1. Field of the Invention
This invention relates to an electronic control unit having multiple microprocessors, and particularly to an electronic control unit where on-board loading of a control program and control data into each of the microprocessors is possible.
2. Description of Related Art
As disclosed for example in Japanese Patent Application Laid-Open No. Hei 2-99746, electronic control units for vehicles have been proposed which include a microprocessor having a nonvolatile memory such as an EEPROM or a flash EEPROM (hereinafter referred to as a flash memory) electrically reloadable with data and are constructed so that a control program and control data stored in this nonvolatile memory can be reloaded even after the electronic control unit is supplied to the market.
In an electronic control unit of this kind, during normal operation the microprocessor controls an object of control such as an engine by executing a control program made up of data stored in the nonvolatile memory. When the data (a control program and control data referred to in the execution of the control program) stored in the nonvolatile memory is to be reloaded, a separate memory loading unit is connected to the electronic control unit and the memory loading unit and the microprocessor are thereby connected by way of a communication line. Then, when predetermined reloading conditions are established, the microprocessor carries out a loading process wherein it receives load data (i.e., data constituting a new control program and new control data) transmitted to it from the memory loading unit and loads this load data into the nonvolatile memory as an update.
Therefore, with this kind of electronic control unit, because it becomes possible to carry out so-called onboard loading, in which a control program and control data are loaded into the nonvolatile memory of the microprocessor after the microprocessor has been mounted in the electronic control unit, even if it is necessary to change the content of the operation of the unit (the control content) after the unit is supplied to the market, this can be done easily.
Also, in the case of this kind of electronic control unit in which on-board loading is possible, in the process of manufacturing the unit it is possible to newly load a control program and control data into the nonvolatile memory of the microprocessor after the microprocessor is mounted in the unit.
However, in recent years, among electronic control units of this type, as their control content has become more complex, units having multiple microprocessors have become the norm, and there has been a need for this kind of electronic control unit to be constructed so that on-board loading is possible with respect to each of these multiple microprocessors.
Also, generally, in an electronic control unit having a microprocessor, to ensure safety of the control performed by the unit it is necessary to monitor whether or not the control program is being executed normally in the microprocessor and for the microprocessor to be reset (initialized) when an abnormality occurs.
In the case of an electronic control unit having multiple microprocessors, sometimes a specified microprocessor monitors the operation of another microprocessor (whether or not a control program is being executed normally by that other microprocessor) and resets that other microprocessor when it detects a failure. If this kind of construction is employed, because it is not necessary to provide a hardware circuit such as a so-called watchdog circuit for monitoring the microprocessor for each microprocessor, safety of control can be ensured with a simple unit construction.
However, when an electronic control unit is constructed so that on-board loading with respect to each of multiple microprocessors is possible as described above and also a specified microprocessor monitors the operation of another microprocessor, the following problem arises.
That is, in the process of manufacturing the electronic control unit, after the microprocessors are mounted, when first a control program and so on are newly loaded into a monitoring side microprocessor (hereinafter called the monitoring microprocessor) which is to monitor another microprocessor and then after that an attempt is made to newly load a control program and so on into a monitored side microprocessor (hereinafter called the monitored microprocessor), whereas the monitoring microprocessor executes the control program already loaded into it and performs its normal operation, the monitored microprocessor does not execute its normal control program and instead carries out a loading process, and consequently the monitored microprocessor is determined by the monitoring microprocessor to have suffered a failure. As a result, the monitored microprocessor performing the loading process (in other words in the process of loading a control program and so on) is reset by the operation of the monitoring microprocessor and it becomes impossible to carry out loading of the control program and so on with certainty.
Further, to satisfy the need for independent reloadability of multiple microprocessors by applying the related art disclosed in Japanese Laid-Open Patent Publication No. Hei 7-311603, it is conceivable to employ a method wherein for each microprocessor a communication circuit and a communication line for carrying out data communication between the microprocessor and external circuitry are provided and a memory loading unit is selectively connected exclusively to the communication circuit and the communication line corresponding to the microprocessor into which a control program and control data are to be reloaded.
However, when this kind of construction is used, data communication hardware such as a communication circuit must be provided for each microprocessor, and consequently the unit becomes large and its cost increases.
If, on the other hand, a construction is employed wherein all of the microprocessors mounted in the electronic control unit use a single communication line commonly to carry out data communication with external devices such as a memory loading unit, although less data communication hardware is required, when this kind of construction is adopted simply, the following problem arises.
That is, while reloading of data into the nonvolatile memory of any one microprocessor is being carried out, if another microprocessor transmits data to the communication line, the data being received by the microprocessor carrying out a loading process for data reloading is destroyed by the data transmitted from the other microprocessor and, as a result of this, incorrect data is loaded into the nonvolatile memory of the microprocessor that is the object of the data reloading.
It is therefore an object of the present invention to provide an electronic control unit in which one microprocessor monitors the operation of another microprocessor, and even when a control program is loaded into the monitoring microprocessor before a control program is loaded into the monitored microprocessor a control program can be loaded into the monitored microprocessor with certainty and thus both one microprocessor monitoring another microprocessor and the ability to carry out on-board loading of control programs into each of the microprocessors individually are realized with certainty at the same time.
An electronic control unit according to a first aspect of the present invention for achieving the above-mentioned object and other objects provided by the invention includes first and second microprocessors each having a nonvolatile memory electrically reloadable with data.
During normal operation, the first microprocessor controls an object of control by executing a first control program made up of data stored in its nonvolatile memory and the second microprocessor controls an object of control by executing a second control program made up of data stored in its nonvolatile memory. Also, as it executes the first control program, the first microprocessor monitors whether or not the second control program is being executed normally by the second microprocessor and when it determines that a failure has occurred in the execution of the second control program, resets the second microprocessor. In this way, without providing a hardware circuit dedicated to monitoring the operation of the second microprocessor, it is possible to avoid program runaway in the second microprocessor and ensure safety of control.
When a predetermined reloading condition is established, on the other hand, either of the two microprocessors can carry out a loading process for loading load data transmitted to it from outside into its nonvolatile memory as an update, and in this connection this first electronic control unit includes monitoring operation blocking means. This monitoring operation blocking means prevents the second microprocessor from being reset by the operation of the first microprocessor while the second microprocessor is carrying out the above-mentioned loading process.
As a result, in the process of manufacturing this electronic control unit, even when a loading order is employed wherein, after the microprocessors are installed, the constituent data of the first control program is newly loaded into the first microprocessor (specifically, into the nonvolatile memory thereof) first and then after that the constituent data of the second control program is newly loaded into the second microprocessor (specifically, into the nonvolatile memory thereof), which is the monitored side, the second microprocessor in the process of carrying out a loading process is prevented from being reset by the operation of the first microprocessor that is the monitoring side.
Therefore, with this electronic control unit of the invention, even when a control program (the first control program) is loaded into the first microprocessor that is the monitoring side before a control program is loaded into the second microprocessor that is the monitored side, it is possible to load a control program (the second control program) into the second microprocessor that is the monitored side with certainty, and thus whatever the order in which the control programs are loaded into the two microprocessors, loading can be carried out with certainty. As a result, both one microprocessor monitoring another microprocessor and the ability to carry out on-board loading of control programs into each of the microprocessors individually can be realized with certainty at the same time.
If the above-mentioned nonvolatile memory electrically reloadable with data is, for example, an EEPROM or a flash memory, when newly loading or reloading data into the nonvolatile memory it is necessary for a predetermined loading voltage higher than a normal operating voltage to be supplied to the microprocessor.
In this connection, in the electronic control unit of this aspect of the present invention, when the second microprocessor carries out the above-mentioned loading process with at least a predetermined loading voltage being supplied as a condition, as in a second electronic control unit provided by the invention, the above-mentioned monitoring operation blocking means can be provided to detect whether or not the loading voltage is being supplied and, when the loading voltage is being supplied, prevent the second microprocessor from being reset by the operation of the first microprocessor.
With this electronic control unit, whether or not the second microprocessor is carrying out a loading process can be detected simply, without a special process or circuit being provided.
Also, if when determining that a failure has occurred in the execution of the second control program the first microprocessor outputs a reset signal to the second microprocessor, the above-mentioned monitoring operation blocking means can prevent the second microprocessor from being reset by preventing the reset signal outputted from the first microprocessor from being inputted into the storage medium.
When this is done, resetting of the second microprocessor by the operation of the first microprocessor when the second microprocessor is carrying out the above-mentioned loading process can be prevented with certainty.
As the monitoring operation blocking means in this case, a switching device or a logical circuit device for making or breaking a signal line through which the reset signal is sent from the first microprocessor to the second microprocessor can be used, and a certain effect can thereby be obtained with a simple construction.
According to another aspect of the present invention, in addition to first and second microprocessors described above, there are provided system monitoring means and blocking means, and the first microprocessor, as it executes the first control program, outputs a monitor signal indicating that it is normal at predetermined intervals and monitors whether or not the second control program in the nonvolatile memory of the second microprocessor is being executed normally by the second microprocessor, and when determining that a failure has occurred in the execution of this second control program stops outputting the monitor signal.
The system monitoring means monitors the monitor signal outputted from the first microprocessor, and when this monitor signal is not outputted within a time set longer than the above-mentioned predetermined time, outputs a reset signal to both the first and second microprocessors.
Also, the blocking means prevents either of the two computers from being reset by the system monitoring means while either of the two microprocessors is carrying out the loading process.
With this electronic control unit, during normal operation, i.e., when neither of the two microprocessors is carrying out a loading process, not only when a failure occurs in the first microprocessor itself but also when a failure occurs in the second microprocessor and the first microprocessor detects that failure does the outputting by the first microprocessor of the above-mentioned monitor signal stop, and along with this a reset signal is outputted to both of the microprocessors from the system monitoring means. Thus, a failure occurring in either of the microprocessors during normal operation can be detected and resolved with a single system monitoring means only.
Furthermore, when either or both of the microprocessors is carrying out a loading process, the action of the blocking means prevents either of the microprocessors from being reset by the system monitoring means.
Therefore, with this fifth electronic control unit, whatever the order in which the control programs are loaded into the two microprocessors, that loading can be carried out with certainty, and furthermore it is possible to realize both monitoring of both of the microprocessors and the ability to carry out on-board loading of control programs into each of the microprocessors individually with an extremely simple construction.
In the electronic control unit according to this aspect of the invention, when the microprocessors are constructed to carry out the above-mentioned loading process with at least a predetermined loading voltage being supplied as a condition, the blocking means can detect whether or not the loading voltage is being supplied to either of the microprocessors and prevent either of the microprocessors from being reset by the system monitoring means when the loading voltage is being supplied to either of the microprocessors.
When this is done, the same effect as above, that is, the effect that it is possible to simply detect whether or not either of the microprocessors is carrying out a loading process without providing a special process or circuit, can be obtained.
Also, using the blocking means for preventing the reset signal outputted from the system monitoring means from being inputted into either of the microprocessors, it is possible to prevent either of the two microprocessors from being reset while it is carrying out a loading process.
If the system monitoring means is made up of a counter which performs a counting operation at intervals of a fixed period and has its count value initialized by the monitor signal outputted from the first microprocessor and reset signal outputting means for outputting the reset signal to both of the microprocessors when the count value of the counter reaches a predetermined value and the first microprocessor as it executes the first control program in its own nonvolatile memory outputs the monitor signal to the counter at intervals of a period shorter than the time taken for the count value of the counter to reach said predetermined value after being initialized, the blocking means can prevent either of the computers from being reset by forcibly stopping the counting operation of the counter.
That is, the system monitoring means is a so-called watchdog timer circuit, and output of the reset signal to the two microprocessors is prohibited by stopping the counting operation of a watchdog timing counter of the watchdog timer circuit. With this electronic control unit, resetting of the two microprocessors can be prevented with certainty by means of a simple construction.
It is also an object of the present invention to provide an electronic control unit with which it is possible, with a simple construction, to reload with certainty a control program and control data inside each of multiple microprocessors.
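The watchdog arrangement described above can be modelled in a few lines of C. This is an added example, not part of the original specification: the struct ecu, the tick model, the constants WDT_LIMIT and KICK_PERIOD and the blocking_fitted switch are assumptions introduced here to compare the unit with and without the blocking means.

```c
#include <stdbool.h>
#include <stdio.h>

#define WDT_LIMIT   8u   /* constructed: count at which the reset signal is output */
#define KICK_PERIOD 3u   /* constructed: monitor-signal period, shorter than WDT_LIMIT */
#define RUN_TICKS   40u  /* constructed: length of each simulated run */

struct ecu {
    bool cpu1_ok;          /* first microprocessor is executing the first control program */
    bool cpu2_ok;          /* first microprocessor judges the second control program normal */
    bool vpp[2];           /* loading voltage supplied to microprocessor 1 / 2 */
    bool blocking_fitted;  /* hypothetical switch: model the unit with or without blocking means */
    unsigned count;        /* watchdog counter of the system monitoring means */
};

/* First microprocessor: the monitor signal is output only while it runs
 * normally itself and judges the second control program to be running normally. */
static bool monitor_signal(const struct ecu *e, unsigned tick)
{
    return e->cpu1_ok && e->cpu2_ok && (tick % KICK_PERIOD == 0u);
}

/* Blocking means: counting is forcibly stopped while the loading voltage
 * is supplied to either microprocessor. */
static bool counting_stopped(const struct ecu *e)
{
    return e->blocking_fitted && (e->vpp[0] || e->vpp[1]);
}

/* Advance the model by `ticks` counter periods and return how many times the
 * reset signal was output to both microprocessors. The model keeps the same
 * state after a reset so that repeated interruptions are counted. */
unsigned run_ticks(struct ecu *e, unsigned ticks)
{
    unsigned resets = 0;
    for (unsigned t = 0; t < ticks; t++) {
        if (monitor_signal(e, t))
            e->count = 0;               /* monitor signal initializes the counter */
        else if (!counting_stopped(e))
            e->count++;                 /* normal counting operation */
        if (e->count >= WDT_LIMIT) {    /* reset signal outputting means */
            resets++;
            e->count = 0;
        }
    }
    return resets;
}

/* One run with the first microprocessor already programmed and healthy. */
unsigned scenario(bool cpu2_ok, bool vpp2, bool blocking_fitted)
{
    struct ecu e = { true, cpu2_ok, { false, vpp2 }, blocking_fitted, 0u };
    return run_ticks(&e, RUN_TICKS);
}

int main(void)
{
    printf("normal operation, both healthy:        %u resets\n", scenario(true, false, true));
    printf("normal operation, second failed:       %u resets\n", scenario(false, false, true));
    printf("second loading, no blocking means:     %u resets\n", scenario(false, true, false));
    printf("second loading, blocking means fitted: %u resets\n", scenario(false, true, true));
    return 0;
}
```

In this model the counter never advances while the loading voltage is present, so a runaway that occurs during loading is not caught by this watchdog.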
An electronic control unit according to this aspect of the present invention provided to achieve the above-mentioned object and other objects has multiple microprocessors each having a nonvolatile memory electrically reloadable with data and is constructed so that all of the microprocessors commonly use the same single communication line to conduct communication with the outside.
During normal operation each of the microprocessors executes a control program for controlling a predetermined object of control according to a control program and control data made up of data stored in the nonvolatile memory, whereby the control operation of the electronic control unit is carried out.
Also, each of the microprocessors, when a predetermined reloading condition is established, conducts a loading process for receiving load data transmitted thereto from external circuitry and loading it into its nonvolatile memory as an update. Thus, by the loading condition being established for one of the microprocessors at a time and load data constituting a new control program and control data being transmitted to the electronic control unit from external circuitry, the data inside the nonvolatile memory of each of the microprocessors can be reloaded one microprocessor at a time.
Here, the electronic control unit according to this aspect of the invention is provided with communication operation controlling means, and this communication operation controlling means, when any one of the microprocessors is executing the loading process, prohibits the other microprocessors from transmitting data to the communication line.
Consequently, when any one of the microprocessors is executing a loading process for reloading data, the other microprocessors are prohibited from transmitting data to the communication line, and as a result the data received by the microprocessor that is the object of reloading is certainly prevented from being destroyed by data transmitted by another microprocessor.
Therefore, with this electronic control unit, notwithstanding that all the microprocessors are using the same single communication line, the control program and control data stored in the nonvolatile memory of each of the microprocessors can be reloaded with certainty. Furthermore, because all the microprocessors use the same communication line, the control program and control data of each of the microprocessors can be reloaded without extra hardware for data communication such as communication circuits being provided.
The function of the above-mentioned communication operation controlling means can be realized by determining means provided in each of the microprocessors for determining whether or not another microprocessor is executing the loading process and transmission prohibiting means provided in each of the microprocessors together with the determining means for prohibiting data transmission from its microprocessor to the communication line when the determining means makes an affirmative determination.
That is, with the determining means each microprocessor determines whether or not another microprocessor is executing a loading process and when this determination is affirmative (in other words, when it is determined that another microprocessor is executing a loading process) prohibits its own data transmission to the communication line with the transmission prohibiting means and therefore when any one microprocessor is executing a loading process, the other microprocessors are prohibited from transmitting data to the communication line.
Because the function of the determining means and the transmission prohibiting means (and hence the function of the communication operation controlling means) can be realized by execution of a program in a microprocessor (so-called soft processing), the effects of the invention can be obtained without providing any special hardware.
Here, if each of the microprocessors includes identification information storing means for storing identification information concerning the microprocessor and when identification information transmitted from external circuitry matches the identification information stored in the identification information storing means, deems that the reloading condition has been established and executes the loading process, the determining means provided in each of the microprocessors need only compare the identification information transmitted from outside with the identification information stored in the identification information storing means, and when the two do not match, determine that another microprocessor is executing the loading process.
Because it is possible to specify the microprocessor that is the object of data reloading (the microprocessor to execute a loading process) by transmitting identification information into the electronic control unit from outside through the communication line and reload the control program and control data stored in the nonvolatile memory of that microprocessor with certainty, even if the number of microprocessors used in the electronic control unit increases it is possible to handle them easily without adding special circuits.
As the identification information storing means, the reloadable nonvolatile memory may be used or another nonvolatile memory inside the microprocessor may be used. Instead of the identification information being stored in the form of data, identification information may be assigned to each of the microprocessors by a predetermined input port of the microprocessor being pulled high or pulled low. In this case, since the input port is equivalent to identification information storing means, the determining means can ascertain its own respective identification code by reading the input level of that input port.
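The identification-based determining means and transmission prohibiting means can be illustrated with a small C model of the shared communication line. This is an added example, not part of the original specification: the wired-AND line behaviour, the 0x00 status byte, the slot schedule, the image bytes and all function names are assumptions constructed for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LINE_IDLE 0xFFu  /* assumption: idle line reads all ones, driven bytes AND together */
#define IMG_LEN   8u

struct mcu {
    uint8_t id;              /* identification information storing means */
    bool    loading;         /* reloading condition established for this microprocessor */
    bool    tx_prohibited;   /* state set by the transmission prohibiting means */
    uint8_t flash[IMG_LEN];  /* stand-in for the reloadable nonvolatile memory */
};

/* Determining means: compare the identification information received from
 * outside with the stored one. A mismatch means another microprocessor is
 * executing the loading process, so this one must stay off the line. */
static void on_id_frame(struct mcu *m, uint8_t rx_id, bool prohibit_fitted)
{
    m->loading = (rx_id == m->id);
    m->tx_prohibited = prohibit_fitted && !m->loading;
}

/* Constructed normal-operation traffic: each unit sends a status byte in its own slot. */
static bool wants_to_send(const struct mcu *m, size_t slot)
{
    return !m->loading && !m->tx_prohibited && (slot % 4u == m->id % 4u);
}

/* Transmit `image` to the unit whose ID is `target_id`. Returns the number of
 * bytes stored incorrectly in the target, or -1 if no unit matched the ID. */
int reload(struct mcu *units, size_t n, uint8_t target_id,
           const uint8_t *image, bool prohibit_fitted)
{
    struct mcu *target = NULL;
    for (size_t i = 0; i < n; i++) {
        on_id_frame(&units[i], target_id, prohibit_fitted);
        if (units[i].loading)
            target = &units[i];
    }
    if (target == NULL)
        return -1;

    for (size_t slot = 0; slot < IMG_LEN; slot++) {
        uint8_t line = (uint8_t)(LINE_IDLE & image[slot]);  /* loader drives the load data */
        for (size_t i = 0; i < n; i++)
            if (wants_to_send(&units[i], slot))
                line &= 0x00u;                              /* status byte 0x00 collides */
        target->flash[slot] = line;                         /* loading process stores what it saw */
    }

    int bad = 0;
    for (size_t i = 0; i < IMG_LEN; i++)
        bad += (target->flash[i] != image[i]);
    return bad;
}

/* Three units with constructed IDs 1..3 and a constructed 8-byte image. */
int demo(uint8_t target_id, bool prohibit_fitted)
{
    static const uint8_t image[IMG_LEN] =
        { 0xA5, 0x3C, 0xFF, 0x10, 0x7E, 0x81, 0xC3, 0x0F };
    struct mcu units[3] = { { .id = 1 }, { .id = 2 }, { .id = 3 } };
    return reload(units, 3, target_id, image, prohibit_fitted);
}

int main(void)
{
    printf("target 2, transmission prohibited: %d bad bytes\n", demo(2, true));
    printf("target 2, no prohibition:          %d bad bytes\n", demo(2, false));
    printf("unknown ID 9:                      %d\n", demo(9, true));
    return 0;
}
```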
If the nonvolatile memory is reloadable with data when a predetermined loading voltage is impressed and each of the microprocessors deems that the reloading condition has been established and executes the loading process when the loading voltage is supplied to it and the electronic control unit further includes voltage supplying means for supplying the loading voltage to one of the microprocessors at a time, the determining means provided in each of the microprocessors need only monitor whether or not the loading voltage is being supplied to another microprocessor and when the loading voltage is being supplied to another microprocessor, determine that another microprocessor is executing the loading process.
By a loading voltage being supplied to any one of the microprocessors by the voltage supplying means, a control program and control data stored in the nonvolatile memory of any of the microprocessors can be reloaded, and because it is not necessary to prestore identification information in the microprocessors, the manufacturability of the unit can be increased.
That is, when the microprocessors used in the electronic control unit all have the same specifications, it is sufficient to install them in the unit without particularly distinguishing them from each other and then newly load data (a control program and control data) into the nonvolatile memory of each of the microprocessors after that, and therefore in the manufacture of the electronic control unit it is possible to cut out a management process for distinguishing the respective microprocessors.
As the voltage supplying means, a power supply circuit disposed inside the electronic control unit and outputting a loading voltage to any of the microprocessors according to an external command can be used. It is also possible to employ a construction wherein multiple power supply lines extending from loading voltage input terminals of the microprocessors outside the electronic control unit are provided as the voltage supplying means and the loading voltage is selectively supplied from outside exclusively to any one of these power supply lines.
When a construction is employed wherein the voltage supplying means outputs a loading voltage to any microprocessor according to an external command, a still greater effect can be obtained.
In this electronic control unit, the voltage supplying means is constructed so that when a power supply to the electronic control unit is switched on while the voltage supplying means is receiving from outside any one of multiple loading permission signals set in respective correspondence with the microprocessors, the voltage supplying means starts supplying the loading voltage to the microprocessor corresponding to that loading permission signal and when the voltage supplying means stops receiving the loading permission signal or the power supply to the electronic control unit is switched off, the voltage supplying means stops supplying the loading voltage.
With this construction, by switching on the power supply to the electronic control unit while applying a loading permission signal corresponding to the microprocessor that is the object of reloading, it is possible to supply a loading voltage to that microprocessor and thereby make it execute the loading process, and thus it is possible to reload the control program and control data stored in the nonvolatile memory of any of the microprocessors, while reversely, when the power supply to the electronic control unit has already been switched on, even if the above-mentioned loading permission signal is incorrectly applied as a result of an influence such as noise, the voltage supplying means does not supply a loading voltage to any of the microprocessors. Thus, it is possible to certainly prevent the content loaded in the nonvolatile memory of any of the microprocessors from being reloaded at an inappropriate time.
Each of the microprocessors may have a switching device capable of making or breaking an electrical path between the inside of that microprocessor and the communication line, and the transmission prohibiting means provided in each of the microprocessors may prohibit the transmission of data from its microprocessor to the communication line by causing the switching device to break the electrical path.
When any one of the microprocessors is executing a loading process, the other microprocessors can be certainly prohibited from transmitting data to the communication line.
Also, the transmission prohibiting means provided in each of the microprocessors may prohibit the transmission of data from its microprocessor to the communication line by prohibiting the execution by its microprocessor of a program for transmission processing provided for conducting data transmission.
When any one of the microprocessors is executing a loading process, the other microprocessors can be easily prohibited from transmitting data to the communication line.
Besides being realized by determining means and transmission prohibiting means provided in each of the microprocessors, the function of the communication operation controlling means can also be realized wherein the nonvolatile memory is reloadable with data when a predetermined loading voltage is impressed and each of the microprocessors deems that the reloading condition has been established and executes the loading process when the loading voltage is supplied to it and the electronic control unit further includes voltage supplying means for supplying the loading voltage to one of the microprocessors at a time. Also, the communication operation controlling means may consist of a connection switching circuit for specifying a microprocessor to which the loading voltage is being supplied by the voltage supplying means and connecting only the specified microprocessor to the communication line.
That is, in this eighth electronic control unit, instead of providing determining means and transmission prohibiting means in each of the microprocessors, a connection switching circuit for connecting only a microprocessor supplied with a loading voltage to the communication line and executing a loading process for reloading data is provided separately from the microprocessors.
With this construction, it is possible to certainly reload the control program and control data stored in any of the microprocessors without prestoring identification information inside the microprocessors, and in the manufacture of the electronic control unit it is possible to cut out a management process for distinguishing the respective microprocessors.
Also, it is possible to certainly prevent the content loaded in the nonvolatile memory of any of the microprocessors being reloaded at an inappropriate time.
Other objects and features of the present invention will appear in the course of the description thereof, which follows.