JP2018063527A - Electronic control apparatus - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an electronic control apparatus capable of continuing ordinary control without shifting to fail-safe processing even if an abnormality occurs in a memory.SOLUTION: An SDA 17 holds data with a higher access speed and higher importance than other areas, while an SDA specifying register 16 stores a specific address for accessing the SDA 17 by relative address designation. A CPU 7 determines whether or not an abnormality has occurred in the SDA 17. When the CPU determines that an abnormality has occurred, it rewrites the SDA specific address of the SDA specifying register 16 (S1-S3, S10).SELECTED DRAWING: Figure 2

Description

  The present invention relates to an electronic control device.

  Generally, the system includes means for recovering from this abnormal state in order to continue control even if an abnormality is detected. As this type of system, for example, there is a system that employs a mirror check technique in a RAM (for example, see Patent Document 1). According to the technique described in Patent Document 1, when storing data in a RAM, the same data is stored at a plurality of addresses, and the stored plurality of data is read again and compared to check whether they have the same contents. ing. Even if the data in the RAM is partially broken, it can be prevented from suddenly becoming uncontrollable by performing such processing.

  However, with this type of prior art, when the hardware malfunction occurs in the RAM, the data cannot be recovered, the system stops normal control, and shifts to fail-safe processing as necessary. The problem of end up.

JP 2006-293649 A

  An object of the present invention is to provide an electronic control device that can continue normal control without shifting to fail-safe processing even if an abnormality occurs in a memory.

  According to the first aspect of the present invention, the small data area (hereinafter referred to as SDA) holds data having a higher access speed and higher importance than other areas, but the specific address storage unit stores the data in this SDA. A specific address for access by relative addressing is stored. The determination unit determines whether or not an abnormality has occurred in the SDA. When it is determined that an abnormality has occurred, the rewriting unit rewrites the SDA specific address in the specific address storage unit. Thereby, even if an abnormality occurs in the SDA, the SDA can be dynamically moved by the rewriting unit rewriting the SDA specific address. As a result, highly important data can be moved to the SDA in another memory space, and normal control can be continued without the system shifting to fail-safe processing even if an abnormality occurs in the memory.

Electrical configuration diagram of electronic control unit in one embodiment Flow chart schematically showing the process Explanatory diagram schematically showing the relationship between the memory space and the specific address (part 1) Explanatory drawing which shows roughly the relationship between memory space and a specific address (the 2) Explanatory diagram schematically showing the relationship between the memory space and the specific address (Part 3) Explanatory diagram schematically showing the relationship between the memory space and the specific address (Part 4) Explanatory diagram schematically showing the relationship between the memory space and the specific address (Part 5) Explanatory diagram schematically showing the relationship between the memory space and the specific address (No. 6) Explanatory diagram schematically showing the relationship between the memory space and the specific address (Part 7) Explanatory diagram schematically showing the relationship between the memory space and the specific address (No. 8)

Hereinafter, an embodiment of an electronic control device will be described with reference to the drawings. FIG. 1 schematically shows an electrical configuration of an electronic control unit (ECU) 1 by a block diagram. As shown in FIG. 1, the electronic control device 1 is mainly composed of a microcomputer (hereinafter abbreviated as “microcomputer”) 2, and includes a sensor signal input unit 3 and an actuator driving unit 4. Various sensors 5 are connected to the sensor signal input unit 3 outside the electronic control unit 1, and the sensor signal input unit 3 inputs sensor signals output from the sensor 5. The sensor 5 is a sensor for detecting various vehicle-related information such as an accelerator sensor, a knock sensor, and an oxygen (O ₂ ) sensor. The actuator driving unit 4 drives an actuator 6 connected to the outside of the electronic control device 1. The actuator 6 is a vehicle load such as an electronic throttle, for example, and examples thereof include various vehicle-related actuators such as a motor for opening and closing a throttle valve.

  The microcomputer 2 includes a CPU 7, a memory 8, an input interface 9, and an output interface 10. The memory 8 includes a nonvolatile memory 13 such as a ROM 11, a RAM 12, and a flash memory. The ROM 11 stores an operation program, and the CPU 7 executes the operation program stored in the ROM 11 to determine a determination unit, a rewrite unit, a normal control continuation unit, an abnormal area storage control unit, a count unit, a fail safe. A function as a command unit is realized. These operation programs may be stored in a non-transitional tangible recording medium. The CPU 7 includes a register 14 that can read and write data at high speed.

