The onboard electronic control unit (hereinafter referred to as “ECU”) mounted in a vehicle includes a microcomputer having a memory in which diverse programs are stored, and a CPU. The onboard electronic control unit controls the respective parts of a vehicle with the execution of the diverse programs by the CPU. The memory is generally formed of a nonvolatile memory such as a flash memory or an EEPROM so as to allow the rewriting of the programs (hereinafter referred to as “reprogramming”). The reprogramming of the memory is generally performed in such a manner that the CPU executes a reprogramming program (hereinafter referred to as “reprogramming software”). The reprogramming program is stored as one of the diverse programs (for example, refer to PTL 1).
In reprogramming the memory, the reprogramming may fail due to diverse factors such as abnormal power-off of the ECU or an abnormal programming process. Assuming a failure of such reprogramming, PTL 1 discloses the following technique. The reprogramming software is configured to set an identification ID indicating that reprogramming is being executed during reprogramming, and if reprogramming has been normally completed, set an identification ID indicating this fact. The CPU first checks the identification ID at startup, and if the identification ID indicating that reprogramming has been normally completed is set, the CPU shifts to the execution of a normal control program (hereinafter referred to as “ECU software”). If the identification ID indicating that reprogramming is being executed remains set, the CPU again starts the reprogramming software, and waits for another reprogramming operation.
In more detail, the above technique can be realized by the following configuration. A storage area for the identification ID other than that for the reprogramming software is disposed in the memory, and a startup determination processing program is stored in the memory, and an address of the startup determination processing program is set in a reset vector. After reset, the CPU first acquires the address set in the reset vector, and executes the program (that is, startup determination processing program) of that address. The startup determination processing determines whether the identification ID indicates that reprogramming is being executed, or that reprogramming has been completed. The startup determination processing starts up normal ECU software when the identification ID indicates that reprogramming has been completed, and starts up the reprogramming software when the identification ID indicates that reprogramming is being executed.
With the above technique, even if reprogramming fails and the program in the memory becomes in an abnormal state, the startup determination processing executed in subsequent resetting determines whether the reprogramming has been successfully performed or not. If reprogramming is not normally completed, the CPU can again transition to the reprogramming waiting.
The abnormal program in the memory may occur due to diverse factors such as data corruption caused by noise or hardware failure in addition to the above-mentioned case in which the abnormal program occurs due to the failure of reprogramming. Even if reprogramming is normally completed, the program in the memory may be in the abnormal state due to a subsequent use state of the ECU or environment (particularly, electromagnetic environment).
Under the circumstance, a microcomputer of a typical ECU is configured to perform memory check (for example, ROM checksum) using software immediately after startup (after confirming the normal completion of reprogramming), and to perform the memory check periodically during the execution of the ECU software, and to perform reset of the microcomputer if it is determined that the memory is abnormal. In other words, the microcomputer is configured so as to appropriately cope with the abnormal program occurring during normal use in addition to the handling of a failure to reprogram.