CN105760253A - Software implementation method for electronic throttle valve chip security monitoring - Google Patents

Software implementation method for electronic throttle valve chip security monitoring

Info

Publication number: CN105760253A
Application number: CN201610024392.4A
Authority: CN (China)
Prior art keywords: ram, monitoring, chip, electronic throttle, value
Legal status: Granted (status, assignees and dates are as listed by Google Patents and are not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN105760253B (en)
Inventor: 张建民
Current assignee: Chery Automobile Co Ltd
Original assignee: SAIC Chery Automobile Co Ltd
Application filed by SAIC Chery Automobile Co Ltd
Priority to CN201610024392.4A
Publication of CN105760253A
Application granted
Publication of CN105760253B
Legal status: Active; anticipated expiration

Classifications

    • G06F11/1417 Boot up procedures (under G06F11/00 Error detection; error correction; monitoring; G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance; G06F11/14 Error detection or correction of the data by redundancy in operation; G06F11/1402 Saving, restoring, recovering or retrying; G06F11/1415 Saving, restoring, recovering or retrying at system level)
    • F02D41/22 Safety or indicating devices for abnormal conditions (under F02D41/00 Electrical control of supply of combustible mixture or its constituents)
    • G06F11/2247 Verification or detection of system hardware configuration (under G06F11/22 Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing)
    • G06F11/2273 Test methods (under G06F11/22)
    • G06F11/2284 Detection or location of defective computer hardware by power-on test, e.g. power-on self test [POST] (under G06F11/22)
    • Y02T10/40 Engine management systems (under Y02T10/10 Internal combustion engine [ICE] based vehicles; Y02T Climate change mitigation technologies related to transportation)

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Chemical & Material Sciences (AREA)
  • Combustion & Propulsion (AREA)
  • Mechanical Engineering (AREA)
  • Combined Controls Of Internal Combustion Engines (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention relates to a software implementation method for safety monitoring of an electronic throttle valve chip (rendered "security monitoring" in the machine translation). The method comprises the following steps: a shutoff path test at power-down, a test of the whole RAM at power-on, a periodic RAM test during normal operation, a test of the eTPU code region (SCM) at power-on, a test of the eTPU data region (SDM) at power-on, periodic eTPU time monitoring, question-and-answer communication monitoring, a periodic instruction set test, a periodic program flow check and a periodic AD conversion check. The method fully meets the requirements of electronic throttle safety monitoring; thanks to the mutual monitoring of a master chip and a monitoring chip, the safety of the automotive engine controller is improved, and the system is highly portable.

Description

A software implementation method for safety monitoring of an electronic throttle chip
Technical field
The invention belongs to the field of automotive electronic control and specifically relates to a software implementation method for safety monitoring of an electronic throttle chip. (The machine translation says "security" throughout; the subject is functional safety of the engine controller, i.e. detecting faults, not resisting an attacker.)
Background technology
In an electronic throttle system the throttle plate is driven by a motor over its whole opening range, and the engine can regulate the throttle position independently of the accelerator pedal position. To prevent a runaway throttle from causing danger when a signal error, software error or hardware error occurs, safety regulations require the electronic throttle system to have an independent monitoring unit that checks the operation of the main control chip; when the monitoring system finds that a monitored item has failed, it can shut off fuel injection and the ETC intake module and record the fault, so that the electronic throttle system remains safe and reliable. Redundancy in hardware, software monitoring of the components and of the control unit itself, and real-time limiting of the actual torque and engine speed together ensure the safety of the electronic throttle system.
The consequences of a runaway electronic throttle are very serious, so a sufficiently reliable safety mechanism must monitor the system in real time.
Summary of the invention
Therefore, to meet this need while keeping cost and algorithmic complexity in mind, an 8-bit monitoring chip and the master chip monitor each other so that the electronic throttle system operates safely.
The object of the invention is to provide a software implementation method for safety monitoring of an electronic throttle chip. Relying on the mutual independence and mutual monitoring of the master chip and the monitoring chip, a software algorithm combined with the existing electrical components checks whether the shutoff function of the monitoring chip, the memory regions, instruction computation, program flow, the AD components and the eTPU clock are all operating normally.
The concrete technical scheme is as follows:
A software implementation method for safety monitoring of an electronic throttle chip comprises the following steps:
One, shutoff path test at power-down
The shutoff path test is run once per driving cycle, during the power-down sequence. It has two parts: the master chip's shutoff of fuel injection and of the electronic throttle, and the monitoring chip's shutoff of fuel injection and of the electronic throttle. The shutoff is held for 35 ms during the test; if the shutoff path test fails, the maximum number of resets is 7;
Two, test of the whole RAM at power-on
The power-on RAM test is performed exactly once per operating cycle:
1) in ascending address order, write 0x55 to the even-address RAM cells and 0xAA to the odd-address cells;
2) verify the RAM just written, then in ascending address order write 0xAA to the even addresses and 0x55 to the odd addresses;
3) verify the RAM just written, then write 0x00 to the RAM space in ascending address order;
4) verify the RAM contents, then write 0xFF to the RAM space in descending address order;
5) verify the RAM contents, then write 0x00 to the RAM space in descending address order;
Three, periodic RAM test during normal system operation
1) read out the data in the RAM region to be tested and store it in another region;
2) write 0x55 to the RAM, read it back and verify that it is 0x55;
3) write 0xAA to the RAM, read it back and verify that it is 0xAA;
4) copy the saved data back into the RAM region;
Four, test of the eTPU code region (SCM) at power-on
First compute the checksum of the binary code array produced by compiling the eTPU low-level code and store it in advance in a block of FLASH; then compute the checksum of the code copied into the SCM, and compare the two values to detect any corruption;
Five, test of the eTPU data region (SDM) at power-on
1) in ascending address order, write 0x55 to the even-address cells and 0xAA to the odd-address cells;
2) verify the cells just written, then in ascending address order write 0xAA to the even addresses and 0x55 to the odd addresses;
3) verify the cells just written, then write 0x00 to the whole region in ascending address order;
4) verify the contents, then write 0xFF to the whole region in descending address order;
5) verify the contents, then write 0x00 to the whole region in descending address order;
Six, periodic eTPU time monitoring
1) the monitoring cycle is 100 ms: for each 10 ms slot, take the TCR1 count that represents those 10 ms, convert it into the CPU's standard count, and subtract the CPU's own count for the same 10 ms; repeat until the 100 ms cycle ends, so that the two counts yield 10 deviation values T_diff1, T_diff2, T_diff3 ... T_diff10;
2) compare the 10 deviation values to find the maximum and the minimum deviation;
3) set the maximum deviation threshold to 50, the minimum deviation threshold to -50 and the 100 ms accumulated deviation threshold to 500;
4) if the maximum deviation computed in one monitoring cycle exceeds the maximum deviation threshold 50, or the minimum deviation is below the minimum deviation threshold -50, the eTPU time count is judged abnormal;
5) sum the absolute values of the 10 deviations of one monitoring cycle; if the sum exceeds the 100 ms accumulated deviation threshold 500, the eTPU time count is likewise judged abnormal;
Seven, question-and-answer communication monitoring
1) the monitoring chip and the master chip run on independent clock frequencies;
2) the master chip and the monitoring chip each have their own error counter;
3) the answer to a given question is built from two partial answers, one produced by the instruction set test and one by the program flow check; the two partial answers are added to form the final answer, which is sent to the monitoring chip;
4) questions and answers correspond one to one;
5) the error counter threshold is 7 on both the master chip and the monitoring chip; when the error count reaches the threshold, the electronic throttle drive signal and the fuel injection drive signal are shut off and the system is reset;
Eight, periodic instruction set test
1) first check whether the monitoring chip has sent a new question, i.e. check the corresponding state flag: if the flag is 1, the function module has received a new question, go to step 2); if the flag is 0, go to step 3);
2) clear the new-question state flag to 0, extract from the question the information about the instruction set test, and set the module counter of the instruction set test to 1, meaning that the first module is to be run; also clear to 0 the intermediate variable that accumulates the answers of the individual modules;
3) advance the module counter of the instruction set so that the modules run one after another; each time a module completes and computes its answer, that answer is added into the intermediate variable; check whether all modules of the instruction set test have run; if not, continue with the next module and compute its answer; if all modules have run, go to step 4);
4) assign the intermediate variable to the local answer variable of the instruction set test; this value forms one part of the final answer that the master chip sends to the monitoring chip.
Nine, periodic program flow check
The program flow monitoring cycle is 40 ms. A polynomial P(X) to be verified and a generator polynomial G(X) are defined; the initial value of P(X) is 0x99, and G(X) is an array of 16 elements set to {0x11, 0x21, 0x31, 0x41, 0xA2, 0xB2, 0xC2, 0xD2, 0x33, 0x43, 0x53, 0x63, 0x24, 0x34, 0x44, 0x54}; each value, and its position in the array, corresponds to one control-strategy module and to its position in the execution order;
Ten, periodic AD conversion check
1) the AD conversion check runs in a 10 ms cycle;
2) a separate ADC channel is used to sample the reference voltage; this channel is independent of the channels carrying the two redundant pedal sensor signals;
3) the reference voltage is a fixed, preset voltage, set to 5 V;
4) read the reference voltage sample and check whether it lies within the threshold range (4.5, 5.25);
5) if the sampled reference value is within the reasonable range, the device's AD acquisition is considered fault-free; otherwise the error counter is incremented by 1.
Preferably, the hardware requirements and implementation of the shutoff paths are:
1) master chip shutoff path to fuel injection: control the injector output through the output enable pin of the MC33810, or directly force the injector output to 0 in software;
2) master chip shutoff path to the electronic throttle: turn off the throttle drive through the DIS pin of the TLE8209, or stop outputting the throttle drive signal in software;
3) monitoring chip shutoff path to fuel injection: control the injector output through the output enable pin of the MC33810;
4) monitoring chip shutoff path to the electronic throttle: turn off the throttle drive through the ABE pin of the TLE8209.
In any of the above schemes, preferably the period of the periodic RAM test is 100 ms; in each call of the periodic RAM test the RAM is treated as many small cells of 64 bytes each and one cell is tested per call; interrupts must be disabled during the test so that no other task changes the contents of the RAM under test.
In any of the above schemes, preferably the eTPU and the CPU are independent compilation platforms, and at run time the eTPU code is stored in RAM as a compiled binary array.
In any of the above schemes, preferably all time in the eTPU is represented by the time count register (TCR1).
In any of the above schemes, preferably the question-and-answer communication runs periodically with a period of 80 ms.
In any of the above schemes, preferably the test period of the instruction set test is 40 ms, and every module belonging to the instruction set test is called once per period.
In any of the above schemes, preferably the error counter of step 5) of the periodic AD conversion check has a minimum value of 0 and a maximum threshold of 7.
Compared with the prior art, the invention has the following beneficial effects:
The control algorithm of the invention is integrated into the microcontroller in software, which is convenient to implement and adds no extra cost. The algorithm fully meets the requirements that electronic throttle safety monitoring must satisfy; the mutual monitoring mechanism of master chip and monitoring chip improves the safety of the automotive engine controller, and the system is highly portable.
Description of the drawings
Fig. 1 is a flow diagram of the shutoff path test at power-down in the software implementation method for electronic throttle chip safety monitoring of the invention;
Fig. 2 is a schematic diagram of the data exchange in the question-and-answer communication monitoring of the method;
Fig. 3 is a schematic diagram of the timing mechanism of the question-and-answer communication monitoring of the method;
Fig. 4 is a flow chart of the periodic instruction set test of the method;
Fig. 5 is a flow diagram of the periodic program flow check of the method;
Fig. 6 is a flow diagram of the periodic AD conversion check of the method.
Detailed description of the invention
The invention is described below with reference to the drawings; what follows is one preferred embodiment among many.
A software implementation method for safety monitoring of an electronic throttle chip comprises the following steps:
One, shutoff path test.
1. As shown in Fig. 1, the purpose of the shutoff path test is to make sure that, when an error occurs, the actuator outputs can be shut off correctly to guarantee safety.
1) The shutoff path test is run once per driving cycle. It takes place during the power-down sequence; if the shutoff path cannot be operated correctly, the engine is not allowed to start.
2) The test has two parts: the master chip's shutoff of fuel injection and of the electronic throttle, and the monitoring chip's shutoff of fuel injection and of the electronic throttle.
3) The shutoff is held for 35 ms during the test.
4) If the shutoff path test fails, the maximum number of resets is 7.
2. Hardware requirements and implementation of the shutoff paths
1) Master chip shutoff path to fuel injection: control the injector output through the output enable pin of the MC33810, or directly force the injector output to 0 in software.
2) Master chip shutoff path to the electronic throttle: turn off the throttle drive through the DIS pin of the TLE8209, or stop outputting the throttle drive signal in software.
3) Monitoring chip shutoff path to fuel injection: control the injector output through the output enable pin of the MC33810.
4) Monitoring chip shutoff path to the electronic throttle: turn off the throttle drive through the ABE pin of the TLE8209.
Two, RAM test at power-on.
The purpose of the RAM test is to check that the RAM cells are physically sound, not to check the correctness of the RAM contents; it is done by writing data and reading it back.
The power-on RAM test is performed exactly once per operating cycle and is an integrity test of the whole RAM space; the method is as follows:
1) In ascending address order, write 0x55 to the even-address RAM cells and 0xAA to the odd-address cells.
2) Verify the RAM just written. Then, in ascending address order, write 0xAA to the even addresses and 0x55 to the odd addresses.
3) Verify the RAM just written. Then write 0x00 to the RAM space in ascending address order.
4) Verify the RAM contents. Then write 0xFF to the RAM space in descending address order.
5) Verify the RAM contents, then write 0x00 to the RAM space in descending address order.
Three, periodic RAM test:
The period of the periodic RAM test is 100 ms. In each call of the periodic RAM test the RAM is treated as many small cells (each 64 bytes) and one cell is tested per call; interrupts must be disabled during the test so that no other task changes the contents of the RAM under test:
1) read out the data in the RAM region to be tested and store it in another region;
2) write 0x55 to the RAM, read it back and verify that it is 0x55;
3) write 0xAA to the RAM, read it back and verify that it is 0xAA;
4) copy the saved data back into the RAM region.
Four, eTPU code region (SCM) test at power-on
The eTPU and the CPU are independent compilation platforms. At run time the eTPU code is stored in RAM as a compiled binary array; the region holding its code is called the shared code memory (SCM) and the region holding its data the shared data memory (SDM). The SCM test method is as follows:
First compute the checksum of the binary code array produced by compiling the eTPU low-level code and store it in advance in a block of FLASH; then compute the checksum of the code copied into the SCM, and compare the two values to detect any corruption.
Five, eTPU data region (SDM) test at power-on
The SDM itself is not easily damaged, and the SDM test checks that the SDM cells are physically sound, not the correctness of the SDM contents. Because the eTPU handles engine synchronisation, fuel injection and ignition in real time, the SDM data region must not be disturbed during normal operation, so only a power-on test is possible; its method is identical to the power-on RAM test above and is not repeated here.
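An added example, not code from the patent: the power-on pattern test of section Two (which section Five reuses unchanged for the eTPU SDM) and the periodic 64-byte cell test of section Three, written in C against a constructed RAM array with an optional stuck-at-0 bit so that a failing run can be seen. The array `sim_ram`, the fault injector `sim_set_stuck_at_0`, the interrupt stubs `irq_disable`/`irq_enable`, reading back in ascending order, the closing read-back after the final write and the stack-resident backup buffer are all assumptions made here; the patent specifies none of them.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed RAM model for this example: a plain array standing in for the
 * controller RAM, plus one optional stuck-at-0 bit so a failing run can be
 * shown. A real build would point the test routines at the physical RAM. */
#define SIM_RAM_SIZE  256
#define RAM_CELL_SIZE 64                 /* page: the periodic test works on 64-byte cells */

static uint8_t sim_ram[SIM_RAM_SIZE];
static size_t  fault_addr = SIM_RAM_SIZE;   /* index >= SIM_RAM_SIZE means no fault */
static uint8_t fault_mask = 0;

void sim_set_stuck_at_0(size_t addr, uint8_t mask) { fault_addr = addr; fault_mask = mask; }

/* All accesses go through volatile so the compiler cannot fold write/read pairs away. */
static void ram_write(uint8_t *p, uint8_t v) {
    *(volatile uint8_t *)p = v;
    if ((size_t)(p - sim_ram) == fault_addr)          /* simulated defect: bits in mask stay 0 */
        *(volatile uint8_t *)p &= (uint8_t)~fault_mask;
}
static uint8_t ram_read(const uint8_t *p) { return *(const volatile uint8_t *)p; }

/* Hypothetical interrupt control: the page only says interrupts are off during a cell test. */
static int irq_nesting;
static void irq_disable(void) { irq_nesting++; }
static void irq_enable(void)  { irq_nesting--; }

/* Read back len bytes expecting even_v at even offsets and odd_v at odd offsets
 * (read in ascending order; the page does not state a read-back direction). */
static bool verify_pair(const uint8_t *base, size_t len, uint8_t even_v, uint8_t odd_v) {
    for (size_t i = 0; i < len; i++)
        if (ram_read(&base[i]) != ((i & 1) ? odd_v : even_v)) return false;
    return true;
}

/* Power-on test of a whole region (section Two; section Five runs the same
 * sequence on the eTPU SDM). Even/odd is taken relative to base. */
bool ram_poweron_test(uint8_t *base, size_t len) {
    size_t i;
    for (i = 0; i < len; i++) ram_write(&base[i], (i & 1) ? 0xAA : 0x55);   /* 1) ascending 55/AA */
    if (!verify_pair(base, len, 0x55, 0xAA)) return false;                    /* 2) verify, then   */
    for (i = 0; i < len; i++) ram_write(&base[i], (i & 1) ? 0x55 : 0xAA);   /*    ascending AA/55 */
    if (!verify_pair(base, len, 0xAA, 0x55)) return false;                    /* 3) verify, then   */
    for (i = 0; i < len; i++) ram_write(&base[i], 0x00);                      /*    ascending 00    */
    if (!verify_pair(base, len, 0x00, 0x00)) return false;                    /* 4) verify, then   */
    for (i = len; i-- > 0;) ram_write(&base[i], 0xFF);                        /*    descending FF   */
    if (!verify_pair(base, len, 0xFF, 0xFF)) return false;                    /* 5) verify, then   */
    for (i = len; i-- > 0;) ram_write(&base[i], 0x00);                        /*    descending 00   */
    return verify_pair(base, len, 0x00, 0x00);   /* closing read-back: assumed; the page's list ends at the write */
}

/* Periodic test of one 64-byte cell (section Three): save, 0x55, 0xAA, restore.
 * The backup sits on the stack here; the page only says "another region". */
bool ram_periodic_test(uint8_t *cell) {
    uint8_t backup[RAM_CELL_SIZE];
    bool ok = true;
    irq_disable();                                           /* no other task may touch the cell */
    memcpy(backup, cell, RAM_CELL_SIZE);                     /* 1) save */
    for (size_t i = 0; i < RAM_CELL_SIZE && ok; i++) {       /* 2) 0x55 */
        ram_write(&cell[i], 0x55); ok = (ram_read(&cell[i]) == 0x55);
    }
    for (size_t i = 0; i < RAM_CELL_SIZE && ok; i++) {       /* 3) 0xAA */
        ram_write(&cell[i], 0xAA); ok = (ram_read(&cell[i]) == 0xAA);
    }
    for (size_t i = 0; i < RAM_CELL_SIZE; i++) ram_write(&cell[i], backup[i]);   /* 4) restore, even after a failure */
    irq_enable();
    return ok;
}

/* 100 ms scheduler entry: tests the next cell and wraps around. */
bool ram_periodic_step(void) {
    static size_t next_cell;
    bool ok = ram_periodic_test(&sim_ram[next_cell * RAM_CELL_SIZE]);
    next_cell = (next_cell + 1) % (SIM_RAM_SIZE / RAM_CELL_SIZE);
    return ok;
}

/* Constructed scenarios. */
bool ram_demo_healthy(void) {
    sim_set_stuck_at_0(SIM_RAM_SIZE, 0);
    return ram_poweron_test(sim_ram, SIM_RAM_SIZE) && ram_periodic_step();
}
bool ram_demo_stuck_bit(void) {
    sim_set_stuck_at_0(100, 0x40);                            /* bit 6 of byte 100 stuck at 0 */
    bool caught = !ram_poweron_test(sim_ram, SIM_RAM_SIZE)
               && !ram_periodic_test(&sim_ram[64])            /* cell 64..127 contains the fault */
               &&  ram_periodic_test(&sim_ram[0]);            /* cell 0..63 is clean */
    sim_set_stuck_at_0(SIM_RAM_SIZE, 0);
    return caught;
}
```

The periodic routine restores the saved bytes even when a step fails, so that a detected fault is reported through the return value rather than by leaving the cell corrupted; the power-on routine, by contrast, leaves the region zeroed, which is acceptable only because the page runs it before any task owns that RAM.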
Six, periodic eTPU time monitoring
All time in the eTPU is represented by TCR1 (the time count register), so monitoring the value of TCR1 is essential: it directly determines whether engine torque is generated correctly:
1) The monitoring cycle is 100 ms: for each 10 ms slot, take the TCR1 count that represents those 10 ms, convert it into the CPU's standard count, and subtract the CPU's own count for the same 10 ms. Repeat until the 100 ms cycle ends. The two counts yield 10 deviation values T_diff1, T_diff2, T_diff3 ... T_diff10.
2) Compare the 10 deviation values to find the maximum and the minimum deviation.
3) Set the maximum deviation threshold to 50, the minimum deviation threshold to -50 and the 100 ms accumulated deviation threshold to 500.
4) If the maximum deviation computed in one monitoring cycle exceeds the maximum deviation threshold 50, or the minimum deviation is below the minimum deviation threshold -50, the eTPU time count is judged abnormal.
5) Sum the absolute values of the 10 deviations of one monitoring cycle; if the sum exceeds the 100 ms accumulated deviation threshold 500, the eTPU time count is likewise judged abnormal.
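The five steps above as one C function, added here as an example and not taken from the patent. The clock ratio (one TCR1 tick equals four CPU standard ticks), the sign convention (eTPU count minus CPU count) and the sample cycles at the bottom are constructed for this example; the page gives only the 10 ms slots, the 100 ms cycle and the three thresholds.

```c
#include <stdint.h>

#define ETPU_SAMPLES      10      /* page: a 100 ms cycle sampled every 10 ms */
#define DEV_MAX_THRESHOLD 50
#define DEV_MIN_THRESHOLD (-50)
#define DEV_SUM_THRESHOLD 500

/* Assumed clock relationship (not given on the page): one TCR1 tick equals
 * four ticks of the CPU's standard count. */
#define CPU_TICKS_PER_TCR1_TICK 4u

enum { ETPU_TIME_OK = 0, ETPU_TIME_MAX = 1, ETPU_TIME_MIN = 2, ETPU_TIME_SUM = 4 };

/* tcr1_delta[i]: TCR1 ticks counted in 10 ms slot i; cpu_delta[i]: CPU standard
 * ticks for the same slot. Fills dev_out with T_diff1..T_diff10 (eTPU minus CPU;
 * the page does not fix the sign) and returns a bitmask of violated thresholds. */
int etpu_time_check(const uint32_t tcr1_delta[ETPU_SAMPLES],
                    const int32_t cpu_delta[ETPU_SAMPLES],
                    int32_t dev_out[ETPU_SAMPLES]) {
    int32_t dev_max = INT32_MIN, dev_min = INT32_MAX, abs_sum = 0;
    int result = ETPU_TIME_OK;
    for (int i = 0; i < ETPU_SAMPLES; i++) {
        int32_t converted = (int32_t)(tcr1_delta[i] * CPU_TICKS_PER_TCR1_TICK); /* 1) to CPU ticks */
        int32_t dev = converted - cpu_delta[i];
        dev_out[i] = dev;
        if (dev > dev_max) dev_max = dev;                                       /* 2) extremes */
        if (dev < dev_min) dev_min = dev;
        abs_sum += (dev < 0) ? -dev : dev;                                      /* 5) |dev| sum */
    }
    if (dev_max > DEV_MAX_THRESHOLD) result |= ETPU_TIME_MAX;                   /* 3), 4) */
    if (dev_min < DEV_MIN_THRESHOLD) result |= ETPU_TIME_MIN;
    if (abs_sum > DEV_SUM_THRESHOLD) result |= ETPU_TIME_SUM;
    return result;
}

/* Constructed sample cycles: a 4 MHz standard count gives 40000 ticks per 10 ms,
 * a 1 MHz TCR1 gives 10000. */
static const int32_t  demo_cpu[ETPU_SAMPLES]   = {40000,40000,40000,40000,40000,40000,40000,40000,40000,40000};
static const uint32_t tcr1_ok[ETPU_SAMPLES]    = {10000,10000,10000,10000,10000,10000,10000,10000,10000,10000};
static const uint32_t tcr1_fast[ETPU_SAMPLES]  = {10000,10000,10000,10020,10000,10000,10000,10000,10000,10000}; /* one slot +80 */
static const uint32_t tcr1_slow[ETPU_SAMPLES]  = {10000,10000,10000,10000,10000,10000,10000,10000, 9985,10000}; /* one slot -60 */
static const uint32_t tcr1_drift[ETPU_SAMPLES] = {10013,10013,10013,10013,10013,10013,10013,10013,10013,10013}; /* +52 every slot */

int etpu_demo_ok(void)    { int32_t d[ETPU_SAMPLES]; return etpu_time_check(tcr1_ok,    demo_cpu, d); }
int etpu_demo_fast(void)  { int32_t d[ETPU_SAMPLES]; return etpu_time_check(tcr1_fast,  demo_cpu, d); }
int etpu_demo_slow(void)  { int32_t d[ETPU_SAMPLES]; return etpu_time_check(tcr1_slow,  demo_cpu, d); }
int etpu_demo_drift(void) { int32_t d[ETPU_SAMPLES]; return etpu_time_check(tcr1_drift, demo_cpu, d); }
```

One consequence of the page's constants is worth noting: ten deviations that each pass the per-sample checks have absolute values of at most 50, so their sum can never exceed 500, and step 5) can only fire when step 4) already has. The accumulated check adds detection only if its threshold is set below ten times the per-sample threshold, for instance to catch a steady small drift that never crosses 50 in any single slot.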
Seven, question-and-answer communication monitoring
As shown in Fig. 2, the master chip and the monitoring chip communicate over an SPI interface and monitor each other in a question-and-answer manner; the concrete detection scheme is realised mainly through two mechanisms, the instruction set test and the program flow check.
1) The monitoring chip and the master chip run on independent clock frequencies.
2) The master chip and the monitoring chip each have their own error counter.
3) The answer to a given question is built from two partial answers, one produced by the instruction set test and one by the program flow check; the two partial answers are added to form the final answer, which is sent to the monitoring chip.
4) Questions and answers correspond one to one.
5) The error counter threshold is 7 on both the master chip and the monitoring chip; when the error count reaches the threshold, the electronic throttle drive signal and the fuel injection drive signal are shut off and the system is reset.
The question-and-answer communication runs periodically with a period of 80 ms, one question corresponding to one answer. Its timing mechanism is shown in Fig. 3:
1) On the monitoring chip, a new monitoring cycle starts once it has received the answer to the previous question.
2) To mark the starting point of a monitoring cycle unambiguously, the master chip sends 0x81 to the monitoring chip over SPI each time.
3) One monitoring cycle is 80 ms; if the monitoring chip receives no answer within 80 ms it treats this as a timeout and increments its error counter, then waits for the next cycle starting point and re-sends the question to the master chip.
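The monitoring chip's side of the exchange above, as an added C example that is not the patent's code. It assumes a four-entry expected-answer table with constructed values, that a frame without the 0x81 marker or with a wrong answer counts as one error, that the question index advances after any answer, and that a millisecond time base is available; the page supplies only the 80 ms period, the 0x81 marker, the one-to-one question/answer mapping and the threshold of 7.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define QA_PERIOD_MS   80u     /* page: one question-answer cycle */
#define QA_START_BYTE  0x81u   /* page: master marks the start of a cycle over SPI */
#define QA_ERR_LIMIT   7u      /* page: error counter threshold on both chips */
#define QA_N_QUESTIONS 4u      /* hypothetical size of the question table */

/* Hypothetical one-to-one table of expected final answers (instruction set
 * partial answer + program flow partial answer); the values are constructed. */
static const int32_t qa_expected[QA_N_QUESTIONS] = { 166, 121, 12, 77 };

typedef struct {
    uint8_t  question;        /* index of the outstanding question */
    uint32_t cycle_start_ms;  /* time the current 80 ms window opened */
    uint8_t  error_count;
    bool     shutdown;        /* throttle and injection drives off, reset requested */
} qa_monitor_t;

void qa_monitor_init(qa_monitor_t *m, uint32_t now_ms) {
    memset(m, 0, sizeof *m);
    m->cycle_start_ms = now_ms;
}

static void qa_error(qa_monitor_t *m) {
    if (m->error_count < QA_ERR_LIMIT) m->error_count++;
    if (m->error_count >= QA_ERR_LIMIT) m->shutdown = true;   /* page: shut off drives, reset */
}

/* SPI frame from the master: the 0x81 start marker followed by the answer.
 * Returns true when the answer matched the outstanding question. */
bool qa_monitor_on_answer(qa_monitor_t *m, uint8_t start_byte, int32_t answer, uint32_t now_ms) {
    bool ok = (start_byte == QA_START_BYTE) && (answer == qa_expected[m->question]);
    if (!ok) qa_error(m);                                           /* wrong answer or bad framing */
    m->question = (uint8_t)((m->question + 1) % QA_N_QUESTIONS);    /* advance (assumption) */
    m->cycle_start_ms = now_ms;                                     /* page: new cycle starts on receipt */
    return ok;
}

/* Periodic poll: no answer within 80 ms is a timeout and the question is repeated. */
void qa_monitor_poll(qa_monitor_t *m, uint32_t now_ms) {
    if (now_ms - m->cycle_start_ms >= QA_PERIOD_MS) {
        qa_error(m);
        m->cycle_start_ms = now_ms;           /* wait for the next cycle start, same question */
    }
}

/* Constructed scenario: one good answer, one timeout, one wrong answer -> error count 2. */
unsigned qa_demo_mixed(void) {
    qa_monitor_t m;
    qa_monitor_init(&m, 0);
    qa_monitor_on_answer(&m, QA_START_BYTE, qa_expected[0], 10);        /* correct */
    qa_monitor_poll(&m, 50);                                            /* 40 ms in: still waiting */
    qa_monitor_poll(&m, 90);                                            /* 80 ms since 10: timeout */
    qa_monitor_on_answer(&m, QA_START_BYTE, qa_expected[1] + 1, 100);   /* wrong answer */
    return m.error_count;
}

/* Constructed scenario: the master never answers. Returns the number of 80 ms
 * windows until the monitor requests shutdown -> 7. */
unsigned qa_demo_silent_master(void) {
    qa_monitor_t m;
    unsigned windows = 0;
    qa_monitor_init(&m, 0);
    for (uint32_t t = QA_PERIOD_MS; !m.shutdown; t += QA_PERIOD_MS) {
        qa_monitor_poll(&m, t);
        windows++;
    }
    return windows;
}
```

The timer arithmetic is done on unsigned 32-bit milliseconds so the comparison survives wrap-around; the page leaves unspecified whether a correct answer ever decrements the counter, so this version only counts up and relies on the reset at threshold to clear it, exactly as the AD check's counter is described with a floor of 0 and a ceiling of 7.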
Eight, instruction set test
The purpose of the instruction set test is to detect whether the master chip executes the safety-monitoring functions of the control strategy correctly, i.e. whether the master chip is in a normal operating state. The algorithms of some strategy control modules are abstracted into simple instructions such as addition, subtraction, multiplication and division; according to the question sent by the monitoring chip, a preset test data set is fed as input to the instruction set modules. One test period is 40 ms, and every module of the instruction set test is called once per period.
For example, the specific instructions extracted from the monitored strategy control modules are: A*B, A/B, (A-B)*C, A+B>C, A-B<C, A?B:(C-1), where A, B and C are the input parameters of each instruction. The flow of the instruction set test is shown in Fig. 4:
1) First check whether the monitoring chip has sent a new question, i.e. check the corresponding state flag: if the flag is 1, the function module has received a new question, go to step 2); if the flag is 0, go to step 3).
2) Clear the new-question state flag to 0, extract from the question the information about the instruction set test, and set the module counter of the instruction set test to 1, meaning that the first module is to be run. Also clear to 0 the intermediate variable that accumulates the answers of the individual modules.
3) Advance the module counter of the instruction set so that the modules run one after another. Each time a module completes and computes its answer, that answer is added into the intermediate variable. Check whether all modules of the instruction set test have run; if not, continue with the next module and compute its answer; if all modules have run, go to step 4).
4) Assign the intermediate variable to the local answer variable of the instruction set test; this value forms one part of the final answer that the master chip sends to the monitoring chip.
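The four-step state machine above with the six example instructions, written in C as an added example (not the patent's code). It assumes that one module runs per scheduler call, that the question selects an (A, B, C) triple, and that A/B with B equal to 0 yields 0; the input triples used at the bottom are constructed, and the page specifies neither the vectors nor the B == 0 case.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Inputs A, B, C for the six abstracted instructions the page lists. The triple
 * is selected by the question; the numbers used below are constructed. */
typedef struct { int32_t a, b, c; } iset_vec_t;
typedef int32_t (*iset_module_fn)(const iset_vec_t *v);

static int32_t m_mul(const iset_vec_t *v)    { return v->a * v->b; }                 /* A*B */
static int32_t m_div(const iset_vec_t *v)    { return v->b != 0 ? v->a / v->b : 0; } /* A/B; B == 0 guard is an addition */
static int32_t m_submul(const iset_vec_t *v) { return (v->a - v->b) * v->c; }        /* (A-B)*C */
static int32_t m_addgt(const iset_vec_t *v)  { return (v->a + v->b) > v->c; }        /* A+B>C */
static int32_t m_sublt(const iset_vec_t *v)  { return (v->a - v->b) < v->c; }        /* A-B<C */
static int32_t m_cond(const iset_vec_t *v)   { return v->a ? v->b : (v->c - 1); }    /* A?B:(C-1) */

static const iset_module_fn modules[] = { m_mul, m_div, m_submul, m_addgt, m_sublt, m_cond };
#define N_MODULES (sizeof modules / sizeof modules[0])

typedef struct {
    bool       new_question;   /* state flag: 1 = a new question has arrived */
    iset_vec_t vec;            /* inputs chosen by that question */
    unsigned   module_counter; /* 1-based index of the next module; 0 = idle */
    int32_t    intermediate;   /* running sum of module answers */
    int32_t    local_answer;   /* the instruction-set part of the final answer */
    bool       answer_ready;
} iset_state_t;

void iset_post_question(iset_state_t *s, iset_vec_t v) { s->vec = v; s->new_question = true; }

/* One scheduler slot. It runs a single module per call (an assumption; the page
 * only requires that every module is called once within the 40 ms period). */
void iset_task(iset_state_t *s) {
    if (s->new_question) {                        /* step 1): flag set -> step 2) */
        s->new_question   = false;
        s->module_counter = 1;                    /* first module next */
        s->intermediate   = 0;                    /* clear the accumulator */
        s->answer_ready   = false;
    }
    if (s->module_counter == 0) return;           /* nothing outstanding */
    s->intermediate += modules[s->module_counter - 1](&s->vec);   /* step 3): run, accumulate */
    if (s->module_counter < N_MODULES) { s->module_counter++; return; }
    s->local_answer = s->intermediate;            /* step 4): publish the local answer */
    s->answer_ready = true;
    s->module_counter = 0;
}

/* Drives the task until the answer is published; calls_out (may be NULL)
 * receives the number of scheduler calls that took. */
int32_t iset_run_to_answer(iset_vec_t v, unsigned *calls_out) {
    iset_state_t s = {0};
    unsigned calls = 0;
    iset_post_question(&s, v);
    while (!s.answer_ready) { iset_task(&s); calls++; }
    if (calls_out) *calls_out = calls;
    return s.local_answer;
}

/* Constructed vectors: {6,3,2} -> 18+2+6+1+0+3 = 30; {0,5,4} -> 0+0-20+1+1+3 = -15. */
int32_t  iset_demo_a(void)     { return iset_run_to_answer((iset_vec_t){6, 3, 2}, NULL); }
int32_t  iset_demo_b(void)     { return iset_run_to_answer((iset_vec_t){0, 5, 4}, NULL); }
unsigned iset_demo_calls(void) { unsigned n; iset_run_to_answer((iset_vec_t){6, 3, 2}, &n); return n; }
```

Because the local answer is a plain sum, a module that returns a wrong value is caught only if the error changes the sum; two compensating faults in different modules would cancel, which is why the page pairs this test with the program flow check rather than relying on it alone.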
Nine, program flow check
The purpose of the program flow check is to verify that all strategy control program modules relevant to safety monitoring execute within the prescribed time period and in the correct order; it cannot detect whether the logic of the strategy control code itself is wrong.
One program flow monitoring cycle is 40 ms. A polynomial P(X) to be verified and a generator polynomial G(X) are defined. The initial value of P(X) is 0x99; G(X) is an array of 16 elements set to {0x11, 0x21, 0x31, 0x41, 0xA2, 0xB2, 0xC2, 0xD2, 0x33, 0x43, 0x53, 0x63, 0x24, 0x34, 0x44, 0x54}, and each value, together with its position in the array, corresponds to one strategy control module and to its position in the execution order.
In the strategy algorithm the operation differs according to the index of G(X), as shown in Fig. 5:
1) When the index of G(X) is even, taking G(X)[0] as an example, first XOR P(X) with G(X)[0] and assign the result to P(X), i.e. P(X) = P(X) ^ G(X)[0]; then add G(X)[0] to the updated P(X) and take the result as the new P(X), i.e. P(X) = P(X) + G(X)[0]. Every other even-indexed G(X) is handled the same way.
2) When the index of G(X) is odd, taking G(X)[1] as an example, first OR P(X) with G(X)[1] and assign the result to P(X), i.e. P(X) = P(X) | G(X)[1]; then XOR the updated P(X) with G(X)[1] and take the result as the new P(X), i.e. P(X) = P(X) ^ G(X)[1]. Every other odd-indexed G(X) is handled the same way.
Likewise, within the strategy control modules that need monitoring, each module is monitored in turn; the G(X) used inside a strategy module corresponds one to one with the element of the generator polynomial array G(X) inside the program flow monitoring function. In a module executed at an odd position in the order (the 1st, 3rd, ... module, i.e. an even 0-based array index), the module entry performs P(X) = P(X) ^ G(X) and the module exit performs P(X) = P(X) + G(X); in a module executed at an even position (the 2nd, 4th, ... module, i.e. an odd array index), the module entry performs P(X) = P(X) | G(X) and the module exit performs P(X) = P(X) ^ G(X). All modules complete within 40 ms, and the final P(X) produced by the strategy modules is compared with the P(X) value computed by the monitoring function. If the two are equal, all monitored strategy modules have executed within 40 ms and in the correct order; otherwise the error counter is incremented. The error counter threshold is 7; when it is reached, the system is reset.
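The chained P(X) computation above, carried through all 16 modules with the page's G(X) array and initial value, as an added C example that is not the patent's code. It keeps P(X) in an 8-bit register (an assumption, the page shows byte-sized constants), lets the order of execution be passed in so that a skipped or swapped module can be demonstrated, and folds the comparison and error counter of the monitoring function into `pf_monitor_check`.

```c
#include <stddef.h>
#include <stdint.h>

#define PF_N_MODULES 16
#define PF_INIT      0x99u   /* page: initial value of P(X) */
#define PF_ERR_LIMIT 7       /* page: error counter threshold */

/* Page: generator polynomial array; position = monitored module and its execution order. */
static const uint8_t G[PF_N_MODULES] = {0x11, 0x21, 0x31, 0x41, 0xA2, 0xB2, 0xC2, 0xD2,
                                        0x33, 0x43, 0x53, 0x63, 0x24, 0x34, 0x44, 0x54};

/* Called at the entry of strategy module idx (0-based array index). */
uint8_t pf_module_head(uint8_t p, size_t idx) {
    return (idx & 1) == 0 ? (uint8_t)(p ^ G[idx])      /* even index: XOR */
                          : (uint8_t)(p | G[idx]);     /* odd index:  OR  */
}

/* Called at the exit of strategy module idx. */
uint8_t pf_module_tail(uint8_t p, size_t idx) {
    return (idx & 1) == 0 ? (uint8_t)(p + G[idx])      /* even index: ADD, mod 256 */
                          : (uint8_t)(p ^ G[idx]);     /* odd index:  XOR */
}

/* Signature left behind by executing the modules listed in order[0..n-1];
 * n < 16 models a skipped module, a permuted order models wrong sequencing. */
uint8_t pf_signature(const size_t *order, size_t n) {
    uint8_t p = PF_INIT;
    for (size_t i = 0; i < n; i++) {
        p = pf_module_head(p, order[i]);
        /* ... the strategy module's own work runs here ... */
        p = pf_module_tail(p, order[i]);
    }
    return p;
}

/* Reference value the monitoring function computes for the correct order. */
uint8_t pf_expected(void) {
    size_t order[PF_N_MODULES];
    for (size_t i = 0; i < PF_N_MODULES; i++) order[i] = i;
    return pf_signature(order, PF_N_MODULES);           /* 0x88 with the page's constants */
}

typedef struct { uint8_t error_count; int reset_requested; } pf_monitor_t;

/* End-of-window comparison (page: every 40 ms). Returns 1 when the flow was correct. */
int pf_monitor_check(pf_monitor_t *m, uint8_t observed) {
    if (observed == pf_expected()) return 1;
    if (m->error_count < PF_ERR_LIMIT) m->error_count++;
    if (m->error_count >= PF_ERR_LIMIT) m->reset_requested = 1;
    return 0;
}

/* Constructed fault cases. */
uint8_t pf_demo_skip_last(void) {
    size_t o[PF_N_MODULES - 1];
    for (size_t i = 0; i < PF_N_MODULES - 1; i++) o[i] = i;
    return pf_signature(o, PF_N_MODULES - 1);           /* module 15 never ran: 0xC8 */
}
uint8_t pf_demo_swapped(void) {
    size_t o[PF_N_MODULES];
    for (size_t i = 0; i < PF_N_MODULES; i++) o[i] = i;
    o[0] = 1; o[1] = 0;                                 /* first two modules in the wrong order */
    return pf_signature(o, PF_N_MODULES);
}
unsigned pf_demo_failures_to_reset(void) {
    pf_monitor_t m = {0, 0};
    unsigned windows = 0;
    uint8_t bad = pf_demo_skip_last();
    while (!m.reset_requested) { pf_monitor_check(&m, bad); windows++; }
    return windows;                                     /* 7 */
}
```

Two properties of this chain are worth knowing before relying on it. First, (P | G) ^ G simplifies to P & ~G, so every odd-indexed step clears the bits of its G value regardless of what P held: a fault that corrupts only those bits just before such a step is invisible to the check. Second, the signature is a sequence witness, not an integrity check; as the page itself says, it proves that the modules ran in order and on time, not that they computed the right thing, which is why it is paired with the instruction set test and sent to the monitoring chip as one half of the answer.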
Ten, AD conversion check
The purpose of AD conversion monitoring is mainly to detect the following two possible errors: 1) the AD conversion values of the two pedal sensor channels are inconsistent; 2) an AD sampled value is outside the reasonable range. As shown in Fig. 6:
1) The AD conversion check runs in a 10 ms cycle.
2) A separate ADC channel is used to sample the reference voltage; this channel is independent of the channels carrying the two redundant pedal sensor signals.
3) The reference voltage is a fixed, preset voltage, set to 5 V.
4) Read the reference voltage sample and check whether it lies within the threshold range (4.5, 5.25).
5) If the sampled reference value is within the reasonable range, the device's AD acquisition is considered fault-free; otherwise the error counter is incremented by 1. The error counter has a minimum value of 0 and a maximum threshold of 7.
These components are already present on the vehicle and nothing extra needs to be added. The control algorithm is integrated into the microcontroller in software, which is convenient to implement and adds no extra cost. In the invention the master chip is a Freescale MPC563X series microcontroller and the monitoring chip is the 8-bit MC9S08SG8.
The algorithm of the invention fully meets the requirements that electronic throttle safety monitoring must satisfy; the mutual monitoring mechanism of master chip and monitoring chip improves the safety of the automotive engine controller, and the system is highly portable.
The invention has been described above by way of example with reference to the drawings; its implementation is obviously not limited to what is described. Any improvement made using the method design and technical scheme of the invention, or any direct application of the unmodified design to another setting, falls within the scope of protection of the invention.

Claims (8)

1. A software implementation method for electronic throttle chip safety monitoring, characterised in that it comprises the following steps:
One, shutoff path test at power-down
The shutoff path test is executed once per driving cycle and takes place during the power-down process. The shutoff path test includes two parts: the master chip's shutoff of fuel injection and of the electronic throttle, and the monitoring chip's shutoff of fuel injection and of the electronic throttle. The shutoff duration during the shutoff path test is 35ms; if a fault occurs during the shutoff path test, the maximum number of resets is 7;
Two, detection of the whole RAM at power-on
The power-on test of RAM is executed exactly once in one operating cycle:
1) In ascending address order, write 0x55 to even-address RAM cells and 0xAA to odd-address cells;
2) Verify the written RAM space, then in ascending address order write 0xAA to even addresses and 0x55 to odd addresses;
3) Verify the written RAM space, then write 0x00 to the RAM space in ascending address order;
4) Verify the content of the RAM space, then write 0xFF to the RAM space in descending address order;
5) Verify the content of the RAM space, then write 0x00 to the RAM space in descending address order;
Three, periodic detection of RAM while the system is running normally
1) Read out the data in the RAM space to be tested and store it in another region;
2) Write 0x55 to the RAM, read back the content of the RAM and verify that it is 0x55;
3) Write 0xAA to the RAM, read back the content of the RAM space and verify that it is 0xAA;
4) Copy the data back into the RAM space;
Four, detection of the eTPU code region (SCM) at power-on
First calculate the CHECKSUM of the binary code array produced after compiling the eTPU low-level code and store it in advance in a block of FLASH; then calculate the CHECKSUM of the code copied into the SCM and compare the two to check whether an error has occurred;
Five, detection of the eTPU data region (SDM) at power-on
1) In ascending address order, write 0x55 to even-address RAM cells and 0xAA to odd-address cells;
2) Verify the written RAM space, then in ascending address order write 0xAA to even addresses and 0x55 to odd addresses;
3) Verify the written RAM space, then write 0x00 to the RAM space in ascending address order;
4) Verify the content of the RAM space, then write 0xFF to the RAM space in descending address order;
5) Verify the content of the RAM space, then write 0x00 to the RAM space in descending address order;
Six, periodic eTPU time monitoring
1) The monitoring cycle is 100ms. Calculate the TCR1 value marking each 10ms, convert it into the CPU's standard count value and subtract it from the CPU's own 10ms count mark; repeat this until the 100ms ends. Subtracting the two sets of data produces 10 deviation values, T_diff1, T_diff2, T_diff3 ... T_diff10;
2) Compare these 10 deviation values and obtain the maximum and minimum deviation values;
3) Set the maximum standard deviation threshold to 50, the minimum standard deviation threshold to -50, and the 100ms accumulated standard deviation threshold to 500;
4) If the maximum deviation value calculated in one monitoring cycle is greater than the given maximum standard deviation threshold 50, or the minimum deviation value is less than the given minimum standard deviation threshold -50, it can be determined that the eTPU time counting is abnormal;
5) Accumulate the absolute values of the 10 deviation values in one monitoring cycle; if the sum exceeds the given 100ms accumulated standard deviation threshold 500, it can likewise be determined that the eTPU time counting is abnormal;
Seven, question-and-answer communication monitoring
1) The monitoring chip and the master chip have independent clock frequencies;
2) The master chip and the monitoring chip have independent error counters;
3) For the answer to a given question, the instruction set test and the program flow check each produce a local answer; the two local answers are added to compute the final answer, which is sent to the monitoring chip;
4) Questions and answers correspond one-to-one;
5) The error counter threshold of both the master chip and the monitoring chip is 7; when the error count reaches the threshold, the electronic throttle drive signal and the fuel injection drive signal are shut off and the system resets;
Eight, periodic instruction set test
1) First detect whether the monitoring chip has sent a new question, i.e. check the corresponding status flag bit: if the status flag bit is 1, the functional module has received a new question and proceeds to step 2); if the status flag bit is 0, proceed to step 3);
2) Clear the status flag bit of the new question to 0, obtain from the question the information about the instruction set test, and set the module counter corresponding to the instruction set test to 1, which indicates that the first module is to run; at the same time clear to 0 the intermediate variable that accumulates the answers of the individual modules;
3) Increment the module counter corresponding to the instruction set so that the modules run one after another. When each module finishes running and computes its answer, the answers are added and assigned to the intermediate variable. Check whether all modules of the instruction set test have run; if not, continue running the next module and computing its answer; if all modules have run, proceed to step 4);
4) Assign the intermediate variable to the local answer variable corresponding to the instruction set test; the value of this variable is one part of the final answer that the master chip sends to the monitoring chip;
Nine, periodic program flow detection
The monitoring cycle of the program flow is 40ms. A polynomial P(X) to be verified and a generator polynomial G(X) are set, where the initial value of P(X) is 0x99; the generator polynomial G(X) is an array with 16 entries, whose values are respectively {0x11, 0x21, 0x31, 0x41, 0xA2, 0xB2, 0xC2, 0xD2, 0x33, 0x43, 0x53, 0x63, 0x24, 0x34, 0x44, 0x54}; each value and its position in the array are the value corresponding to the respective policy control module and its order of execution;
Ten, periodic AD conversion detection
1) AD conversion detection runs within the 10ms cycle;
2) A separate ADC channel is used for sampling the reference voltage; this channel is independent of the channels carrying the two-way redundant pedal sensor signals;
3) The reference voltage is a fixed, preset voltage, set to 5V;
4) The value of the reference voltage signal is obtained and it is checked whether it lies within the threshold range (4.5, 5.25);
5) If the collected value of the reference signal is within the reasonable range, the device's AD sampling is considered to be working; otherwise the error counter is incremented by 1.
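The power-on RAM test of part two (also applied to the eTPU data region in part five) and the periodic 64-byte cell test of part three and claim 3, written out as an added C example that is not the patent's code; the RAM image, the live data and the stuck-bit fault are constructed for the demonstration:

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
/* Added example, not the patent's code: the power-on RAM test of part two (reused for
 * the eTPU data region in part five) and the periodic 64-byte cell test of part three
 * and claim 3. Assumption: byte-addressed RAM, patterned by even/odd address. */
#define RAM_CELL_BYTES 64u
/* Fill n bytes in ascending or descending address order with the even/odd pattern. */
static void ram_fill(volatile uint8_t *ram, size_t n, uint8_t even_val, uint8_t odd_val, bool ascending) {
    for (size_t k = 0; k < n; k++) {
        size_t i = ascending ? k : n - 1u - k;
        ram[i] = (i & 1u) ? odd_val : even_val;
    }
}
/* Read back every byte and compare it against the pattern that was written. */
static bool ram_verify(const volatile uint8_t *ram, size_t n, uint8_t even_val, uint8_t odd_val) {
    for (size_t i = 0; i < n; i++)
        if (ram[i] != ((i & 1u) ? odd_val : even_val)) return false;
    return true;
}
/* Power-on test, steps 1) to 5): destructive, so it runs before RAM holds live data.
 * The last 0x00 fill is verified as well, which the claimed steps leave implicit. */
static bool ram_power_on_test(volatile uint8_t *ram, size_t n) {
    static const struct { uint8_t e, o; bool asc; } step[5] = {   /* steps 1) to 5) */
        {0x55, 0xAA, true}, {0xAA, 0x55, true}, {0x00, 0x00, true}, {0xFF, 0xFF, false}, {0x00, 0x00, false} };
    for (int s = 0; s < 5; s++) {
        ram_fill(ram, n, step[s].e, step[s].o, step[s].asc);
        if (!ram_verify(ram, n, step[s].e, step[s].o)) return false;
    }
    return true;
}
/* Periodic test of one 64-byte cell: save, 0x55, 0xAA, restore. The caller keeps
 * interrupts disabled so that no other task touches the cell while it is under test. */
static bool ram_periodic_cell_test(volatile uint8_t *cell, uint8_t *backup) {
    memcpy(backup, (const uint8_t *)cell, RAM_CELL_BYTES);   /* 1) */
    ram_fill(cell, RAM_CELL_BYTES, 0x55, 0x55, true);         /* 2) */
    bool ok = ram_verify(cell, RAM_CELL_BYTES, 0x55, 0x55);
    ram_fill(cell, RAM_CELL_BYTES, 0xAA, 0xAA, true);         /* 3) */
    ok = ok && ram_verify(cell, RAM_CELL_BYTES, 0xAA, 0xAA);
    memcpy((uint8_t *)cell, backup, RAM_CELL_BYTES);          /* 4) */
    return ok;
}

static uint8_t demo_ram[256];   /* constructed RAM image for the demonstration */

/* Puts live data in cell 2, runs the periodic test, and checks the data came back intact. */
static bool demo_periodic_restores(void) {
    uint8_t backup[RAM_CELL_BYTES];
    volatile uint8_t *cell = demo_ram + 2u * RAM_CELL_BYTES;
    for (size_t i = 0; i < RAM_CELL_BYTES; i++) cell[i] = (uint8_t)(i * 7u);
    bool ok = ram_periodic_cell_test(cell, backup);
    for (size_t i = 0; i < RAM_CELL_BYTES; i++) ok = ok && cell[i] == (uint8_t)(i * 7u);
    return ok;
}
/* Constructed fault: bit 3 stuck at 1 in byte 10, an even address that should read 0x55. */
static bool demo_detects_stuck_bit(void) {
    ram_fill(demo_ram, sizeof demo_ram, 0x55, 0xAA, true);
    demo_ram[10] |= 0x08;
    return !ram_verify(demo_ram, sizeof demo_ram, 0x55, 0xAA);
}
```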
2. The software implementation method for electronic throttle chip safety monitoring according to claim 1, characterised in that the hardware requirements and implementation of the shutoff paths are:
1) Master chip shutoff path to fuel injection: control the fuel injection output by controlling the output enable pin of the MC33810, or directly set the fuel injection output to 0 by software;
2) Master chip shutoff path to the electronic throttle: turn off the electronic throttle drive by controlling the DIS pin of the TLE8209, or simply stop outputting the electronic throttle drive signal by software;
3) Monitoring chip shutoff path to fuel injection: control the fuel injection output by controlling the output enable pin of the MC33810;
4) Monitoring chip shutoff path to the electronic throttle: turn off the electronic throttle drive by controlling the ABE pin of the TLE8209.
3. The software implementation method for electronic throttle chip safety monitoring according to claim 1 or 2, characterised in that the cycle of the periodic RAM detection is 100ms; in each call of the periodic RAM test, the RAM is divided into many small cells, each of 64 bytes, and the RAM test of one of these small cells is performed each time; interrupts are disabled during the test to prevent other tasks from changing the content of the RAM during the test process.
4. The software implementation method for electronic throttle chip safety monitoring according to any of claims 1-3, characterised in that the eTPU and the CPU are independent compilation platforms, and when the system runs, the eTPU code is stored in RAM in the form of a compiled binary array.
5. The software implementation method for electronic throttle chip safety monitoring according to any of claims 1-4, characterised in that time in the eTPU is entirely characterised by the time counting register (TCR1).
6. The software implementation method for electronic throttle chip safety monitoring according to any of claims 1-5, characterised in that the question-and-answer communication runs periodically, with a cycle of 80ms.
7. The software implementation method for electronic throttle chip safety monitoring according to any of claims 1-6, characterised in that the test cycle of the instruction set test is 40ms, and each of the modules corresponding to the instruction set test is required to be called once.
8. The software implementation method for electronic throttle chip safety monitoring according to any of claims 1-7, characterised in that in step 5) of the periodic AD conversion detection, the minimum value of the error counter is 0 and the maximum threshold is 7.
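The eTPU time-count check of part six of claim 1 (with TCR1 as the eTPU time base, claim 5), as an added C example that is not the patent's code; the TCR1-to-CPU conversion ratio and the 10ms count marks are constructed assumptions, since the patent gives neither:

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>

/* Added example, not the patent's code: the eTPU time-count plausibility check of
 * part six. Assumptions: TCR1 ticks at a fixed multiple of the CPU's standard count
 * (a constructed ratio of 4 here) and each sample is one 10ms count mark. */
#define ETPU_SAMPLES      10
#define ETPU_MAX_DEV      50
#define ETPU_MIN_DEV    (-50)
#define ETPU_ACC_DEV     500
#define TCR1_PER_CPU_TICK 4u   /* constructed conversion ratio, not from the patent */

/* Step 1): convert each 10ms TCR1 mark to CPU count units and subtract the CPU's
 * own 10ms mark, giving T_diff1 ... T_diff10 for the 100ms cycle. */
static void etpu_deviations(const uint32_t tcr1[ETPU_SAMPLES], const uint32_t cpu[ETPU_SAMPLES],
                            int32_t out[ETPU_SAMPLES]) {
    for (int i = 0; i < ETPU_SAMPLES; i++)
        out[i] = (int32_t)(tcr1[i] / TCR1_PER_CPU_TICK) - (int32_t)cpu[i];
}

/* Steps 2) to 5): abnormal if max > 50, min < -50, or the sum of |T_diff| > 500. */
static bool etpu_time_abnormal(const int32_t dev[ETPU_SAMPLES]) {
    int32_t max = dev[0], min = dev[0], acc = 0;
    for (int i = 0; i < ETPU_SAMPLES; i++) {
        if (dev[i] > max) max = dev[i];
        if (dev[i] < min) min = dev[i];
        acc += abs(dev[i]);
    }
    return max > ETPU_MAX_DEV || min < ETPU_MIN_DEV || acc > ETPU_ACC_DEV;
}

/* Constructed 100ms cycle: the CPU counts 1000 per 10ms, so TCR1 should count 4000.
 * drift shifts every TCR1 mark by that many CPU counts; spike shifts the seventh only. */
static bool demo_cycle_abnormal(int32_t drift, int32_t spike) {
    uint32_t tcr1[ETPU_SAMPLES], cpu[ETPU_SAMPLES];
    int32_t dev[ETPU_SAMPLES];
    for (int i = 0; i < ETPU_SAMPLES; i++) {
        cpu[i] = 1000u;
        tcr1[i] = (uint32_t)(4000 + 4 * drift + (i == 6 ? 4 * spike : 0));
    }
    etpu_deviations(tcr1, cpu, dev);
    return etpu_time_abnormal(dev);
}
```

A uniform deviation of exactly 50 (or -50) on every mark sits on the thresholds and is not flagged, since both the per-value and the accumulated comparisons are strict.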
CN201610024392.4A  2016-01-13  2016-01-13  A software implementation method for electronic throttle chip safety monitoring  Active  CN105760253B (en)

Priority Applications (1)

Application Number  Priority Date  Filing Date  Title
CN201610024392.4A (CN105760253B, en)  2016-01-13  2016-01-13  A software implementation method for electronic throttle chip safety monitoring


Publications (2)

Publication Number  Publication Date
CN105760253A  2016-07-13
CN105760253B  2018-08-10

Family

ID=56342374

Family Applications (1)

Application Number  Title  Priority Date  Filing Date
CN201610024392.4A (Active, CN105760253B, en)  A software implementation method for electronic throttle chip safety monitoring  2016-01-13  2016-01-13

Country Status (1)

Country  Link
CN (1)  CN105760253B (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number  Priority date  Publication date  Assignee  Title
CN107256012A (en) *  2017-05-02  2017-10-17  北京欧鹏巴赫新能源科技股份有限公司  Method for realizing multi-task monitoring using the CIC61508 watchdog-feeding mechanism
CN108153285A (en) *  2017-12-28  2018-06-12  上汽通用五菱汽车股份有限公司  Automotive safety monitoring method, device, storage medium and system
CN109271288A (en) *  2017-07-17  2019-01-25  展讯通信(上海)有限公司  Pre-silicon processor performance evaluation method
CN110908932A (en) *  2018-09-18  2020-03-24  新唐科技股份有限公司  Data processing apparatus and data protection method thereof
CN113296430A (en) *  2021-04-13  2021-08-24  东风汽车集团股份有限公司  Method and system for monitoring logical operation data flow faults of a master-slave chip processing unit
CN113608951A (en) *  2021-07-27  2021-11-05  际络科技(上海)有限公司  Chip state detection method and system, electronic device and readable storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number  Priority date  Publication date  Assignee  Title
JPH06175990A (en) *  1992-12-08  1994-06-24  Fujitsu Ltd  Interprocessor communication testing method
CN101533376A (en) *  2008-03-12  2009-09-16  通用汽车环球科技运作公司  Securing safety-critical variables
CN201587405U (en) *  2010-01-12  2010-09-22  同济大学  Whole-vehicle controller based on the MPC 555 in a hybrid urban bus
CN202402149U (en) *  2011-12-16  2012-08-29  中国第一汽车股份有限公司  ECU safety monitoring module for a natural gas engine


Also Published As

Publication number  Publication date
CN105760253B (en)  2018-08-10


Legal Events

Code  Title
C06  Publication
PB01  Publication
C10  Entry into substantive examination
SE01  Entry into force of request for substantive examination
GR01  Patent grant