  The RAM 12 stores various data by transferring data from the nonvolatile memory 13 after an ignition switch (not shown) is turned on and a battery voltage for operation is energized. The memory space of the RAM 12 is divided into a small data area (hereinafter referred to as SDA) 17, a non-SDA 18, and a free area 19.

  The non-SDA 18 is an area such as a work area in which various constants or variables are stored while the CPU 7 executes a program stored in the ROM 11 and performs data processing. Normally, when the CPU 7 accesses the non-SDA 18 by executing a program, it is accessed by specifying an absolute address. In general, the SDA 17 is reserved for the memory area of a predetermined unit area such as 1k, 4k, 8k, 16k, 32k, and 64k. The data stored in the SDA 17 is, for example, data set with higher importance compared to the data stored in the non-SDA 18, for example, learning values of various sensors such as an accelerator sensor, a knock sensor and an oxygen concentration sensor, an electronic throttle Actuator learning values such as motor control values. The SDA 17 stores mirror data for each of the highly important data in the mirror area. For simplification of explanation, the mirror area for storing the mirror data is not shown.

  The CPU 7 includes a register 14 for holding various data. The register 14 includes an SDA specific register 16 as a specific address storage unit in addition to the general-purpose register 15. The SDA specification register 16 is provided for designating a specific address (for example, a central address indicating the center of the SDA area) inside the SDA 17 of the RAM 12.

  When the CPU 7 accesses the internal memory area of the SDA 17, the specific address stored in the SDA specific register 16 is read, and the internal address of the SDA 17 is designated relative to this specific address. When the CPU 7 accesses an address in the SDA 17 in accordance with this process, the access is performed by relative address designation, and therefore the number of steps can be reduced compared to the above-described absolute address designation process. Also, it is a memory area that can increase the access speed.

  Further, the CPU 7 inputs the sensor signal from the sensor signal input unit 3 through the input interface 9 and stores the sensor signal in the general-purpose register 15 or the like. The CPU 7 calculates the data stored in the general-purpose register 15 or the like by the arithmetic unit 7a according to the program. , Output to the actuator drive unit 4 through the output interface 10, and the actuator drive unit 4 drives the actuator 6.

The significance and operational effects of the configuration described above will be described.
For example, when the ECU 1 acquires a sensor signal from the vehicle sensor 5 and normally controls the actuator 6, it is assumed that various emergency situations occur. When an emergency occurs, the ECU 1 performs fail-safe processing so that the operation of the vehicle can be stopped safely, for example. When the ECU 1 shifts to the fail-safe process, the ECU 1 stops the driving process of the actuator 6 based on the sensor signal of the sensor 5, for example.

  At this time, for example, when the driver depresses the accelerator, even if the accelerator sensor or the like serving as the sensor 5 detects a change in the sensor information, the throttle valve is stopped by stopping the driving of the motor of the electronic throttle serving as the actuator 6, for example. In this case, the repair may require repair or inspection by a dealer or the like.

  On the other hand, when the RAM 12 causes a hardware abnormality, it is rare that the entire memory space of the RAM 12 is damaged, and it is almost impossible to read / write normal data by damaging a part of the storage area. is there. Therefore, even if an abnormality in the RAM 12 occurs in a part of the storage area and data cannot be read / written normally, if this data can be recovered, the data is rewritten to another storage area such as the free area 19. Thus, normal operation can be continued without shifting to fail-safe processing.

  In particular, since the data held in the SDA 17 is data set with higher importance compared to the data held in the non-SDA 18, for example, the normal control can be continued while maintaining the accuracy of the data. It is desirable. Assuming such a situation, it is desirable for the CPU 7 to perform processing as shown in FIG.

  FIG. 2 schematically shows processing performed at the time of abnormality. First, as shown in FIG. 2, the CPU 7 refers to the SDA specific register in S <b> 1 to S <b> 3 and determines whether there is an abnormality in the area of the SDA 17 including the SDA specific address.

