ECUs (Electronic Control Units) equipped with microcontrollers are used as vehicle control devices that control components such as the engine of a car. The software installed in a microcontroller is generally composed of an application program that describes the control processes, a device driver that describes the input/output processes, and an operating system (OS).
Vehicle control devices are required to achieve high safety because they perform control processes that are directly concerned with the safety of the vehicle occupants. As control processes become more sophisticated and larger in size, the enormous number of worker-hours needed to implement vehicle control devices with high safety has become a technical problem. Instead of developing all components of the vehicle control device under a development process corresponding to a high safety level, it is conceivable to develop only the portions of the software that require high safety under such a process, and to develop the remaining portions of the software under a normal development process. This achieves both high safety and reduced worker-hours for development. Such a method is referred to as decomposition of safety (Non Patent Literature 1).
In addition to decomposition of safety in the development process, the implementation cost of an ECU may be optimized while keeping a high safety level if multiple pieces of software with different safety levels can be implemented on the same microcontroller without interfering with each other. Specifically, a technique that prevents the memory areas accessed by each piece of software from interfering with one another is referred to as memory protection.
Memory protection is usually achieved by dedicated hardware referred to as an MPU (Memory Protection Unit), which monitors the address bus used to access memory areas in the microcontroller. A microcontroller that performs memory protection using an MPU has several operational modes, each corresponding to one of the safety levels. Typically, such a microcontroller has a user mode and a privilege mode. The user mode corresponds to low safety software (software whose required safety level is low), and the privilege mode corresponds to high safety software (software whose required safety level is high).
When the operational mode is switched, an authority configuration register that stores the current operational mode is rewritten. Low safety software operating in the user mode is typically prohibited from rewriting the authority configuration register, so it cannot switch itself from the user mode into the privilege mode. This restriction is intended to prevent unexpected operations from propagating into the high safety software because of malfunctions in the low safety software operating in the user mode. Therefore, switching from the user mode into the privilege mode is performed by generating a predetermined interruption process through an interruption controller, which switches the microcontroller into the privilege mode.
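The mode split and the interrupt-based switch described in the two preceding paragraphs, modelled in C as an added illustration. This is not code from the patent application or from any real microcontroller; the register, region and handler names are hypothetical, and the memory layout is constructed for the example. The model shows the three properties the text relies on: the MPU blocks a user-mode access to a privilege-mode region, a user-mode write to the authority configuration register is refused, and the only path into privilege mode is the predetermined interrupt, after which the previous mode is restored.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Operational modes as in the text: user mode for low safety software,
 * privilege mode for high safety software. A larger value means more authority. */
typedef enum { MODE_USER = 0, MODE_PRIV = 1 } op_mode_t;

/* One MPU region: an address range and the lowest mode allowed to access it. */
typedef struct { uint32_t start, end; op_mode_t min_mode; } mpu_region_t;

#define MAX_REGIONS 4

/* Hypothetical microcontroller state; not a real device's register map. */
typedef struct {
    op_mode_t    authority_reg;        /* authority configuration register: current mode */
    mpu_region_t regions[MAX_REGIONS]; /* MPU region table                                */
    int          nregions;
    int          violations;           /* accesses or writes the hardware refused         */
} mcu_t;

void mcu_init(mcu_t *m) { memset(m, 0, sizeof *m); m->authority_reg = MODE_USER; }

bool mcu_add_region(mcu_t *m, uint32_t start, uint32_t end, op_mode_t min_mode) {
    if (m->nregions >= MAX_REGIONS || start > end) return false;
    m->regions[m->nregions++] = (mpu_region_t){ start, end, min_mode };
    return true;
}

/* MPU check on the address bus: the access passes only if a region covers the
 * address and the current mode is at least that region's minimum mode. */
bool mcu_access(mcu_t *m, uint32_t addr) {
    for (int i = 0; i < m->nregions; i++) {
        const mpu_region_t *r = &m->regions[i];
        if (addr >= r->start && addr <= r->end) {
            if (m->authority_reg >= r->min_mode) return true;
            m->violations++;
            return false;
        }
    }
    m->violations++;                   /* unmapped address: treated as a violation */
    return false;
}

/* A direct rewrite of the authority register is refused in user mode, so a
 * malfunctioning low safety program cannot promote itself. */
bool mcu_write_authority(mcu_t *m, op_mode_t new_mode) {
    if (m->authority_reg != MODE_PRIV) { m->violations++; return false; }
    m->authority_reg = new_mode;
    return true;
}

/* The sanctioned way up: a predetermined interrupt. Entry raises the mode, the
 * handler runs in privilege mode, and return restores the previous mode. */
typedef void (*isr_t)(mcu_t *, void *);
void mcu_raise_interrupt(mcu_t *m, isr_t handler, void *ctx) {
    op_mode_t saved = m->authority_reg;
    m->authority_reg = MODE_PRIV;
    handler(m, ctx);
    m->authority_reg = saved;
}

/* Constructed layout: 0x0000-0x0FFF user RAM, 0x1000-0x1FFF high safety RAM. */
#define USER_RAM 0x0100u
#define SAFE_RAM 0x1100u

/* Handler belonging to the high safety software; records whether SAFE_RAM was reachable. */
static void safety_isr(mcu_t *m, void *ctx) { *(bool *)ctx = mcu_access(m, SAFE_RAM); }

/* Walk the scenario and return a bitmask of observed outcomes:
 * bit0 user mode reaches user RAM, bit1 user mode is blocked from safe RAM,
 * bit2 self-promotion is refused, bit3 the handler reaches safe RAM,
 * bit4 the mode is back to user after the interrupt returns. */
unsigned run_scenario(void) {
    mcu_t m; mcu_init(&m);
    mcu_add_region(&m, 0x0000, 0x0FFF, MODE_USER);
    mcu_add_region(&m, 0x1000, 0x1FFF, MODE_PRIV);
    unsigned r = 0;
    if (mcu_access(&m, USER_RAM))                                             r |= 1u << 0;
    if (!mcu_access(&m, SAFE_RAM))                                            r |= 1u << 1;
    if (!mcu_write_authority(&m, MODE_PRIV) && m.authority_reg == MODE_USER)  r |= 1u << 2;
    bool reached = false;
    mcu_raise_interrupt(&m, safety_isr, &reached);
    if (reached)                                                              r |= 1u << 3;
    if (m.authority_reg == MODE_USER)                                         r |= 1u << 4;
    return r;
}

int main(void) {
    unsigned r = run_scenario();
    printf("scenario outcomes: 0x%02x (all five properties hold when 0x1f)\n", r);
    return r == 0x1fu ? 0 : 1;
}
```

The point of the model is the asymmetry: user-mode code can lower nothing and raise nothing by itself, and every elevation is routed through a fixed entry point that the hardware, not the low safety software, selects.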
Patent Literature 1 listed below describes a configuration example in which a safety-related application and a safety-unrelated application are implemented on the same hardware, and each application is executed while switching between the user mode and the privilege mode.