The present invention relates to a malfunction preventing system for a microcomputer system, and more particularly to a microcomputer system capable of returning to normal operation upon detecting a malfunction in a program operation, for example, for calculation of fuel parameters for an automotive engine control.
When performing an automatic control with a computer, under normal conditions, the microcomputer sequentially executes a program. Accordingly, if the program execution is prevented by noise for example, normal control cannot be performed.
In analogue control devices, if malfunctions occur due to a low signal-to-noise ratio, the devices return to normal control when the ratio increases. On the contrary, in a microcomputer controller, once the program execution is destroyed because of a low signal-to-noise ratio, control does not return to the normal condition even if the hardware is operating and connected in a normal manner and the signal-to-noise ratio increases, for reasons described infra in more detail. Even if steps are taken substantially to eliminate noise, a malfunction in the microcomputer system makes it impossible to perform normal control thereafter. Particularly, in the case of an automotive engine which includes an ignition system having a high voltage generating apparatus, it is likely that malfunctions due to noise will occur. Since automobiles are normally used by persons who are not technical experts, it is preferable to take sufficient steps to protect the microcomputer system so that the vehicle is never rendered uncontrollable because of a malfunction.
In a microcomputer, an initialization is carried out prior to the start of operation. In general, the initialization is classified into "first initialization" and "second initialization". The former refers to hardware initialization of the central processor unit (CPU) after power is supplied, but before program execution. The latter refers to software initialization which occurs prior to the operation of a specified program and specifies the use of input-output (I/O) ports adapted to this specified program, sets initial values, and so forth.
The above first initialization (which is denoted solely by "initialization" hereinafter) is carried out by holding a reset signal at a low level for a predetermined time interval (e.g. 8 μs). The program operation starts from the time that the reset signal goes high.
For instance, referring to FIG. 1, A and B are, respectively, waveforms showing the changing values of power supply voltage and reset signal. At time T₁, power is supplied to the microcomputer system. Then, at time T₂, the reset signal rises and the program operation starts from this time. The time interval τ₁ from T₁ to T₂ is the time required for initializing. Even in the course of program operation, if the reset signal is low, the operation is stopped and reinitialization is carried out, so that the program is executed again from the beginning.
Accordingly, in the event that the reset signal instantaneously goes low, the initialization starts. However, since the reset signal goes high before the time τ₁ required for initializing has elapsed, it is impossible to start the normal operation.
As shown in FIG. 2, a program is stored in a read only memory (ROM) 200 so that each step of the program comprises an instruction (op code) and data (operand). The central processing unit (CPU) 100 places the address of a location in the ROM 200 on an address bus 300. CPU 100 then reads the instruction at the specified address of ROM 200 via a data bus 400 and executes it.
Accordingly, if even a one-bit error occurs in address bus 300 or in certain bits of data bus 400 because of noise interference, the program execution becomes erroneous; such errors are, for example, executing data as instructions, or reading data from the wrong address.
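The two failure modes named above can be reproduced in a small simulation. The following is an added example, not part of the original disclosure; the four op codes, the ROM contents and the function `run` are constructed for illustration. A transient one-bit error on the address bus during an operand fetch silently corrupts the result, while the same kind of error during an op code fetch makes the CPU execute an operand as an instruction and never return to the intended program.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy machine: each program step is an op code byte followed
   by an operand byte, matching the ROM layout described in the text. */
enum { OP_HALT = 0x00, OP_LOAD = 0x01, OP_ADD = 0x02, OP_JMP = 0x0A };

static const uint8_t rom[16] = {   /* constructed sample program */
    OP_LOAD, 0x0A,   /* 0x0: acc = 10 (operand happens to equal OP_JMP) */
    OP_ADD,  0x02,   /* 0x2: acc += 2                                   */
    OP_ADD,  0x03,   /* 0x4: acc += 3                                   */
    OP_HALT, 0x00,   /* 0x6: stop with acc == 15                        */
    OP_LOAD, 0xEE,   /* 0x8: unrelated routine...                       */
    OP_JMP,  0x08    /* 0xA: ...that loops forever                      */
};

typedef struct { uint8_t acc; int halted; int steps; } result_t;

/* Run from address 0. On bus cycle `fault_cycle` (0-based, one cycle per
   ROM read) the address on the bus is XORed with `mask`, modelling a
   transient one-bit error. fault_cycle = -1 gives a clean run. */
result_t run(int fault_cycle, uint8_t mask, int max_steps)
{
    result_t r = {0, 0, 0};
    uint8_t pc = 0;
    int cycle = 0;
    while (r.steps < max_steps) {
        uint8_t op  = rom[(pc ^ (cycle++ == fault_cycle ? mask : 0)) & 0x0F];
        uint8_t arg = rom[((pc + 1) ^ (cycle++ == fault_cycle ? mask : 0)) & 0x0F];
        r.steps++;
        switch (op) {
        case OP_LOAD: r.acc = arg;  pc += 2; break;
        case OP_ADD:  r.acc += arg; pc += 2; break;
        case OP_JMP:  pc = arg;              break;
        default:      r.halted = 1; return r;  /* OP_HALT or undefined */
        }
    }
    return r;  /* step budget exhausted: the program never halted */
}

int main(void)
{
    result_t clean = run(-1, 0, 100);     /* no fault                        */
    result_t data  = run(3, 0x04, 100);   /* operand read from wrong address */
    result_t code  = run(0, 0x01, 100);   /* operand executed as op code     */
    printf("clean: acc=%d halted=%d\n", clean.acc, clean.halted);
    printf("data : acc=%d halted=%d\n", data.acc, data.halted);
    printf("code : acc=%d halted=%d steps=%d\n", code.acc, code.halted, code.steps);
    return 0;
}
```

In the third run the bus returns to normal after a single cycle, yet the program counter stays inside the unrelated loop, which is why restoring the signal-to-noise ratio alone does not restore control.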