  As the abnormality detection method in steps S1 to S3, a method such as a read / write (R / W) check can be used. For example, when the CPU 7 determines whether or not there is an abnormality by the read / write check, the value of the area RAM_A assigned as SDA 17 in S1 is transferred to the general-purpose register 15, and a predetermined value is written in the area RAM_A in S2 and the written value It is determined whether or not the result of reading out matches a predetermined value. As a result of performing the read / write check, the CPU 7 can determine whether or not the area RAM_A is normal in S3. Further, although not shown in S1 to S3 in FIG. 2, a mirror check may be performed using mirror data provided in advance in the mirror area of the RAM 12 to determine whether there is an abnormality.

  When the CPU 7 determines that there is no abnormality as a result of performing the processes of S1 to S3, the CPU 7 continues the normal control in S4. Further, when the CPU 7 determines that there is an abnormality as a result of performing the processing of S1 to S3, it determines NO in S3, and in S5, the internal address of the SDA 17 that has caused an abnormality in the read / write check of the RAM 12 is, for example, a non-SDA 18 Store in the work area. The CPU 7 may store the internal address of the SDA 17 in which this abnormality has occurred in the nonvolatile memory 13. Further, the CPU 7 counts by incrementing the number of abnormalities of the SDA 17 in S6. The value to be counted is not limited to the increment value 1. Then, the CPU 7 determines whether or not the number of times that the abnormality has occurred in S7 is a predetermined number or less. The predetermined number is a number determined according to the storage capacity of the empty area 19 of the RAM 12.

  If the CPU 7 determines that the number of abnormalities exceeds the predetermined number in S7, the CPU 7 determines NO in S7 and issues an instruction to execute fail-safe processing in S8. When the CPU 7 issues an instruction to execute fail-safe processing, the ECU 1 stops driving, for example, the actuator 6 by the actuator driving unit 4. In this case, the ECU 1 cannot control the drive of the actuator 6 according to the driver's request (for example, the degree of depression of the accelerator) acquired through the sensor 5. For example, when the actuator 6 is an electronic throttle motor, the actuator driving unit 4 drives the motor so that the opening degree of the valve is a predetermined opening degree. When the process shifts to fail-safe processing, the CPU 7 prompts early replacement and repair by, for example, notifying an external user of this fact.

  On the other hand, if the CPU 7 determines that the number of abnormalities is less than or equal to the predetermined number in S7, there is a possibility that the SDA 17 can be secured in another current SDA 17 and / or an area including the empty area 19. Then, the following steps S9 to S15 are executed. The CPU 7 determines whether or not a new SDA 17 can be secured in S9. At this time, the new search area of the SDA 17 indicates an area including the empty area 19 of the unused RAM 12 and the normal determination area of the SDA 17 in use.

  If the CPU 7 determines that the SDA 17 can be newly secured in S9, the designated address range of the SDA 17 is dynamically moved by rewriting the SDA specific register in S10. In S11, the CPU 7 acquires and updates the mirror data of the data in the area RAM_A temporarily stored in the general-purpose register 15, and transfers the data of the SDA 17 in use and including this data to the newly secured SDA 17. . After the CPU 7 stores the data of the SDA 17 being used in the newly secured SDA 17 in S11, the CPU 7 proceeds to S4 and continues the normal control. As a result, even when an abnormality in the RAM 12 that cannot be restored to normal by the conventional technology is detected, the SDA 17 can be dynamically relocated, and normal control can be continued without shifting to fail-safe processing. .

  If the CPU 7 determines that a new SDA 17 cannot be secured in S9, the CPU 7 reconfirms the abnormal state of the area of the RAM 12 that was previously determined to be abnormal in S12. This process is performed in consideration of the possibility that an error has occurred in the previous abnormality determination process (S1 to S3) due to some influence, and the CPU 7 reconfirms whether the SDA 17 can be secured in the RAM 12.

  When the CPU 7 determines that there is a normal location in the area that has been determined to be abnormal in S13, the CPU 7 updates the abnormal area of the RAM 12 in S14. When the CPU 7 confirms the existence of the necessary area of the SDA 17 in the area of the RAM 12 in S15, the CPU 7 proceeds to S10 and rewrites the SDA specific address. Then, the CPU 7 acquires and updates the mirror data of the data temporarily stored in the general-purpose register 15 in S11, and transfers the data of the SDA 17 in use including this data to the newly secured SDA 17. The CPU 7 continues normal control in S4. If the CPU 7 determines in S15 that the SDA required area cannot be secured, the CPU 7 issues an instruction to execute fail-safe processing in S8.

