JPS61175824A - Malfunction preventing system of computer for automobile - Google Patents

Abstract

PURPOSE:To prevent a malfunction of an automobile-use computer by constituting it so that a state decision is executed before the interrupting inhibition, its processing branches to a malfunction countermeasure routine in case of an inhibited state, it returns to the regular processing routine after the countermeasure has been ended, and the interrupting inhibition is executed. CONSTITUTION:First of all, in a step S1, in a routine which has flowed and come by a regular processing, whether a flag of an interrupting inhibition is set or not is decided. Unless the flag is set, the processing enters into its original interrupting inhibition step S2, and subsequently, in a step 3, the processing in the interrupting inhibition state is executed, and in a step S4, the interrupting inhibition is released. In case it is decided to be the interrupting inhibition state in the step S1, the processing branches to a step S5, and in this step, a prescribed malfunction countermeasure routine is executed, the interrupting inhibition flag is reset to '0', and the processing is returned to an interruptable state. Subsequently, the processing enters into the step 2, therefore, at least before the prearranged interrupting inhibition, the interruptable state is held, therefore, a runaway of a CPU is prevented completely.

Description

[Detailed description of the invention] [Industrial application field]

The present invention relates to a system for preventing malfunctions of automobile computers.

[Conventional technology]

Electronic circuits, including control microcomputers, installed in automobiles are exposed to adverse environments such as temperature, humidity, vibration, and electrical noise, so advanced electronic technology is required. With regard to the destruction of electronic equipment, the technology to deal with it has improved significantly due to technological advances, and at this stage we are in a very satisfactory state using these technologies. cannot be said to have been fully resolved. In particular, in a microcomputer that sequentially executes long steps, the introduction of just one noise can cause it to go out of control, causing a serious situation such as a malfunction of the computer for the engine III all, causing the engine to stop while driving. It turns out. Therefore,
In order to avoid such worst-case situations, we often use filters to prevent noise from entering the electronic control section, and we install external watchdog circuits to periodically control specific output ports during computer software processing. Pulses in the "H91" state and "L" state are alternately outputted as a program run signal, and monitored by the watchdog circuit described above. When this stops, a "CPU runaway" is determined, and the CPU is run out of control.
Proposals have been made to reset the PU and other parts to restore the normal state. Recently, there have been dedicated ICs for the above-mentioned "watchdog circuit," and a microcomputer with an on-chip watchdog circuit has been announced, but the added circuitry increases the cost, and the problem of malfunction of the circuit itself is new. will occur. In particular, the decisive flaw of this system is that the normal state cannot be restored until after the malfunction of the CPU has an effect on the outside (until the watchdog circuit is activated). In the case of multitasking processing that can handle interrupts, if the interrupt disable flag is set due to a malfunction, the necessary interrupts will no longer be processed, causing serious problems such as loss of operational control. I wake up.

[Problems to be Solved by the Invention] Malfunctions of automobile control computers are extremely variable phenomena, and for example, malfunctions occur in one car out of every car.
This situation only occurs once every several hundred lv of driving, but based on the information obtained as a result of various tests, it has been found that immediately before a computer malfunctions, ignition noise, power surge, etc. cause the registers inside the CPU to It was found that this is due to changes in the retention content of . That is, C.P.L.
Although I am running a normal program,
Malfunctions occur as register contents change. In particular, this phenomenon is often observed in multitasking processing in which interrupt processing is performed in addition to the main routine. Therefore, the present invention eliminates ignition noise and
In anticipation of a case where an illegal signal is input due to a power surge, etc., and affects the register, and the interrupt disable flag is set, at least one step should be taken before disabling interrupts.
The present invention attempts to provide a malfunction prevention method for an automobile computer that uses a predetermined branch routine to release interrupts when they are incorrectly disabled, thereby enabling the necessary interrupt processing. .

