For fault detection of a microprocessor (microprocessing unit), abnormality of its operation is typically monitored using a watchdog timer.
Control devices are available that suitably reset a microprocessor when abnormality is generated during execution of normal operation of the microprocessor: apart from this action, such control devices may be provided with a watchdog timer that provides improved precision of resetting, so as to achieve appropriate resetting of the microprocessor even when abnormality is generated during execution of start-up processing. An example is disclosed in Laid-open Japanese Patent Application Tokkai 2007-226527 (hereinafter referred to as Patent Reference 1).
Microprocessor faults may be caused by program bugs, program falsification, software errors and the like, and, in addition, may be caused by faults of the various constituent elements of the circuitry of the microprocessor.
In recent years, in safety devices such as control devices wherein a high level of safety is demanded, operation monitoring devices are being demanded that are capable of verifying normal operation of a device equipped with a microprocessor.
Accordingly, a microprocessor operation inspection system has been disclosed characterized in that it comprises: state changeover signal input means that receives input of a state changeover signal expressing transition of the state of the microprocessor in question, that is output from the microprocessor; state signal input means that receives input of a state signal expressing the current state of the microprocessor in question, that is output from the microprocessor; state storage means that stores the microprocessor state; state calculation means that calculates the new state that the microprocessor should adopt, from the microprocessor state stored in the state storage means and the state changeover signal; and inspection means that inspects the operation of the processor by comparing the new state that the microprocessor should adopt calculated by the state calculation means and the state of the microprocessor that was input through the state signal input means. This is disclosed in Japanese Patent Number 4359632 (hereinafter referred to as Patent Reference 2).
However, the microprocessor operation inspection system disclosed in Patent Reference 2 is subject to the problem that the construction of the operation detection circuitry is complicated, since it is necessary to incorporate in the operation inspection circuit a circuit that simulates beforehand the program that is being executed by the microprocessor, in the form of a state machine, and the new state that should be taken by the microprocessor must be calculated.
A further problem is that maintenance is complicated and troublesome, since it is necessary to alter the circuit that performs the simulation every time the program is altered.
Yet a further problem with this system is that, although it is possible to detect whether or not the start-up sequence of program tasks is normal, the number of times of looping cannot be detected even when the sequence of loop start-ups is correct, so it is not possible to detect whether or not loop processing has been performed correctly for the preset number of times.
Also, there is the problem that when abnormality has occurred in the task start-up sequence, it is not possible to decide whether this represents abnormality of the microprocessor or abnormality of the operation inspection circuit.
According to an aspect of the present technology, a microprocessor operation monitoring system is provided whereby it is easy to define the new states that should be taken by the program that is being executed and whereby it is possible to decide not only the start-up sequence of program tasks but also whether or not loop processing has been correctly executed.
In order to achieve the above, a microprocessor monitoring system according to the present invention comprises: a microprocessor; and an operation monitoring device of abovementioned microprocessor, wherein:
abovementioned microprocessor comprises:
a computation section that executes a program;
a storage section that stores abovementioned program comprising a plurality of tasks; and
a task information communication section that generates a transition announcement signal that announces beforehand to abovementioned operation monitoring device, in synchronization with the execution of abovementioned task of abovementioned program that is executed by abovementioned computation section, a first task number that is to be started up and a second task number that is next to be started up, and a start-up signal that announces the task that is to be started up next, following this transition announcement signal;
abovementioned tasks comprise:
a start-up instruction arranged at the head-end of its own task, that reports start-up of its own task; the processing program of abovementioned task in question; and a transition announcement instruction that reports the task that is next to be started up after abovementioned task in question, arranged at the tail-end of abovementioned task in question;
abovementioned task information communication section generates abovementioned start-up signal on receipt of abovementioned start-up instruction and generates abovementioned transition announcement signal on receipt of abovementioned transition announcement instruction; and
abovementioned operation monitoring device decides whether the start-up sequence of abovementioned tasks of abovementioned program are consistent or inconsistent by comparing abovementioned second task number included in abovementioned transition announcement signal and abovementioned first task number included in abovementioned start-up signal; and,
furthermore, if loop processing is present in abovementioned program, attaches to abovementioned transition announcement instruction the preset number of times of looping in respect of abovementioned second task that provides the commencement point of loop processing, and
abovementioned task information communication section attaches abovementioned number of times of looping to a transition announcement signal corresponding to this transition announcement instruction, and
abovementioned operation monitoring device stores abovementioned number of times of looping of abovementioned first task number attached to abovementioned transition announcement signal and totals abovementioned number of times of looping every time abovementioned first task number is detected in abovementioned start-up signal of subsequent start-ups, and determines matching of this total value with the stored abovementioned number of times of looping; and constitutes its own task by associating beforehand the task number of the task that is next to be started up, for each of the tasks constituting the program and performs a comparative determination of matching of the announced task with the task that is thus started up, and thereby detects abnormality of operation of the microprocessor.
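The two determinations made by the operation monitoring device above, namely comparison of the announced second task number with the first task number of the following start-up signal, and totalling of loop-head start-ups against the preset number of times of looping, are modelled below in C as an added illustration that is not part of this application or of the disclosed device. Everything not stated in the application is an assumption: the entry task is taken to be known to the monitor at reset, task numbers are bounded at 16, the loop total is verified at an end-of-cycle point (the application does not fix when the comparison occurs), and the two signal traces are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_TASKS 16      /* assumed upper bound on task numbers used by the program */
#define NO_TASK   0xFF    /* sentinel: no transition announcement is pending */

/* The two kinds of signal the task information communication section emits. */
typedef enum { SIG_TRANSITION, SIG_STARTUP } sig_kind_t;

typedef struct {
    sig_kind_t kind;
    uint8_t  first;   /* announcing task (transition) or task now starting up (start-up) */
    uint8_t  second;  /* task announced as next; transition signals only */
    uint16_t loops;   /* preset number of times of looping attached, 0 = none */
} signal_t;

typedef struct {
    uint8_t  announced_next;             /* second task number of the pending announcement */
    uint16_t expected_loops[MAX_TASKS];  /* stored preset count per loop-head task, 0 = none */
    uint16_t seen_loops[MAX_TASKS];      /* start-ups of that loop head totalled so far */
    unsigned sequence_errors;            /* announced task != task actually started */
    unsigned loop_errors;                /* totalled loop start-ups != stored preset count */
} monitor_t;

/* Assumption: the monitor knows the entry task, so the first start-up is checked too. */
void monitor_init(monitor_t *m, uint8_t entry_task) {
    memset(m, 0, sizeof *m);
    m->announced_next = entry_task;
}

/* Compare the totalled start-ups of a loop head with its stored preset count, then clear it. */
static void close_loop(monitor_t *m, uint8_t task) {
    if (task < MAX_TASKS && m->expected_loops[task] != 0) {
        if (m->seen_loops[task] != m->expected_loops[task])
            m->loop_errors++;
        m->expected_loops[task] = 0;
        m->seen_loops[task] = 0;
    }
}

/* Transition announcement: remember which task must start next; if a loop count is
 * attached, store it against the second task (the commencement point of the loop). */
void monitor_on_transition(monitor_t *m, uint8_t first, uint8_t second, uint16_t loops) {
    (void)first;                 /* the announcing task is not needed for the two checks */
    m->announced_next = second;
    if (loops != 0 && second < MAX_TASKS) {
        close_loop(m, second);   /* a re-announced loop head ends the previous instance */
        m->expected_loops[second] = loops;
    }
}

/* Start-up signal: the started task must equal the announced one; each start-up of a
 * loop head with a stored count is added to its total. */
void monitor_on_startup(monitor_t *m, uint8_t first) {
    if (m->announced_next == NO_TASK || m->announced_next != first)
        m->sequence_errors++;
    m->announced_next = NO_TASK;  /* one start-up consumes one announcement */
    if (first < MAX_TASKS && m->expected_loops[first] != 0)
        m->seen_loops[first]++;
}

/* Assumed check point: at the end of a program cycle every pending loop total is verified. */
void monitor_end_of_cycle(monitor_t *m) {
    for (uint8_t t = 0; t < MAX_TASKS; t++)
        close_loop(m, t);
}

/* Feed a signal trace to a fresh monitor; returns the number of abnormalities detected. */
unsigned run_trace(const signal_t *sig, size_t n, monitor_t *out) {
    monitor_t m;
    monitor_init(&m, 1);   /* task 1 is the entry task in the constructed traces */
    for (size_t i = 0; i < n; i++) {
        if (sig[i].kind == SIG_TRANSITION)
            monitor_on_transition(&m, sig[i].first, sig[i].second, sig[i].loops);
        else
            monitor_on_startup(&m, sig[i].first);
    }
    monitor_end_of_cycle(&m);
    if (out) *out = m;
    return m.sequence_errors + m.loop_errors;
}
unsigned trace_sequence_errors(const signal_t *sig, size_t n) {
    monitor_t m; run_trace(sig, n, &m); return m.sequence_errors;
}
unsigned trace_loop_errors(const signal_t *sig, size_t n) {
    monitor_t m; run_trace(sig, n, &m); return m.loop_errors;
}

#define ANNOUNCE(f, s, l) { SIG_TRANSITION, (f), (s), (l) }
#define STARTUP(f)        { SIG_STARTUP, (f), NO_TASK, 0 }

/* Constructed trace: 1 -> (2 -> 3) x 3 -> 4; task 1 announces loop head 2 with count 3. */
static const signal_t trace_good[] = {
    STARTUP(1), ANNOUNCE(1, 2, 3),
    STARTUP(2), ANNOUNCE(2, 3, 0), STARTUP(3), ANNOUNCE(3, 2, 0),
    STARTUP(2), ANNOUNCE(2, 3, 0), STARTUP(3), ANNOUNCE(3, 2, 0),
    STARTUP(2), ANNOUNCE(2, 3, 0), STARTUP(3), ANNOUNCE(3, 4, 0),
    STARTUP(4),
};
/* Constructed faulty trace: the loop runs only twice, and task 3 announces 2 but 4 starts. */
static const signal_t trace_bad[] = {
    STARTUP(1), ANNOUNCE(1, 2, 3),
    STARTUP(2), ANNOUNCE(2, 3, 0), STARTUP(3), ANNOUNCE(3, 2, 0),
    STARTUP(2), ANNOUNCE(2, 3, 0), STARTUP(3), ANNOUNCE(3, 2, 0),
    STARTUP(4),
};
#define TRACE_GOOD_LEN (sizeof trace_good / sizeof trace_good[0])
#define TRACE_BAD_LEN  (sizeof trace_bad  / sizeof trace_bad[0])

int main(void) {
    printf("good trace: %u abnormality(ies)\n", run_trace(trace_good, TRACE_GOOD_LEN, NULL));
    printf("bad trace:  %u abnormality(ies)\n", run_trace(trace_bad, TRACE_BAD_LEN, NULL));
    return 0;
}
```

The monitor holds no model of the program itself: the expected next task arrives with each transition announcement, which is why altering the program does not require altering the monitor, and the loop count is verified independently of the start-up sequence, so the faulty trace is reported as both a sequence abnormality and a loop-count abnormality.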
With the present invention, a microprocessor operation monitoring system can be provided wherein creation of the new state that will be taken by the program that is being executed can easily be achieved and wherein not merely the start-up sequence of tasks of the program but also whether or not loop processing has been correctly processed can be ascertained.