Specific examples will be described below with reference to FIGS.
<Specific Example 1: FIGS. 3 to 5>
For example, as shown in FIG. 3, first, the CPU 7 sets the SDA specific address to 0x4008000 and performs a read / write (R / W) check in S1 to S3 in FIG. 2, and as a result, determines that the area RAM_A is normal. However, it is determined that there is an abnormality in the area RAM_B.

  At this time, as shown in FIG. 4, the CPU 7 saves and updates the mirror data of the value stored in the area RAM_B in the general-purpose register 15. Then, as shown in FIG. 5, the CPU 7 rewrites the SDA specific address to 0x40008400, for example, and includes the updated data of the area RAM_B saved in the general-purpose register 15 and the inside of the old SDA 17a including the area RAM_A. Write all data to the new SDA 17b. Thus, by dynamically moving the SDA 17, the data in the areas RAM_A, RAM_B... Can be rearranged, and normal control can be continued.

<Specific example 2: FIG. 6>
For example, after the first specific example, as shown in FIG. 6, when an abnormality is found in the area RAM_C even in the second new SDA, the CPU 7 saves the mirror data of the data in the area RAM_C in the general-purpose register 15. And update. Then, for example, the CPU 7 rewrites the SDA specific address to 0x40008800, includes the updated data in the area RAM_C, and writes all the data in the first SDA 17a including the areas RAM_A, RAM_B,... Into the new third SDA 17c. . Accordingly, the areas RAM_A, RAM_B, RAM_C,... Can be rearranged by dynamically moving the internal data of the second SDA 17b, and normal control can be continued.

<Specific Example 3: FIGS. 7 to 8>
For example, after specific example 2, as shown in FIG. 7, when an abnormality is found in the area RAM_D even in the new third SDA 17c, the CPU 7 saves the mirror data of the data in this area RAM_D in the general-purpose register 15. And update. Then, the CPU 7 confirms whether a new SDA 17 can be secured in the free area so as not to include the address of the area where no abnormality has occurred. The CPU 7 sets, as a new fourth SDA 17d, an area including an area determined to be normal in the SDA 17 (for example, 17c) when the address cannot be secured only by the continuous empty area 19 or the like. To do.

  In this specific example 3, the CPU 7 determines that the SDA 17d cannot be secured only by the free area 19 as the specific process of step S9 in FIG. 2, and determines a normal determination area, that is, an area including a part of the current SDA 17c. Although an example in which the new SDA 17d is set is shown, the area where the new SDA 17 can be secured may be an area that is normally determined. For example, in FIG. 8, the normal determination in the SDAs 17a, 17b, and 17c. An area may be used. That is, among the SDA 17, a new SDA 17 area may be secured by combining the normal determination area that has been normally determined in the past or the past and the empty area 19.

  Then, the CPU 7 writes all the data in the third SDA 17c including the areas RAM_A, RAM_B, RAM_C,... Including the updated data of the area RAM_D updated by the general-purpose register 15 to the new fourth SDA 17d. At this time, for example, if the SDA 17d can be secured in an address space having a larger address value than the SDA 17c, the CPU 7 increases the internal address of the fourth SDA 17d from the maximum address to the minimum address in the third SDA 17c. All the internal data in the third SDA 17c can be transferred to the fourth SDA 17d by sequentially transferring from the largest address to the smallest address. If the SDA 17d can be secured in an address space having a smaller address value compared to the SDA 17c, the CPU 7 performs the maximum from the internal address of the fourth SDA 17d to the maximum address from the internal address of the third SDA 17c to the maximum address. By sequentially transferring toward the address, all the internal data of the third SDA 17c can be transferred to the fourth SDA 17d. Thereby, the data in the areas RAM_A, RAM_B, RAM_C, RAM_D... Can be rearranged by dynamically moving the internal data of the SDA 17c, and normal control can be continued. In this case, not only the empty area 19 but also the area including the normal determination areas of the SDAs 17a, 17b, and 17c used in the present or the past can be reused.

