control device according to claim 1, wherein the first microcomputer determines that an abnormality has occurred in the execution of the second control program. A reset signal for resetting the second microcomputer is output to the computer. The monitoring operation preventing means is configured to input the reset signal output from the first microcomputer to the second microcomputer. An electronic control unit, wherein the electronic control unit is configured to prevent the second microcomputer from being reset by preventing the second microcomputer from being reset. 4. The electronic control device according to claim 1, wherein data constituting the second control program is newly written in a nonvolatile memory of the second microcomputer. Wherein the data constituting the first control program is written in a nonvolatile memory of the first microcomputer. 5. A non-volatile memory having electrically rewritable data, and a control target which is normally executed by executing a first control program including data stored in the non-volatile memory. A first microcomputer that performs a write process for controlling and writing externally transmitted write data to the non-volatile memory when a predetermined rewrite condition is satisfied; In addition to a non-volatile memory in which data can be rewritten in a non-volatile manner, a control target is controlled by executing a second control program composed of data stored in the non-volatile memory in a normal state. If the rewriting condition is satisfied, a write operation for updating and writing the externally transmitted write data to the nonvolatile memory is performed. A first microcomputer that outputs a monitor signal indicating that the first microcomputer is normal within a predetermined period of time in accordance with the execution of the first control program. , The second
Monitoring whether or not the second control program is normally executed by the microcomputer, and when it is determined that an abnormality has occurred in the execution of the second control program, the output of the monitor signal is stopped; Further, the monitor signal output from the first microcomputer is monitored, and if the monitor signal is not output within a set time longer than the predetermined time, the two microcomputers are notified of the monitor signal. An electronic control device including a system monitoring unit that outputs a reset signal for resetting a computer, wherein at least one of the two microcomputers performs the writing process by the system monitoring unit. Blocking means for preventing the microcomputers from being reset. Child control device. 6. The electronic control device according to claim 5, wherein the two microcomputers are configured to perform the writing process on condition that at least a predetermined writing voltage is supplied, The blocking means detects whether or not the write voltage is supplied to at least one of the two microcomputers, and when the write voltage is supplied, the system monitoring means causes the two microcomputers to control the microcomputer. Preventing the computer from being reset. 7. The electronic control device according to claim 5, wherein the blocking unit prevents the reset signal output from the system monitoring unit from being input to the microcomputers. And an electronic control unit configured to prevent the microcomputers from being reset. 8. The electronic control device according to claim 5, wherein the system monitoring means performs a counting operation at regular intervals and uses the monitor signal output from the first microcomputer. A counter for resetting the count value; and reset signal output means for outputting the reset signal to the microcomputers when the count value of the counter reaches a predetermined value. Along with the execution of the first control program, the monitor outputs the monitor signal to the counter in a cycle shorter than a time period from when the count value of the counter is initialized to when the count value reaches the predetermined value, By forcibly stopping the counting operation of the counter, both microcomputers are reset. That it is configured to prevent the electronic control device according to claim.