1. Field of the Invention
The present invention relates to an on-vehicle electronic control device, for example, an electronic control device incorporating a microprocessor used for performing fuel supply control for a vehicle engine, control of a throttle valve for air supply, or the like.
2. Description of the Related Art
In such an on-vehicle electronic control device as described above, as an anomaly diagnosis for a microprocessor that functions in cooperation with a program memory, runaway of the microprocessor is monitored using a watchdog timer, and program anomalies are monitored using a checksum.
Also, in an on-vehicle electronic control device equipped with an auxiliary microprocessor that is serially connected to the above-mentioned microprocessor and functions in cooperation with the microprocessor, a checksum is also performed on send/receive data in order to check communication data.
Up to now, there is proposed an “on-vehicle electronic control device” in which in order to self-check contents of a control program for a microprocessor by the microprocessor, the control program is divided into a plurality of segments to perform a checksum, thereby reducing a processing load of the microprocessor (see, for example, JP 2001-227402 A).
However, according to JP 2001-227402 A, there is a problem of degraded reliability in that an anomaly diagnosis for a program in question is performed based on the self-checking by the program in question per se. In addition, it is not guaranteed that the checksum is executed on a regular basis.
Up to now, there is proposed a “duplex asynchronous microcomputer system fault detector” in which a pair of microcomputers perform a checksum on one another, and upon detection of anomalies, stop watchdog signals corresponding to respective watchdog timers to cut off control outputs (see, for example, JP 06-259267 A).
According to JP 06-259267 A, there is a problem in that mutual transmission of data for a checksum cause an increase of input/output points of both the microcomputers. In addition, it is not guaranteed that the checksum is executed on a regular basis.
Further, up to now, there is proposed a “method of monitoring operations of two CPUs” which causes a system composed of two CPUs, a main CPU and a sub-CPU, to perform the following operations (see, for example, JP 05-081222 A). That is, in the case where the main CPU runs away out of control or is disabled, the two CPUs are both initiated and reactivated in response to a reset signal outputted from a watchdog timer circuit that is externally provided. In the case where the sub-CPU runs away out of control or is disabled, the main CPU monitors the fault, and a reset signal is outputted from the main CPU to the sub-CPU to initiate and reactivate the sub-CPU.
According to JP 05-081222 A, there is a problem in that if a microcomputer is reactivated in response to a reset pulse, a vehicle driver cannot recognize temporal occurrence of runaway of the microprocessor.
Meanwhile, up to now, there is proposed a “digital processor” in which when an anomaly is detected in a microcomputer by a watchdog timer, the operation of the microcomputer is completely stopped, and in order to recover the microcomputer, it is only after temporarily cutting off operational power supply to the microcomputer that the power is supplied again for the recovery (see, for example, JP 08-339308 A).
In this case, the microcomputer is not reactivated until a vehicle driver opens/closes a power switch. Thus, the above-mentioned digital processor has a feature that the vehicle driver can recognize the anomaly occurring in the microprocessor.
However, there is an inconvenience that a temporal malfunction due to noise forces a vehicle into stopping.
Further, up to now, there are proposed techniques related to the above such as an “input and output processing IC” (see, for example, JP 07-013912 A) and a “data communication equipment” (see, for example, JP 05-128065 A). JP 07-013912 A and JP 05-128065 A show that a microprocessor is serially connected with an input/output circuit and a slave microprocessor, respectively, and refer to a checksum with respect to serial communication data.
Also, there is proposed an “on-vehicle electronic control device” which relates to a pair of microprocessors performing serial communication with each other, and includes checksum means for communication data (see, for example, JP 07-269409 A).
The respective publications cited above relate strictly to a checksum involving communication data, and not to a checksum with respect to contents of a program memory.
All of the conventional techniques as described above have a problem in that cooperation and function allocation are not sufficiently realized when performing runaway monitoring and a checksum for a microprocessor and a program memory, and the functions individually processed fail to guarantee sufficient reliability of performance.