<Specific Example 4: FIGS. 9 to 10>
For example, after the third specific example, as shown in FIG. 9, when an abnormality is found in the area RAM_E even in the new fourth SDA 17d, the CPU 7 uses the general register 15 Save to and update. Then, the CPU 7 confirms whether or not a new fifth SDA 17e can be secured so as not to include an address where no abnormality has occurred, but all the free areas 19 and the areas including the areas determined to be normal among the SDA 17 are included. In some cases, it may be determined that a new SDA 17 cannot be secured (NO in S9 of FIG. 2).

  In such a case, the CPU 7 reconfirms the abnormal state of the area that has been determined to be abnormal in S12 in FIG. At this time, the CPU 7 refers to the address value of the area determined to be abnormal stored in the work area or the nonvolatile memory 13 and determines whether or not the area indicated by the address can be normally stored. It is desirable that the determination method of normality is performed by a read / write check.

  As shown in FIG. 9, when it is determined that the area RAM_C is abnormal before, but when it is determined that the area RAM_C is normal as a result of checking again, the area RAM_C is determined to be a normal location, and in S14 of FIG. Is updated, and it is determined whether or not a new SDA 17e can be secured in S15 of FIG.

  When the CPU 7 confirms that a new SDA 17e can be secured, the SDA specific address is rewritten to 0x40008700 in S10 of FIG. 2, thereby renewing the area including the area RAM_C as shown in FIG. It can be set as the fifth SDA 17e.

<Specific Example 5>
In S7 of FIG. 2, when the predetermined number of abnormality thresholds to be determined is set to 1 time, the CPU 7 once sets the number of abnormalities of the SDA 17 at the timing when the area RAM_B is determined to be abnormal as shown in FIG. Then, as shown in FIG. 6, when an abnormality occurs in the area RAM_C for the second time, the number of abnormalities in the SDA 17 is counted as two. In this case, even if the vacant area 19 that can secure the new SDA 17c remains in the RAM 12, the CPU 7 proceeds to S8 in FIG. For simplicity of explanation, the predetermined number of times has been described as one. However, for example, when the memory 8 has deteriorated over time and the abnormality frequency increases in a short time, the number of abnormality increases greatly in the short time. It is assumed that In such a case, it is preferable to control so as to shift to the fail-safe process before leading to a serious failure. In addition, it is possible to prompt early replacement and repair by notifying an external user of the transition to fail-safe processing.

Various specific examples other than such specific examples 1 to 5 can be considered, but the description thereof will be omitted.
The features of the present embodiment are conceptually summarized.
The CPU 7 determines whether or not an abnormality has occurred in the area of the SDA 17, and when it is determined that an abnormality has occurred, the CPU 7 rewrites the SDA specific address of the SDA specific register 16. Thereby, even if an abnormality occurs in the SDA 17, the CPU 7 can dynamically move the SDA 17 by rewriting the SDA specific address. As a result, highly important data can be moved to another memory space, and even if an abnormality occurs in a certain area of the RAM 12, normal control can be continued without shifting to fail-safe processing.

  The CPU 7 continues the normal control process that is processed at the normal time without executing the fail-safe process that is processed at the time of abnormality on condition that the SDA specific address is rewritten. For this reason, normal control can be continued even if some abnormality occurs in the area of the RAM 12.

  When the CPU 7 determines that an abnormality has occurred in the SDAs 17 a to 17 d, the CPU 7 stores and controls the area where the abnormality has occurred in the work memory inside the non-SDA 18 of the RAM 12 or the nonvolatile memory 13. For this reason, it becomes possible to secure a new SDA 17 while avoiding a region where an abnormality has occurred.

  When it is determined that an abnormality has occurred in the SDA 17, 17a to 17d, the CPU 7 counts the number of times of abnormality, and instructs to move to fail-safe processing on condition that the number of times of abnormality exceeds a predetermined number. When the abnormality frequency of the memory 8 increases due to aging or the like, the process shifts to fail-safe processing. For this reason, it can be communicated to an external user that it has shifted to the fail-safe process, and early replacement and repair can be promoted before a serious accident occurs.