[Means to solve the problem]

For this purpose, in a computer having a processing routine capable of processing interrupts, during the execution of a normal processing routine, before disabling interrupts, the present invention determines whether or not the processing routine is in an interrupt-disabled state. If it is in a prohibited state, the process branches to a predetermined malfunction countermeasure routine, and after executing the malfunction countermeasure routine, returns to the normal processing routine.
This is characterized by disabling interrupts.

【Example】

An embodiment of the present invention will be described below with reference to FIGS. 1 and 2. FIG. 1 shows an example of an automobile-mounted computer that implements the present invention, and is used, for example, for engine control such as fuel injection 1 ignition control, or medium speed control. In FIG. 1, reference numeral 1 indicates various sensors that supply necessary control parameters to the CPU 6, and these sensors 1 are connected to the input/output crab unit 5 via the input interface 3. Reference numeral 2 denotes various control actuators, which are driven by drive signals output from the input/output crab unit 5 via the output interface 4. The input/output crab unit 5 is connected to the CPU 6 via a pass line 9, and the CPU 6 processes the output of the sensor 1 and outputs commands for driving various actuators 2. Also, in cpu,
Interrupt 1!1i110 is connected from input/output crab unit 5, and c
It is possible to request interrupt processing to pua. In addition, code 8 is a ROM containing the processing procedure of CPLI6.
1 is a RAM used for temporarily saving data, etc.
and are connected to the CPU 6 via path lines 9, respectively. The input/output crab unit 5 is usually configured with a general-purpose LSI and has a programmable option in which multiple functions are selected by software. Function is uniquely determined. Next, the malfunction prevention method according to the present invention will be specifically explained using FIG. 2. First, in step S1, it is determined whether or not an interrupt prohibition flag is set in the routine that has flowed through normal processing. If the flag is not set, interrupts are not prohibited, so the processing routine assumes that it is operating normally and enters the original step S2, which disables interrupts, and then performs processing with interrupts disabled in step S3. , the interrupt prohibition is canceled in step S4. Such temporary interrupt disabling measures are necessary when handling two-word length data, for example. If it is determined in step S1 that interrupts are disabled, that is, if an illegal signal is input to the register due to ignition noise or power surge, and an interrupt disable flag is set, the process branches to step S5. Then, a predetermined malfunction countermeasure routine is executed, the interrupt prohibition flag is returned to "O", and the state is returned to an interrupt-enabled state. Since the process then enters step S2, the interrupt-enabled state is maintained at least before the scheduled interrupt is disabled, so it is possible to completely prevent the CPU from running out of control.

【Effect of the invention】

As described in detail above, the present invention checks the interrupt disable flag before disabling scheduled interrupts in the processing routine, and when the contents of the register change due to an invalid signal, the interrupt disable flag is set. In this case, the interrupt request is canceled and the interrupt is enabled before the next interrupt disable process is started. This can prevent malfunctions that could cause serious problems. Moreover, unlike conventional external circuits, there is no need for an external circuit, so there is no cost increase.

[Brief explanation of the drawing]

FIG. 1 is a block diagram of the configuration of a computer for implementing the method of the present invention, and FIG. 2 is a diagram showing an example of a flowchart for implementing the method. 1... Sensor, 2... Actuator, 3... Input interface, 4... Output interface,
5... Input/output crab knit, 6... cpu, y...R
AM, 8...ROM, 9...Pass line, 10...
・Interrupt line. Patent Attorney Susumu Murai Figure 1

Claims (1)

[Claims] In a computer that has a processing routine capable of handling interrupts, during the execution of a normal processing routine, before interrupts are disabled, it is determined whether or not the processing routine is in an interrupt-disabled state, and if the processing routine is in a disabled state, a predetermined 1. A method for preventing malfunction of a computer for an automobile, characterized in that the method branches to a malfunction prevention routine, and after executing the malfunction prevention routine, returns to a normal processing routine and disables interrupts.