  For example, when it is determined that an abnormality has occurred in the SDA 17a, the CPU 7 rewrites the SDA specific register into the free area 19 on the condition that a necessary area for the new SDA 17b can be continuously secured in the free area 19. A new SDA is secured. For this reason, as long as the empty area 19 exists, the SDA 17 can be moved dynamically any number of times.

  For example, when it is determined that an abnormality has occurred in the SDA 17c, the CPU 7 continuously secures an area for a necessary area of the new SDA 17d in an area including the empty area 19 and the normal determination area of the current or past SDA 17b, 17c. On condition that it is possible, a new SDA 17d is secured in the area by rewriting the SDA specific address. As a result, the area including the normal determination area of the SDA 17c that is currently used can be reused instead of using only the empty area 19.

  The CPU 7 makes an abnormality determination in the past on condition that the necessary area of the new SDA 17e cannot be continuously secured in the empty area 19 and / or the area including the normal determination area of the current or past SDA. Re-check the abnormal state of the area RAM_C, and rewrite the SDA specific address to a new area on the condition that the re-confirmed area becomes normal and the necessary area for the new SDA 17e can be secured. A secure SDA 17e is secured. For this reason, as a result of reconfirmation, if the necessary area of the new SDA 17e including the area determined to be normal can be continuously secured, the new SDA 17e can be secured by rewriting the SDA specific address. . For this reason, the possibility that normal control can be continued can be increased.

  When the CPU 7 cannot secure an area for a new SDA (for example, 17e), an instruction to execute fail-safe processing is issued. For this reason, the abnormality of the memory 8 can be reliably detected and the fail-safe process can be performed.

(Other embodiments)
The present invention is not limited to the above-described embodiments, can be implemented with various modifications, and can be applied to various embodiments without departing from the gist thereof. For example, the following modifications or expansions are possible.

  For example, the techniques disclosed in Patent Document 1 can be combined and executed. According to the technique described in Patent Document 1, for example, an area RAM_W as a control data storage area, an area RAM_X as a control mirror data storage area, an area RAM_Y as a backup data storage area, and a backup mirror data storage area When there is a relationship that can be uniquely derived from each other in the area RAM_Z (for example, mirror data having the same value, the same data, or inverted data obtained by inverting bit data), The area RAM_W and RAM_X are read / write-checked, and the normal control is continued on the condition that the mirror check of the area RAM_W and RAM_X is performed and the mirror check is determined to be normal if it is determined that there is no abnormality. Even if there is an error in RAM_W, RAM_X, if there is no error in area RAM_Y, RAM_Z, perform a mirror check of area RAM_Y, RAM_Z, Error normal, if it area RAM_Y, area in RAM_Z RAM_W, to recover the RAM_X.

  That is, in addition to the mirror data shown in the previous embodiment, if the same data or inverted data obtained by inverting bit data is stored in other areas such as SDA 17 or non-SDA 18 as well, these data are stored. Can be used in place of the data saved in the general-purpose register 15, so that accurate data can be updated to a new SDA (for example, 17b).

  The CPU 7 shows a mode in which functions as a determination unit, a rewrite unit, a normal control continuation unit, an abnormal area storage control unit, a count unit, a fail safe command unit, and a reconfirmation unit are shown. It may be divided and cooperated with the apparatus.

  In the above-described embodiment, when an abnormality occurs in a certain area (for example, RAM_A) of the SDA 17, mirror data is saved and updated in the general-purpose register 15, but the value of the area (for example, RAM_B) in which the abnormality is confirmed. May be saved in the general-purpose register 15, and the saved value may be used as it is, or may be updated by error correction processing using an error correction technique such as ECC.

  Each processing shown in the flowchart of FIG. 2 may be performed by changing the processing order if practical, or the processing may be deleted or changed as much as possible. For example, after the CPU 7 secures the SDA 17c, when it is determined that an abnormality has occurred in the area RAM_D as shown in FIG. 7, it is determined that a new SDA 17d cannot be secured on condition that the free area 19 does not remain. Thus, the fail safe process may be commanded to be executed in S8.

  Further, for example, when it is determined that an abnormality has occurred in the area RAM_E as shown in FIG. 9 after the CPU 7 secures the SDA 17d, the reconfirmation process of normal parts shown in S12 to S15 in FIG. The fail safe process may be instructed to execute at

  You may comprise combining each element of embodiment mentioned above. Further, the reference numerals in parentheses described in the claims indicate the correspondence with the specific means described in the embodiment described above as one aspect of the present invention, and the technical scope of the present invention is It is not limited. An aspect in which a part of the above-described embodiment is omitted as long as the problem can be solved can be regarded as the embodiment. In addition, any conceivable aspect can be regarded as an embodiment as long as it does not depart from the essence of the invention specified by the words described in the claims.

  Although the present disclosure has been described based on the above-described embodiments, it is understood that the present disclosure is not limited to the embodiments and structures. The present disclosure includes various modifications and modifications within the equivalent range. In addition, various combinations and forms, as well as other combinations and forms including one element, more or less, are within the scope and spirit of the present disclosure.

  In the drawing, 1 is an electronic control unit, 7 is a CPU (determination unit, rewrite unit, normal control continuation unit, abnormal area storage control unit, count unit, failsafe command unit, reconfirmation unit), and 16 is an SDA specific register (specification). Address storage unit), 12 indicates a RAM, 17, 17a to 17e indicate SDA, and 19 indicates an empty area.

Claims (8)

A specific address storage unit (16) for storing a specific address for accessing a small data area (hereinafter abbreviated as SDA) having a higher access speed and higher importance than other areas by relative address designation;
A determination unit (S1 to S3) for determining whether or not an abnormality has occurred in the SDA;
A rewriting unit (S10) that secures a new SDA by rewriting the SDA specific address of the specific address storage unit when it is determined by the determination unit that an abnormality has occurred in the SDA;
An electronic control device comprising: The electronic control device according to claim 1,
Normal control continuation unit (S4) that continues normal control processing at normal time without commanding execution of fail-safe processing that is processed at the time of abnormality on condition that the SDA specific address is rewritten by the rewriting unit and a new SDA can be secured An electronic control device further comprising: The electronic control device according to claim 1 or 2,
When it is determined by the determination unit that an abnormality has occurred in the SDA (17, 17a to 17d),
An electronic control apparatus further comprising an abnormal area storage control unit (S5) for storing and controlling the area where the abnormality has occurred. The electronic control device according to any one of claims 1 to 3,
A count unit (S6) that counts the number of abnormalities when the determination unit determines that an abnormality has occurred in the SDA (17, 17a to 17d);
A fail-safe command section (S8) for commanding execution of fail-safe processing for processing at the time of abnormality on condition that the number of times of abnormality exceeds a predetermined number of times
An electronic control device comprising: The electronic control device according to any one of claims 1 to 4,
When it is determined by the determination unit that an abnormality has occurred in the SDA (17a),
The rewriting unit rewrites the SDA specific address (S10) by rewriting the SDA specific address on condition that the space for the necessary area of the new SDA (17b) can be continuously secured in the free area (19). Electronic control device that secures new SDA. The electronic control device according to any one of claims 1 to 4,
When it is determined by the determination unit that an abnormality has occurred in the SDA (17c),
The rewriting unit continuously allocates a necessary area of a new SDA (17d) to an area including a free area (19) and / or a normal determination area of a current or past SDA (17b, 17c). An electronic control unit that secures a new SDA (17d) in the area by rewriting the SDA specific address on the condition that it can be secured. The electronic control device according to any one of claims 1 to 4,
When it is determined by the determination unit that an abnormality has occurred in the SDA (17d),
In the past, an abnormal determination is made on the condition that the necessary area of the new SDA (17e) cannot be continuously secured in the empty area and / or the area including the normal determination area of the current or past SDA. A reconfirmation unit (S12) for reconfirming the abnormal state of the area (RAM_C),
The rewriting unit rewrites the SDA specific address on condition that the area reconfirmed by the reconfirming part becomes normal and it is possible to continuously secure an area for the necessary area of the new SDA. An electronic control unit that secures the new SDA in the area. In the electronic control unit according to any one of claims 5 to 7,
A fail-safe command unit (S8) for commanding execution of fail-safe processing to be performed when an abnormality occurs;
The fail-safe command unit is an electronic control device that commands execution of fail-safe processing that is performed when an abnormality occurs when an area corresponding to the necessary area of the new SDA cannot be secured.

Images