CN105760253B - A kind of software implementation method of electronic throttle chip secure monitoring - Google Patents

A software implementation method for safety monitoring of an electronic throttle chip

Publication number: CN105760253B
Application number: CN201610024392.4A
Other versions: CN105760253A
Authority: CN (China)
Legal status: Active
Prior art keywords: ram, monitoring, chip, electronic throttle, written
Other languages: Chinese (zh)
Inventor: 张建民
Original assignee: SAIC Chery Automobile Co Ltd
Current assignee: Chery Automobile Co Ltd
Events: application filed by SAIC Chery Automobile Co Ltd; priority to CN201610024392.4A; publication of CN105760253A; application granted; publication of CN105760253B; legal status Active; anticipated expiration.

Classifications

    • G06F11/1417 Boot up procedures (G06F11/00 Error detection; Error correction; Monitoring > G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance > G06F11/14 Error detection or correction of the data by redundancy in operation > G06F11/1402 Saving, restoring, recovering or retrying > G06F11/1415 Saving, restoring, recovering or retrying at system level)
    • F02D41/22 Safety or indicating devices for abnormal conditions (F02D41/00 Electrical control of supply of combustible mixture or its constituents)
    • G06F11/2247 Verification or detection of system hardware configuration (G06F11/22 Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing)
    • G06F11/2273 Test methods (G06F11/22 Detection or location of defective computer hardware by testing during standby operation or during idle time)
    • G06F11/2284 Detection or location of defective computer hardware by power-on test, e.g. power-on self test [POST] (G06F11/22)
    • Y02T10/40 Engine management systems (Y02T10/00 Road transport of goods or passengers > Y02T10/10 Internal combustion engine [ICE] based vehicles)

Abstract

The present invention relates to a software implementation method for safety monitoring of an electronic throttle chip, comprising the following steps: a shutdown path test at power-down; a test of the entire RAM at power-on; periodic RAM detection during normal system operation; detection of the eTPU code area (SCM) at power-on; detection of the eTPU data area (SDM) at power-on; periodic eTPU time monitoring; question-and-answer communication monitoring; a periodic instruction set test; periodic program flow detection; and periodic AD conversion detection. The present invention fully meets the requirements that electronic throttle safety monitoring must achieve; the mutual monitoring mechanism between the master chip and the monitoring chip improves the safety performance of automotive engine control, and the system is highly portable.

Description

A software implementation method for safety monitoring of an electronic throttle chip
Technical field
The invention belongs to the field of automotive electronic control and relates in particular to a software implementation method for safety monitoring of an electronic throttle chip.
Background technology
In an electronic throttle system the throttle valve is driven by a motor over its entire opening range, and the engine can adjust the valve position independently of the accelerator pedal position. To prevent the electronic throttle from running out of control and causing danger when a signal error, a software error or a hardware error occurs, safety legislation requires that the electronic throttle system have an independent monitoring unit that checks the fuel injection operation of the main control chip; when the monitoring system finds that a monitored item has failed, it can shut off the ETC intake module and at the same time record the fault that occurred, so that the electronic throttle system is a safe and reliable system. Redundancy in the hardware, together with software monitoring of the components and of the control unit itself, fully guarantees in real time that actual torque and engine speed stay within their limits, and thus the safety of the electronic throttle system.
The consequences of an electronic throttle system running out of control are very serious, so there must be a sufficiently reliable safety mechanism to ensure that the system can be monitored in real time.
Summary of the invention
Therefore, to meet this need while taking the cost and the complexity of the algorithm into account, an 8-bit monitoring chip and the master chip monitor each other, which achieves the goal of safe operation of the electronic throttle system.
The purpose of the present invention is to provide a software implementation method for safety monitoring of an electronic throttle chip in which the master chip and the monitoring chip, each monitoring the other independently, are combined through software algorithms with the existing electrical components to monitor whether the shutdown function, the storage areas, instruction computation, program flow, the AD components, the eTPU clock and similar aspects are operating normally.
The specific technical solution is as follows:
A software implementation method for safety monitoring of an electronic throttle chip comprises the following steps:
One: shutdown path test at power-down
The shutdown path test is performed once per driving cycle and takes place during the power-down process. It comprises two parts: the master chip shutting off fuel injection and the electronic throttle, and the monitoring chip shutting off fuel injection and the electronic throttle. The shutdown duration during the shutdown path test is 35 ms; if a fault occurs during the shutdown path test, the maximum number of resets is 7;
Two: test of the entire RAM at power-on
The RAM power-on test is executed exactly once per operating cycle:
1) In ascending address order, write 0x55 to even-address RAM cells and 0xAA to odd-address cells;
2) Verify the RAM area written, then in ascending address order write 0xAA to even addresses and 0x55 to odd addresses;
3) Verify the RAM area written, then write 0x00 to the RAM area in ascending address order;
4) Verify the contents of the RAM area, then write 0xFF to the RAM area in descending address order;
5) Verify the contents of the RAM area, then write 0x00 to the RAM area in descending address order;
Three: periodic RAM detection during normal system operation
1) Read out the data in the RAM area under test and store it in a separate area;
2) Write 0x55 to the RAM area, read the contents back and verify that they are 0x55;
3) Write 0xAA to the RAM area, read the contents back and verify that they are 0xAA;
4) Copy the saved data back into the RAM area;
Four: detection of the eTPU code area (SCM) at power-on
First the CHECKSUM of the binary code array generated by compiling the eTPU low-level code is calculated and stored in advance in a block of FLASH; then the CHECKSUM of the code copied into the SCM is calculated again, and the two are compared to check whether an error has occurred;
Five: detection of the eTPU data area (SDM) at power-on
1) In ascending address order, write 0x55 to even-address cells of the SDM and 0xAA to odd-address cells;
2) Verify the area written, then in ascending address order write 0xAA to even addresses and 0x55 to odd addresses;
3) Verify the area written, then write 0x00 to the area in ascending address order;
4) Verify the contents of the area, then write 0xFF to the area in descending address order;
5) Verify the contents of the area, then write 0x00 to the area in descending address order;
Six: periodic eTPU time monitoring
1) The monitoring cycle period is 100 ms. For each 10 ms interval, calculate the TCR1 value representing that interval, convert it to the CPU's standard count value, and subtract the CPU's own count value for the 10 ms interval from it; repeat this until the 100 ms period ends. Subtracting the two counts yields 10 deviation values, T_dev1, T_dev2, T_dev3 ... T_dev10;
2) Compare these 10 deviations to obtain the maximum and minimum deviation values;
3) Set the maximum standard deviation threshold to 50, the minimum standard deviation threshold to -50, and the 100 ms accumulated standard deviation threshold to 500;
4) If, within one monitoring cycle, the calculated maximum deviation exceeds the given maximum standard deviation threshold of 50, or the minimum deviation is below the given minimum standard deviation threshold of -50, the eTPU time count is judged to be abnormal;
5) The absolute values of the 10 deviations in one monitoring cycle are accumulated; if the sum exceeds the given 100 ms standard deviation threshold of 500, the eTPU time count is likewise judged to be abnormal;
Seven: question-and-answer communication monitoring
1) The monitoring chip and the master chip have independent clock frequencies;
2) The master chip and the monitoring chip each have an independent error counter;
3) For the answer to a given question, the instruction set test and the program flow check each generate a partial answer; the two partial answers are then added to calculate the final answer, which is sent to the monitoring chip;
4) Questions and answers correspond one to one;
5) The error counter threshold of both the master chip and the monitoring chip is 7; when the error count reaches the threshold, the electronic throttle drive signal and the fuel injection drive signal are shut off and the system is reset.
Eight: periodic instruction set test
1) First detect whether the monitoring chip has sent a new question, i.e. check the corresponding status flag bit: if the status flag is 1, the function module has received a new question, so go to step 2); if the status flag bit is 0, go to step 3);
2) Clear the new-question status flag bit to 0, obtain the information about the instruction set test from the question, and set the module counter of the instruction set test to 1, indicating that the first module is to be run; in addition, clear to 0 the intermediate variable that accumulates the sum of the answers of the individual modules;
3) Increment the module counter of the instruction set test so as to run the modules in turn. Each time a module finishes running and calculates its answer, the answers are added together and assigned to the intermediate variable. Check whether all modules of the instruction set test have been run; if not, continue with the next module and calculate its answer; if all modules have been run, go to step 4);
4) Assign the intermediate variable to the local answer variable of the instruction set test; this value forms part of the final answer that the master chip sends to the monitoring chip.
Nine: periodic program flow detection
The monitoring cycle of the program flow is 40 ms. An original polynomial P(X) used for verification and a generator polynomial G(X) are set, where the initial value of P(X) is 0x99; the generator polynomial G(X) is an array of 16 elements, set to {0x11, 0x21, 0x31, 0x41, 0xA2, 0xB2, 0xC2, 0xD2, 0x33, 0x43, 0x53, 0x63, 0x24, 0x34, 0x44, 0x54}, in which each value and its position in the array correspond to the value assigned to a strategy control module and the order in which that module is executed;
Ten: periodic AD conversion detection
1) AD conversion detection runs in a 10 ms period;
2) A separate ADC channel is used to acquire the reference voltage signal; this channel is independent of the channels for the two-way redundant pedal sensor signals;
3) The reference voltage is a fixed, preset voltage, set to 5 V;
4) The value of the reference voltage signal is obtained and checked for whether it lies within the threshold range (4.5, 5.25);
5) If the acquired value of the reference signal lies within the reasonable range, the AD acquisition of the device is considered to be free of problems; otherwise the error counter is incremented by 1.
Preferably, the hardware requirements and implementation of the shutdown path are:
1) Master chip shutdown path for fuel injection: the fuel injection output is controlled through the output enable pin of the MC33810, or the fuel injection output is set directly to 0 by software;
2) Master chip shutdown path for the electronic throttle: the electronic throttle drive is shut off through the DIS pin of the TLE8209, or the electronic throttle drive signal is simply not output by software;
3) Monitoring chip shutdown path for fuel injection: the fuel injection output is controlled through the output enable pin of the MC33810;
4) Monitoring chip shutdown path for the electronic throttle: the electronic throttle drive is shut off through the ABE pin of the TLE8209.
In any of the above schemes, preferably, the period of the periodic RAM detection is 100 ms. In the periodic RAM test the RAM is divided into many small units of 64 bytes each, and each call of the test checks one such small unit. Interrupts are disabled during the test to prevent other tasks from changing the contents of the RAM while it is being tested.
In any of the above schemes, preferably, the eTPU and the CPU are independent compilation platforms; when the system runs, the eTPU code is stored in RAM as a compiled binary array.
In any of the above schemes, preferably, time in the eTPU is represented entirely by the time count register (TCR1).
In any of the above schemes, preferably, the question-and-answer communication runs periodically with a period of 80 ms.
In any of the above schemes, preferably, the test period of the instruction set test is 40 ms, and each module covered by the instruction set test must be called once.
In any of the above schemes, preferably, the error counter of step 5) of the periodic AD conversion detection has a minimum value of 0 and a maximum threshold of 7.
Compared with the prior art, the present invention has the following beneficial effects:
The control algorithm of the present invention is integrated into the microcontroller in software, which is convenient to implement and adds no extra cost. The algorithm fully meets the requirements that electronic throttle safety monitoring must achieve; the mutual monitoring mechanism between the master chip and the monitoring chip improves the safety performance of automotive engine control, and the system is highly portable.
Description of the drawings
Fig. 1 is a flow diagram of the shutdown path test at power-down in the software implementation method for electronic throttle chip safety monitoring of the present invention;
Fig. 2 is a schematic diagram of the data interaction of the question-and-answer communication monitoring in the software implementation method for electronic throttle chip safety monitoring of the present invention;
Fig. 3 is a schematic diagram of the timing mechanism of the question-and-answer communication monitoring in the software implementation method for electronic throttle chip safety monitoring of the present invention;
Fig. 4 is a flow diagram of the operation of the periodic instruction set test in the software implementation method for electronic throttle chip safety monitoring of the present invention;
Fig. 5 is a flow diagram of the periodic program flow detection in the software implementation method for electronic throttle chip safety monitoring of the present invention;
Fig. 6 is a flow diagram of the periodic AD conversion detection in the software implementation method for electronic throttle chip safety monitoring of the present invention.
Detailed description
The present invention is described in detail below with reference to the accompanying drawings; what follows is one preferred embodiment among the many embodiments of the present invention.
A software implementation method for safety monitoring of an electronic throttle chip comprises the following steps:
One: shutdown path test.
1. As shown in Fig. 1, the purpose of the shutdown path test is to make sure that, when an error occurs, the actuator outputs can be shut off correctly so that safety is guaranteed.
1) The shutdown path test is performed once per driving cycle. It takes place during the power-down process; if the shutdown path cannot be executed correctly, the engine cannot be started.
2) The shutdown path test comprises two parts: the master chip shutting off fuel injection and the electronic throttle, and the monitoring chip shutting off fuel injection and the electronic throttle.
3) The shutdown duration during the shutdown path test is 35 ms.
4) If a fault occurs during the shutdown path test, the maximum number of resets is 7.
2. Hardware requirements and implementation of the shutdown path
1) Master chip shutdown path for fuel injection: the fuel injection output is controlled through the output enable pin of the MC33810, or the fuel injection output is set directly to 0 by software.
2) Master chip shutdown path for the electronic throttle: the electronic throttle drive is shut off through the DIS pin of the TLE8209, or the electronic throttle drive signal is simply not output by software.
3) Monitoring chip shutdown path for fuel injection: the fuel injection output is controlled through the output enable pin of the MC33810.
4) Monitoring chip shutdown path for the electronic throttle: the electronic throttle drive is shut off through the ABE pin of the TLE8209.
Two: RAM detection at power-on.
The purpose of the RAM detection is to test the physical correctness of the RAM cells, not the correctness of the RAM contents; it is carried out by writing data and reading it back for checking.
The RAM power-on test is executed exactly once per operating cycle and is an integrity test of the entire RAM area. The test method is as follows:
1) In ascending address order, write 0x55 to even-address RAM cells and 0xAA to odd-address cells.
2) Verify the RAM area written. Then, in ascending address order, write 0xAA to even addresses and 0x55 to odd addresses.
3) Verify the RAM area written. Then write 0x00 to the RAM area in ascending address order.
4) Verify the contents of the RAM area. Then write 0xFF to the RAM area in descending address order.
5) Verify the contents of the RAM area, then write 0x00 to the RAM area in descending address order.
Three: periodic RAM detection:
The period of the periodic RAM detection is 100 ms. In the periodic RAM test the RAM is divided into many small units (each of 64 bytes), and each call of the test checks one such small unit. Interrupts are disabled during the test to prevent other tasks from changing the contents of the RAM while it is being tested:
1) Read out the data in the RAM area under test and store it in a separate area;
2) Write 0x55 to the RAM area. Read the contents back and verify that they are 0x55;
3) Write 0xAA to the RAM area. Read the contents back and verify that they are 0xAA;
4) Copy the saved data back into the RAM area.
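The five-step power-on test and the periodic 64-byte unit test described above (the SDM power-on test later in the text uses the same five steps), as one added C example that is not code from the patent. The RAM is modelled as a byte array behind read/write helpers so that a constructed stuck-at-1 fault can be injected; the sim_ram_t model, the 256-byte size, the fault location (bit 3 of address 5) and the final read-back after step 5 are assumptions of this example, not of the patent.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed RAM model: a byte array plus one optional stuck-at-1 fault
   (bit mask 'stuck_mask' at address 'stuck_addr'); stuck_mask == 0 means healthy RAM. */
typedef struct {
    uint8_t *cells;
    size_t   len;
    size_t   stuck_addr;
    uint8_t  stuck_mask;
} sim_ram_t;

static void ram_write(sim_ram_t *r, size_t a, uint8_t v)
{
    if (a == r->stuck_addr) v |= r->stuck_mask;   /* the injected fault: these bits never clear */
    r->cells[a] = v;
}

static uint8_t ram_read(const sim_ram_t *r, size_t a) { return r->cells[a]; }

/* Check that every cell holds 'even' at even addresses and 'odd' at odd addresses. */
static int verify_pattern(const sim_ram_t *r, uint8_t even, uint8_t odd)
{
    for (size_t a = 0; a < r->len; a++)
        if (ram_read(r, a) != ((a & 1) ? odd : even)) return 0;
    return 1;
}

/* Power-on test over the whole RAM: the patent's five steps, ascending then descending
   address order. Returns 1 if the RAM passed, 0 at the first mismatch. */
int ram_power_on_test(sim_ram_t *r)
{
    size_t a;
    for (a = 0; a < r->len; a++) ram_write(r, a, (a & 1) ? 0xAA : 0x55);  /* step 1 */
    if (!verify_pattern(r, 0x55, 0xAA)) return 0;                         /* step 2: verify */
    for (a = 0; a < r->len; a++) ram_write(r, a, (a & 1) ? 0x55 : 0xAA);  /* step 2: inverse */
    if (!verify_pattern(r, 0xAA, 0x55)) return 0;                         /* step 3: verify */
    for (a = 0; a < r->len; a++) ram_write(r, a, 0x00);                   /* step 3: ascending */
    if (!verify_pattern(r, 0x00, 0x00)) return 0;                         /* step 4: verify */
    for (a = r->len; a-- > 0; ) ram_write(r, a, 0xFF);                    /* step 4: descending */
    if (!verify_pattern(r, 0xFF, 0xFF)) return 0;                         /* step 5: verify */
    for (a = r->len; a-- > 0; ) ram_write(r, a, 0x00);                    /* step 5: descending */
    return verify_pattern(r, 0x00, 0x00);  /* final read-back, added here; not a patent step */
}

#define RAM_UNIT 64   /* size of one periodically tested unit, as in the patent */

/* Periodic test of one 64-byte unit: save, 0x55, verify, 0xAA, verify, restore.
   On the target this runs with interrupts disabled. Returns 1 on pass, 0 on fail. */
int ram_periodic_test(sim_ram_t *r, size_t unit)
{
    uint8_t saved[RAM_UNIT];
    size_t base = unit * RAM_UNIT, i;
    int ok = 1;
    if (base + RAM_UNIT > r->len) return 0;
    for (i = 0; i < RAM_UNIT; i++) saved[i] = ram_read(r, base + i);            /* step 1 */
    for (i = 0; i < RAM_UNIT; i++) ram_write(r, base + i, 0x55);                /* step 2 */
    for (i = 0; i < RAM_UNIT; i++) if (ram_read(r, base + i) != 0x55) ok = 0;
    for (i = 0; i < RAM_UNIT; i++) ram_write(r, base + i, 0xAA);                /* step 3 */
    for (i = 0; i < RAM_UNIT; i++) if (ram_read(r, base + i) != 0xAA) ok = 0;
    for (i = 0; i < RAM_UNIT; i++) ram_write(r, base + i, saved[i]);            /* step 4 */
    return ok;
}

/* Demo on a constructed 256-byte RAM. Result bit 0 = power-on test passed,
   bit 1 = periodic test of unit 0 passed. inject_fault != 0 sticks bit 3 of address 5 at 1. */
int ram_selftest_demo(int inject_fault)
{
    static uint8_t cells[256];
    sim_ram_t ram = { cells, sizeof cells, 5, inject_fault ? 0x08 : 0x00 };
    int result = 0;
    if (ram_power_on_test(&ram)) result |= 1;
    if (ram_periodic_test(&ram, 0)) result |= 2;
    return result;
}

int main(void)
{
    printf("healthy RAM: %d, RAM with stuck bit: %d\n",
           ram_selftest_demo(0), ram_selftest_demo(1));
    return 0;
}
```

The stuck-at-1 bit is invisible to step 1 (0xAA already has bit 3 set at the odd address) and is only caught by the inverted pattern of step 2, which is why the test writes both complementary patterns before the all-zero and all-one passes. In the periodic test the saved contents are written back before interrupts are re-enabled, so a task that is preempted mid-write never observes the test pattern.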
Four: detection of the eTPU code area (SCM) at power-on
The eTPU and the CPU are independent compilation platforms. When the system runs, the eTPU code is stored in RAM as a compiled binary array; the region that holds code is called the shared code memory (SCM) and the region that holds data is called the shared data memory (SDM). The SCM is checked as follows:
First the CHECKSUM of the binary code array generated by compiling the eTPU low-level code is calculated and stored in advance in a block of FLASH; then the CHECKSUM of the code copied into the SCM is calculated again, and the two are compared to check whether an error has occurred.
Five: detection of the eTPU data area (SDM) at power-on
The SDM itself is unlikely to be damaged; the SDM test checks the physical correctness of the SDM cells, not the correctness of the SDM contents. Because the eTPU handles engine synchronisation, fuel injection and ignition in real time, the SDM data area must not be disturbed while the system is running normally, so only a power-on test can be performed. The test method is identical to the RAM power-on test described above and is not described again.
Six: periodic eTPU time monitoring
Time in the eTPU is represented entirely by TCR1 (the time count register), so monitoring the value of TCR1 is essential: it directly determines whether engine torque is generated correctly:
1) The monitoring cycle period is 100 ms. For each 10 ms interval, calculate the TCR1 value representing that interval, convert it to the CPU's standard count value, and subtract the CPU's own count value for the 10 ms interval from it. Repeat this until the 100 ms period ends. Subtracting the two counts yields 10 deviation values, T_dev1, T_dev2, T_dev3 ... T_dev10.
2) Compare these 10 deviations to obtain the maximum and minimum deviation values.
3) Set the maximum standard deviation threshold to 50, the minimum standard deviation threshold to -50, and the 100 ms accumulated standard deviation threshold to 500.
4) If, within one monitoring cycle, the calculated maximum deviation exceeds the given maximum standard deviation threshold of 50, or the minimum deviation is below the given minimum standard deviation threshold of -50, the eTPU time count is judged to be abnormal.
5) The absolute values of the 10 deviations in one monitoring cycle are accumulated; if the sum exceeds the given 100 ms standard deviation threshold of 500, the eTPU time count is likewise judged to be abnormal.
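The ten-deviation check of steps 1) to 5) as an added C example, not code from the patent. The thresholds 50, -50 and 500 are the patent's; the tcr1_scale_t conversion factor, the count rates (10000 CPU counts per 10 ms, TCR1 running at half that rate) and the jitter values in the scenarios are constructed assumptions for the demo.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

#define ETPU_SLOTS      10      /* ten 10 ms intervals per 100 ms monitoring cycle */
#define ETPU_DEV_MAX    50      /* maximum standard deviation threshold */
#define ETPU_DEV_MIN  (-50)     /* minimum standard deviation threshold */
#define ETPU_DEV_ACC   500      /* 100 ms accumulated standard deviation threshold */

/* Status bits returned by etpu_time_check(). */
#define ETPU_OK         0
#define ETPU_ERR_RANGE  1       /* a single 10 ms deviation left [-50, 50] */
#define ETPU_ERR_ACC    2       /* sum of |deviation| over 100 ms exceeded 500 */

/* Assumed conversion: TCR1 counts are scaled to CPU count units by num/den
   (the patent states that a conversion is done but gives no factor). */
typedef struct { int32_t num, den; } tcr1_scale_t;

typedef struct {
    int32_t dev[ETPU_SLOTS];      /* T_dev1 .. T_dev10 */
    int32_t dev_max, dev_min, dev_acc;
} etpu_result_t;

/* tcr1_per_10ms[i]: TCR1 ticks the eTPU counted in interval i;
   cpu_per_10ms: the CPU's standard count for one 10 ms interval. */
int etpu_time_check(const int32_t tcr1_per_10ms[ETPU_SLOTS], int32_t cpu_per_10ms,
                    tcr1_scale_t scale, etpu_result_t *out)
{
    int status = ETPU_OK;
    out->dev_acc = 0;
    for (int i = 0; i < ETPU_SLOTS; i++) {
        int32_t as_cpu = (int32_t)(((int64_t)tcr1_per_10ms[i] * scale.num) / scale.den);
        out->dev[i] = as_cpu - cpu_per_10ms;                                  /* step 1 */
        if (i == 0 || out->dev[i] > out->dev_max) out->dev_max = out->dev[i]; /* step 2 */
        if (i == 0 || out->dev[i] < out->dev_min) out->dev_min = out->dev[i];
        out->dev_acc += abs(out->dev[i]);                                     /* step 5, sum */
    }
    if (out->dev_max > ETPU_DEV_MAX || out->dev_min < ETPU_DEV_MIN)           /* step 4 */
        status |= ETPU_ERR_RANGE;
    if (out->dev_acc > ETPU_DEV_ACC)                                          /* step 5 */
        status |= ETPU_ERR_ACC;
    return status;
}

/* Constructed scenarios. The CPU counts 10000 per 10 ms and TCR1 runs at half that
   rate (nominal 5000 per interval, scale 2/1). 0 = healthy with jitter,
   1 = one interval drifted by +60 CPU counts, 2 = every interval drifted by +60.
   'out' may be NULL when only the status is wanted. */
int etpu_demo(int scenario, etpu_result_t *out)
{
    static etpu_result_t scratch;
    int32_t tcr1[ETPU_SLOTS] = { 5001, 4999, 5000, 5002, 4998, 5000, 5001, 4999, 5000, 5000 };
    tcr1_scale_t scale = { 2, 1 };
    if (out == NULL) out = &scratch;
    if (scenario == 1) tcr1[4] = 5030;
    if (scenario == 2) for (int i = 0; i < ETPU_SLOTS; i++) tcr1[i] += 30;
    return etpu_time_check(tcr1, 10000, scale, out);
}

int main(void)
{
    etpu_result_t r;
    for (int s = 0; s < 3; s++) {
        int status = etpu_demo(s, &r);
        printf("scenario %d: status %d (max %d, min %d, acc %d)\n",
               s, status, (int)r.dev_max, (int)r.dev_min, (int)r.dev_acc);
    }
    return 0;
}
```

One arithmetic consequence of the stated thresholds is worth knowing when tuning them: with ten intervals and a per-interval limit of 50 in either direction, the accumulated sum can reach at most 500 while every interval is still in range, so the accumulated threshold of 500 can only be exceeded when step 4) has already fired (scenario 2 trips both checks, scenario 1 only the per-interval one). The accumulated check adds detection of slow, uniform drift only if the per-interval limits are widened relative to it.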
Seven: question-and-answer communication monitoring
As shown in Fig. 2, the master chip and the monitoring chip communicate through an SPI interface and realise the mutual monitoring function in a question-and-answer manner; the specific detection scheme is implemented mainly through two approaches, the instruction set test and program flow detection.
1) The monitoring chip and the master chip have independent clock frequencies.
2) The master chip and the monitoring chip each have an independent error counter.
3) For the answer to a given question, the instruction set test and the program flow check each generate a partial answer; the two partial answers are then added to calculate the final answer, which is sent to the monitoring chip.
4) Questions and answers correspond one to one.
5) The error counter threshold of both the master chip and the monitoring chip is 7; when the error count reaches the threshold, the electronic throttle drive signal and the fuel injection drive signal are shut off and the system is reset.
The question-and-answer communication runs periodically with a period of 80 ms, and each question corresponds to one answer. Its timing mechanism is shown in Fig. 3:
1) In the monitoring chip, a new monitoring period starts after it has received the answer to the previous question.
2) To mark the starting point of a monitoring period unambiguously, the master chip sends 0x81 to the monitoring chip over SPI each time.
3) One monitoring period is 80 ms. If the monitoring chip has not received an answer within 80 ms, this is treated as a timeout: the error counter is incremented, and the monitoring chip waits for the next monitoring period starting point and then sends a new question to the master chip.
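The 80 ms question-and-answer cycle with the 0x81 period marker, the per-chip error counter and the threshold of 7, as an added C simulation that is not code from the patent. The SPI link is reduced to an spi_frame_t struct passed by function call; the four-entry question table with fixed partial answers, the fixed 80 ms grid and the master's response latencies are constructed assumptions. On the real system the two partial answers come from the instruction set test and the program flow check.

```c
#include <stdint.h>
#include <stdio.h>

#define QA_PERIOD_MS  80     /* one monitoring period */
#define QA_SYNC_BYTE  0x81   /* the master marks the start of each period with this byte */
#define QA_ERR_LIMIT  7      /* error counter threshold */
#define QA_QUESTIONS  4

/* Constructed question table: the monitoring chip knows the expected answer for each
   question. The answer is the instruction set partial answer plus the program flow
   partial answer; here both partials are fixed numbers. */
static const int32_t instr_part[QA_QUESTIONS] = { 34, 18, 52, 7 };
static const int32_t flow_part[QA_QUESTIONS]  = { 0x88, 0x80, 0x0C, 0x30 };

/* One SPI transfer from master to monitor (modelled as a struct, not a real bus). */
typedef struct { uint8_t sync; uint8_t question; int32_t answer; } spi_frame_t;

typedef struct {
    uint8_t  err;          /* the monitoring chip's own error counter */
    uint8_t  question;     /* question currently outstanding */
    uint32_t deadline_ms;  /* the answer must arrive before this time */
    int      waiting;      /* 1 while an answer is outstanding */
    int      shutdown;     /* 1 once throttle/injection drives are cut and reset is raised */
} monitor_t;

static void monitor_fail(monitor_t *m)
{
    if (++m->err >= QA_ERR_LIMIT) m->shutdown = 1;   /* threshold reached: cut drives, reset */
}

/* Monitoring chip: issue the next question at the start of a period. */
static uint8_t monitor_issue(monitor_t *m, uint32_t now_ms)
{
    m->question = (uint8_t)((m->question + 1) % QA_QUESTIONS);   /* one question per period */
    m->deadline_ms = now_ms + QA_PERIOD_MS;
    m->waiting = 1;
    return m->question;
}

/* Monitoring chip: end-of-period check; no answer within 80 ms is a timeout. */
static void monitor_tick(monitor_t *m, uint32_t now_ms)
{
    if (m->waiting && now_ms >= m->deadline_ms) { m->waiting = 0; monitor_fail(m); }
}

/* Monitoring chip: verify a frame from the master against the expected answer. */
static void monitor_receive(monitor_t *m, const spi_frame_t *f, uint32_t now_ms)
{
    int32_t expected = instr_part[m->question] + flow_part[m->question];
    if (!m->waiting || now_ms >= m->deadline_ms) return;   /* late frames fall to the timeout path */
    m->waiting = 0;
    if (f->sync != QA_SYNC_BYTE || f->question != m->question || f->answer != expected)
        monitor_fail(m);
}

/* Master chip: compute the answer; 'fault' simulates a corrupted computation path. */
static int32_t master_answer(uint8_t q, int fault)
{
    int32_t a = instr_part[q] + flow_part[q];   /* sum of the two partial answers */
    return fault ? a + 1 : a;
}

/* Simulate 'periods' monitoring periods on an 80 ms grid. master_fault != 0 makes every
   answer wrong; latency_ms is the master's response time. The loop stops at shutdown
   (system reset). Returns err | (shutdown << 8) from the monitoring chip's view. */
int qa_simulate(int periods, int master_fault, uint32_t latency_ms)
{
    monitor_t m = { 0, 0, 0, 0, 0 };
    for (int p = 0; p < periods && !m.shutdown; p++) {
        uint32_t t0 = (uint32_t)p * QA_PERIOD_MS;
        uint8_t q = monitor_issue(&m, t0);
        spi_frame_t reply = { QA_SYNC_BYTE, q, master_answer(q, master_fault) };
        uint32_t t_reply = t0 + latency_ms;
        if (t_reply < m.deadline_ms) monitor_receive(&m, &reply, t_reply);
        monitor_tick(&m, t0 + QA_PERIOD_MS);   /* period end */
    }
    return m.err | (m.shutdown << 8);
}

int main(void)
{
    printf("healthy master: 0x%x\n", qa_simulate(20, 0, 20));
    printf("wrong answers:  0x%x\n", qa_simulate(20, 1, 20));
    printf("slow master:    0x%x\n", qa_simulate(20, 0, 100));
    return 0;
}
```

A wrong answer and a missing answer are treated identically by the monitor (one error each), so a master that hangs and a master whose computation is corrupted both reach the shutdown threshold after seven consecutive periods, i.e. within 560 ms at the patent's 80 ms period. Because the monitor compares against its own table rather than trusting any status reported by the master, a master that is alive but computing wrongly cannot talk its way past the check.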
Eight: instruction set test
The purpose of the instruction set test is to detect whether the master chip executes the safety monitoring function of the control strategy correctly, and so to check whether the master chip is operating normally. The algorithms of several strategy control modules are abstracted into an instruction set consisting of direct operations such as addition, subtraction, multiplication and division; according to the question sent by the monitoring chip, a preset test data set is supplied as input to test the instruction set modules. One test period is 40 ms, and every module covered by the instruction set test must be called once.
For example, the specific instructions abstracted from the individual monitored strategy control modules are: A*B, A/B, (A-B)*C, A+B>C, A-B<C, AB:(C-1), where A, B and C are the input parameters of each instruction. The specific instruction set test flow is shown in Fig. 4:
1) First detect whether the monitoring chip has sent a new question, i.e. check the corresponding status flag bit: if the status flag is 1, the function module has received a new question, so go to step 2); if the status flag bit is 0, go to step 3).
2) Clear the new-question status flag bit to 0, obtain the information about the instruction set test from the question, and set the module counter of the instruction set test to 1, indicating that the first module is to be run. In addition, clear to 0 the intermediate variable that accumulates the sum of the answers of the individual modules.
3) Increment the module counter of the instruction set test so as to run the modules in turn. Each time a module finishes running and calculates its answer, the answers are added together and assigned to the intermediate variable. Check whether all modules of the instruction set test have been run; if not, continue with the next module and calculate its answer; if all modules have been run, go to step 4).
4) Assign the intermediate variable to the local answer variable of the instruction set test; this value forms part of the final answer that the master chip sends to the monitoring chip.
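Steps 1) to 4) of the instruction set test as an added C example, not code from the patent. The five clear instructions from the list above are implemented as one function each; the sixth, "AB:(C-1)", is garbled in the translation and is left out. The instr_test_t state, the function-pointer module table and the preset data set A=6, B=3, C=4 are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Preset test data set used as the instruction inputs (constructed values). */
typedef struct { int32_t a, b, c; } test_data_t;

/* The instruction set abstracted from the strategy control modules, one function per
   module. The sixth instruction in the patent text, "AB:(C-1)", is garbled and omitted. */
static int32_t op_mul(test_data_t d)    { return d.a * d.b; }                  /* A*B */
static int32_t op_div(test_data_t d)    { return d.b != 0 ? d.a / d.b : 0; }   /* A/B */
static int32_t op_submul(test_data_t d) { return (d.a - d.b) * d.c; }          /* (A-B)*C */
static int32_t op_addgt(test_data_t d)  { return (d.a + d.b) > d.c; }          /* A+B>C */
static int32_t op_sublt(test_data_t d)  { return (d.a - d.b) < d.c; }          /* A-B<C */

typedef int32_t (*instr_fn)(test_data_t);
static const instr_fn modules[] = { op_mul, op_div, op_submul, op_addgt, op_sublt };
#define MODULE_COUNT ((int)(sizeof modules / sizeof modules[0]))

typedef struct {
    int         new_question;    /* status flag bit: 1 = a new question has arrived */
    test_data_t data;            /* the question's test data set */
    int         module_counter;  /* 1..MODULE_COUNT while running, 0 when idle */
    int32_t     intermediate;    /* running sum of the module answers */
    int32_t     local_answer;    /* instruction set part of the final answer */
    int         answer_ready;
} instr_test_t;

/* Called from the SPI handler when the monitoring chip sends a question. */
void instr_test_post_question(instr_test_t *t, test_data_t data)
{
    t->data = data;
    t->new_question = 1;
    t->answer_ready = 0;
}

/* One 40 ms test period. Every module is called exactly once per question. */
void instr_test_period(instr_test_t *t)
{
    if (t->new_question) {                  /* step 1: flag is 1 -> step 2 */
        t->new_question = 0;
        t->module_counter = 1;              /* the first module is next */
        t->intermediate = 0;
    }
    if (t->module_counter == 0) return;     /* step 1: flag is 0 and nothing pending */
    while (t->module_counter <= MODULE_COUNT) {                 /* step 3 */
        t->intermediate += modules[t->module_counter - 1](t->data);
        t->module_counter++;
    }
    t->local_answer = t->intermediate;      /* step 4 */
    t->answer_ready = 1;
    t->module_counter = 0;
}

/* Demo with the constructed data set A=6, B=3, C=4: 18 + 2 + 12 + 1 + 1 = 34. */
int32_t instr_test_demo(void)
{
    instr_test_t t = { 0, { 0, 0, 0 }, 0, 0, 0, 0 };
    test_data_t data = { 6, 3, 4 };
    instr_test_period(&t);                  /* no question yet: nothing runs */
    instr_test_post_question(&t, data);
    instr_test_period(&t);
    return t.answer_ready ? t.local_answer : -1;
}

int main(void)
{
    printf("instruction set local answer: %d\n", (int)instr_test_demo());
    return 0;
}
```

The monitoring chip holds the same table of expected sums for each preset data set, so any ALU, register or compiler fault that changes the result of one of the abstracted operations shows up as a mismatch in the next question-and-answer period. Summing the module results into a single intermediate variable keeps the SPI reply to one number, at the cost that two compensating errors in different modules would cancel; a data set should therefore be chosen so that the individual results are of different magnitude.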
Nine: program flow detection
The purpose of the program flow check is to check whether all program modules of the strategy control that are relevant to safety monitoring complete execution within the specified time period, and whether they execute in the correct order; it cannot detect whether the logic of the strategy control code is wrong.
The monitoring cycle of the program flow is 40 ms. An original polynomial P(X) used for verification and a generator polynomial G(X) are set, where the initial value of P(X) is 0x99; the generator polynomial G(X) is an array of 16 elements, set to {0x11, 0x21, 0x31, 0x41, 0xA2, 0xB2, 0xC2, 0xD2, 0x33, 0x43, 0x53, 0x63, 0x24, 0x34, 0x44, 0x54}, in which each value and its position in the array correspond to the value assigned to a strategy control module and the order in which that module is executed.
Depending on whether the index into G(X) is even or odd, the strategy algorithm differs, as shown in Fig. 5:
1) When the index into G(X) is even, taking G(X)[0] as an example: first P(X) is XORed with G(X)[0] and the result is assigned to P(X), i.e. P(X) = P(X) ^ G(X)[0]; then the updated P(X) is added to G(X)[0] and the result becomes the new P(X), i.e. P(X) = P(X) + G(X)[0]. The other even-indexed elements of G(X) are processed in the same way.
2) When the index into G(X) is odd, taking G(X)[1] as an example: first P(X) is ORed with G(X)[1] and the result is assigned to P(X), i.e. P(X) = P(X) | G(X)[1]; then the updated P(X) is XORed with G(X)[1] and the result becomes the new P(X), i.e. P(X) = P(X) ^ G(X)[1]. The other odd-indexed elements of G(X) are processed in the same way.
Likewise, in the strategy control modules that need to be monitored, each module is monitored in turn, and the G(X) value in a strategy module corresponds one to one with the element of the generator polynomial array G(X) inside the program flow monitoring function. In a module executed at an odd ordinal position (the first, third, ... module, i.e. an even array index), the head of the module executes P(X) = P(X) ^ G(X) and its tail executes P(X) = P(X) + G(X); in a module executed at an even ordinal position (an odd array index), the head executes P(X) = P(X) | G(X) and its tail executes P(X) = P(X) ^ G(X). After all modules have executed within 40 ms, the P(X) value finally produced by the strategy modules is compared with the P(X) of the monitoring function: if they are identical, all monitored strategy modules completed within 40 ms and executed in the correct order; otherwise the error counter is incremented. The error counter threshold is 7, and when the threshold is reached the system is reset.
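The P(X)/G(X) sequence check as an added C example, not code from the patent. P(X) is held in 8 bits, so the additions wrap modulo 256 (an assumption; the patent gives byte-sized values but no width); the scenarios with a swapped pair of modules and a missing module are constructed to show what the comparison catches. With that width and the G(X) array above, the reference value after all 16 modules is 0x88.

```c
#include <stdint.h>
#include <stdio.h>

#define FLOW_MODULES 16
#define FLOW_P_INIT  0x99
#define FLOW_ERR_LIMIT 7

/* Generator polynomial G(X): one value per monitored strategy control module, listed in
   the order the modules are expected to execute. */
static const uint8_t G[FLOW_MODULES] = {
    0x11, 0x21, 0x31, 0x41, 0xA2, 0xB2, 0xC2, 0xD2,
    0x33, 0x43, 0x53, 0x63, 0x24, 0x34, 0x44, 0x54
};

typedef uint8_t poly_t;   /* assumed 8-bit P(X); additions wrap modulo 256 */

/* Head and tail of module 'idx' update P(X). Even array index (odd ordinal position):
   XOR at the head, add at the tail. Odd array index: OR at the head, XOR at the tail. */
static poly_t flow_head(poly_t p, int idx)
{
    return (idx & 1) ? (poly_t)(p | G[idx]) : (poly_t)(p ^ G[idx]);
}
static poly_t flow_tail(poly_t p, int idx)
{
    return (idx & 1) ? (poly_t)(p ^ G[idx]) : (poly_t)(p + G[idx]);
}

/* Reference value computed by the monitoring function: all modules, in order. */
poly_t flow_expected(void)
{
    poly_t p = FLOW_P_INIT;
    for (int i = 0; i < FLOW_MODULES; i++) p = flow_tail(flow_head(p, i), i);
    return p;
}

/* Value produced by the strategy modules when they execute in the given order;
   each module applies its own head/tail step when it actually runs. */
poly_t flow_run(const int *order, int n)
{
    poly_t p = FLOW_P_INIT;
    for (int k = 0; k < n; k++) p = flow_tail(flow_head(p, order[k]), order[k]);
    return p;
}

typedef struct { uint8_t err; int reset; } flow_monitor_t;

/* End-of-40 ms check: compare the two P(X) values, count errors, reset at 7.
   Returns 1 when the monitored modules ran completely and in order. */
int flow_check(flow_monitor_t *m, const int *order, int n)
{
    if (flow_run(order, n) == flow_expected()) return 1;
    if (++m->err >= FLOW_ERR_LIMIT) m->reset = 1;
    return 0;
}

/* Constructed scenarios: 0 = correct order, 1 = first two modules swapped,
   2 = last module never ran. Returns 1 when the check passes. */
int flow_demo(int scenario)
{
    int order[FLOW_MODULES];
    int n = FLOW_MODULES;
    flow_monitor_t m = { 0, 0 };
    for (int i = 0; i < FLOW_MODULES; i++) order[i] = i;
    if (scenario == 1) { order[0] = 1; order[1] = 0; }
    if (scenario == 2) n = FLOW_MODULES - 1;
    return flow_check(&m, order, n);
}

int main(void)
{
    printf("expected P(X) = 0x%02X\n", flow_expected());
    for (int s = 0; s < 3; s++) printf("scenario %d: %s\n", s, flow_demo(s) ? "ok" : "mismatch");
    return 0;
}
```

Mixing a non-commutative step (the addition, which wraps in 8 bits) with the bitwise steps is what makes the check order-sensitive; a pure XOR chain would give the same final value for any permutation of the modules. The OR step discards information, so collisions between a wrong and a correct sequence are possible in principle; with only 256 possible values of P(X) that is a known limitation of an 8-bit signature, and the error counter of 7 means a single chance collision in one 40 ms cycle neither masks a persistent fault nor triggers a reset on its own.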
Ten: AD conversion detection
The purpose of AD conversion monitoring is mainly to detect the following two possible errors: 1) the AD conversion values of the two-way pedal sensor are inconsistent; 2) an AD sampled value is outside the reasonable range. As shown in Fig. 6:
1) AD conversion detection runs in a 10 ms period.
2) A separate ADC channel is used to acquire the reference voltage signal; this channel is independent of the channels for the two-way redundant pedal sensor signals.
3) The reference voltage is a fixed, preset voltage, set to 5 V.
4) The value of the reference voltage signal is obtained and checked for whether it lies within the threshold range (4.5, 5.25).
5) If the acquired value of the reference signal lies within the reasonable range, the AD acquisition of the device is considered to be free of problems; otherwise the error counter is incremented by 1. The minimum value of the error counter is 0 and its maximum threshold is 7.
These components are all already present on the vehicle; no additional components are needed. The control algorithm is integrated into the microcontroller in software, is convenient to implement and adds no extra cost. The present invention is implemented with a Freescale MPC563X series microcontroller as the master chip and the 8-bit chip MC9S08SG8 as the monitoring chip.
The algorithm of the present invention fully meets the requirements that electronic throttle safety monitoring must achieve; the mutual monitoring mechanism between the master chip and the monitoring chip improves the safety performance of automotive engine control, and the system is highly portable.
The present invention has been described above by way of example with reference to the accompanying drawings. Obviously, the implementation of the present invention is not limited to the manner described above; any improvements made using the inventive concept and technical scheme of the present invention, or their direct application without improvement to other situations, fall within the scope of protection of the present invention.

Claims (8)

1. A software implementation method of electronic throttle chip safety monitoring, characterised in that it comprises the following steps:
One, shut-off path test at power-down
The shut-off path test is performed once per driving cycle and takes place during the power-down process. The shut-off path test comprises two parts: shut-off of fuel injection and the electronic throttle by the master chip, and shut-off of fuel injection and the electronic throttle by the monitoring chip. The shut-off duration during the shut-off path test is 35 ms; if a fault occurs during the shut-off path test, the maximum number of resets is 7;
Two, test of the entire RAM at power-on
The power-on test of the RAM is executed exactly once per operating cycle:
1) in rising address order, write 0x55 to even RAM addresses and 0xAA to odd address cells;
2) verify the written RAM space, then in rising address order write 0xAA to even addresses and 0x55 to odd addresses;
3) verify the written RAM space, then write 0x00 to the RAM space in rising address order;
4) verify the content of the RAM space, then write 0xFF to the RAM space in falling address order;
5) verify the content of the RAM space, then write 0x00 to the RAM space in falling address order;
Three, periodic RAM test during normal system operation
1) read out the data in the RAM space under test and store it in another region;
2) write 0x55 into the RAM, read back the RAM content and verify that it is 0x55;
3) write 0xAA into the RAM, read back the RAM content and verify that it is 0xAA;
4) copy the saved data back into the RAM space;
Four, test of the eTPU code region (SCM) at power-on
The CHECKSUM of the binary code array generated by compiling the eTPU low-level code is computed first and stored in advance in a block of FLASH; the CHECKSUM of the code copied into the SCM is then computed, and the two are compared to check for errors;
Five, test of the eTPU data region (SDM) at power-on
1) in rising address order, write 0x55 to even RAM addresses and 0xAA to odd address cells;
2) verify the written RAM space, then in rising address order write 0xAA to even addresses and 0x55 to odd addresses;
3) verify the written RAM space, then write 0x00 to the RAM space in rising address order;
4) verify the content of the RAM space, then write 0xFF to the RAM space in falling address order;
5) verify the content of the RAM space, then write 0x00 to the RAM space in falling address order;
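The RAM pattern test of steps Two and Five (the same procedure applied to the CPU RAM and to the eTPU SDM) and the non-destructive periodic cell test of step Three, as an added C example that is not part of the patent. It runs over a host buffer standing in for the RAM window; "even/odd address" is taken as offset parity from an even-aligned base, accesses are byte-wide, the interrupt masking required by claim 3 is left to the caller, and the `ram_fault_hook`, `stuck_at_1_bit0` and `ram_demo_*` helpers are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

enum { RAM_CELL_BYTES = 64 };   /* claim 3: one 64-byte cell per 100 ms call */

/* Optional hook, called after every write pass; the self-test below uses it
 * to model a stuck-at bit. Pass NULL on a real target. */
typedef void (*ram_fault_hook)(volatile uint8_t *base, size_t len);

/* Offsets are counted from the window base, assumed even-aligned, so
 * offset parity equals address parity. */
static uint8_t pattern_for(size_t offset, uint8_t even, uint8_t odd)
{
    return (offset & 1u) ? odd : even;
}

static void fill_rising(volatile uint8_t *b, size_t n, uint8_t even, uint8_t odd)
{
    for (size_t i = 0; i < n; i++) b[i] = pattern_for(i, even, odd);
}

static void fill_falling(volatile uint8_t *b, size_t n, uint8_t v)
{
    for (size_t i = n; i-- > 0; ) b[i] = v;
}

static bool verify(volatile uint8_t *b, size_t n, uint8_t even, uint8_t odd)
{
    for (size_t i = 0; i < n; i++)
        if (b[i] != pattern_for(i, even, odd)) return false;
    return true;
}

/* Steps Two / Five: destructive power-on test of a whole RAM (or SDM) window.
 * Each verify checks the pattern written by the preceding pass. True on pass. */
bool ram_poweron_test(volatile uint8_t *base, size_t len, ram_fault_hook fault)
{
    fill_rising(base, len, 0x55, 0xAA);  if (fault) fault(base, len);   /* 1) */
    if (!verify(base, len, 0x55, 0xAA)) return false;
    fill_rising(base, len, 0xAA, 0x55);  if (fault) fault(base, len);   /* 2) */
    if (!verify(base, len, 0xAA, 0x55)) return false;
    fill_rising(base, len, 0x00, 0x00);  if (fault) fault(base, len);   /* 3) */
    if (!verify(base, len, 0x00, 0x00)) return false;
    fill_falling(base, len, 0xFF);       if (fault) fault(base, len);   /* 4) */
    if (!verify(base, len, 0xFF, 0xFF)) return false;
    fill_falling(base, len, 0x00);       if (fault) fault(base, len);   /* 5) */
    return verify(base, len, 0x00, 0x00);
}

/* Step Three: non-destructive periodic test of one cell. The caller must hold
 * interrupts disabled for the duration (claim 3); not modelled here. */
bool ram_periodic_test(volatile uint8_t *cell, size_t len, ram_fault_hook fault)
{
    uint8_t saved[RAM_CELL_BYTES];
    bool ok = true;
    if (len > RAM_CELL_BYTES) return false;
    for (size_t i = 0; i < len; i++) saved[i] = cell[i];          /* 1) save */
    fill_rising(cell, len, 0x55, 0x55);  if (fault) fault(cell, len);
    ok = ok && verify(cell, len, 0x55, 0x55);                     /* 2) */
    fill_rising(cell, len, 0xAA, 0xAA);  if (fault) fault(cell, len);
    ok = ok && verify(cell, len, 0xAA, 0xAA);                     /* 3) */
    for (size_t i = 0; i < len; i++) cell[i] = saved[i];          /* 4) restore */
    return ok;
}

/* Constructed fault: bit 0 of offset 3 (an odd address) is stuck at 1, so the
 * 0xAA written there in pass 1) reads back as 0xAB. */
void stuck_at_1_bit0(volatile uint8_t *base, size_t len)
{
    if (len > 3) base[3] |= 0x01;
}

/* Host stand-in for the RAM window under test (constructed, 128 bytes). */
uint8_t ram_window[128];

/* Fill the window with a recognisable payload and return its byte sum.
 * i ^ 0x5A permutes 0..127, so the sum is 0+1+...+127 = 8128. */
uint32_t ram_demo_fill(void)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < sizeof ram_window; i++) {
        ram_window[i] = (uint8_t)(i ^ 0x5A);
        sum += ram_window[i];
    }
    return sum;
}

uint32_t ram_demo_sum(void)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < sizeof ram_window; i++) sum += ram_window[i];
    return sum;
}
```

Each verify pass checks the pattern written by the preceding pass, so a stuck-at-1 bit at an odd address is caught in the first verify, while a stuck-at-0 bit is caught when the complementary pattern reaches it; the periodic test restores the saved contents whether or not it passes, which is what lets it run on live data.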
Six, periodic eTPU time monitoring
1) the monitoring cycle is 100 ms; the TCR1 value representing each 10 ms is computed and converted into the CPU's standard count value, from which the CPU's own count value representing 10 ms is subtracted, and so on until the 100 ms elapse; subtracting the two values yields 10 deviations, T_diff1, T_diff2, T_diff3 ... T_diff10;
2) compare these 10 deviations to obtain the maximum and minimum deviation values;
3) the maximum standard deviation threshold is set to 50, the minimum standard deviation threshold to -50, and the 100 ms accumulated standard deviation threshold to 500;
4) if the maximum deviation computed in one monitoring cycle exceeds the given maximum standard deviation threshold 50, or the minimum deviation is below the given minimum standard deviation threshold -50, the eTPU time count is judged to be abnormal;
5) the absolute values of the 10 deviations in one monitoring cycle are accumulated; if the sum exceeds the given 100 ms accumulated standard deviation threshold 500, the eTPU time count is likewise judged to be abnormal;
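The eTPU timing check of step Six as an added C example; it is not the patent's code. It assumes the caller has already converted each 10 ms TCR1 increment to CPU standard counts, uses a constructed placeholder of 10000 counts per 10 ms, and the three sample cycles are constructed. One point the constants make visible: with per-slot limits of ±50 and an accumulated limit of 500 over ten slots, rule 5) can only fire when rule 4) has already fired (ten deviations each within ±50 sum to at most 500), so the accumulated check adds margin only if the thresholds are retuned.

```c
#include <stdint.h>
#include <stdbool.h>

#define ETPU_SLOTS          10    /* ten 10 ms slots per 100 ms monitoring cycle */
#define ETPU_MAX_DEV_THRESH  50
#define ETPU_MIN_DEV_THRESH (-50)
#define ETPU_ACC_DEV_THRESH 500

typedef struct {
    int32_t dev[ETPU_SLOTS];  /* T_diff1 .. T_diff10 */
    int32_t max_dev;
    int32_t min_dev;
    int32_t acc_abs;          /* sum of |T_diff_i| over the cycle */
    bool    abnormal;
} etpu_time_result;

/* tcr1_as_cpu[i]: the eTPU's TCR1 increment over slot i, already converted to
 * CPU standard counts by the caller. cpu_per_10ms: the CPU's own 10 ms count. */
etpu_time_result etpu_time_check(const int32_t tcr1_as_cpu[ETPU_SLOTS], int32_t cpu_per_10ms)
{
    etpu_time_result r = {0};
    for (int i = 0; i < ETPU_SLOTS; i++) {
        r.dev[i] = tcr1_as_cpu[i] - cpu_per_10ms;                   /* 1) */
        if (i == 0 || r.dev[i] > r.max_dev) r.max_dev = r.dev[i];    /* 2) */
        if (i == 0 || r.dev[i] < r.min_dev) r.min_dev = r.dev[i];
        r.acc_abs += (r.dev[i] < 0) ? -r.dev[i] : r.dev[i];         /* 5) */
    }
    r.abnormal = r.max_dev > ETPU_MAX_DEV_THRESH      /* 4) */
              || r.min_dev < ETPU_MIN_DEV_THRESH
              || r.acc_abs > ETPU_ACC_DEV_THRESH;     /* 5) */
    return r;
}

/* Constructed sample cycles. CPU_PER_10MS is a placeholder, not a value from
 * the patent. */
#define CPU_PER_10MS 10000

etpu_time_result etpu_demo_healthy(void)
{   /* small jitter around the nominal count: neither rule fires */
    const int32_t s[ETPU_SLOTS] = {10003, 9998, 10000, 10005, 9996,
                                   10001, 10000, 9999, 10002, 9997};
    return etpu_time_check(s, CPU_PER_10MS);
}

etpu_time_result etpu_demo_spike(void)
{   /* one slot runs 80 counts long: the per-slot rule fires */
    const int32_t s[ETPU_SLOTS] = {10000, 10000, 10000, 10080, 10000,
                                   10000, 10000, 10000, 10000, 10000};
    return etpu_time_check(s, CPU_PER_10MS);
}

etpu_time_result etpu_demo_drift(void)
{   /* every slot runs 60 counts long: both rules fire */
    const int32_t s[ETPU_SLOTS] = {10060, 10060, 10060, 10060, 10060,
                                   10060, 10060, 10060, 10060, 10060};
    return etpu_time_check(s, CPU_PER_10MS);
}
```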
Seven, question-and-answer communication monitoring
1) the monitoring chip and the master chip run on independent clock frequencies;
2) the master chip and the monitoring chip have independent error counters;
3) for the answer to a given question, the instruction set test and the program flow check each produce a local answer; the two local answers are then added to form the final answer, which is sent to the monitoring chip;
4) questions and answers correspond one-to-one;
5) the error counter thresholds of the master chip and of the monitoring chip are both 7; when the error count reaches the threshold, the electronic throttle drive signal and the fuel injection drive signal are shut off and the system is reset;
Eight, periodic instruction set test
1) first detect whether the monitoring chip has sent a new question, i.e. check the corresponding status flag bit: if the status flag bit is 1, the function module has received a new question and proceeds to step 2); if the status flag bit is 0, proceed to step 3);
2) clear the status flag bit of the new question to 0, extract the information about the instruction set test from the question, and set the module counter corresponding to the instruction set test to 1, indicating that the first module is to be run; in addition, clear to 0 the intermediate variable that accumulates the answers of the individual modules;
3) increment the module counter of the instruction set test so as to run the modules in turn; when each module has run and computed its answer, the answers are added and assigned to the intermediate variable; check whether all modules of the instruction set test have finished running; if not, continue with the next module and compute its answer; if all modules have finished, proceed to step 4);
4) assign the intermediate variable to the local answer variable corresponding to the instruction set test; this variable value is sent, as part of the final answer, from the master chip to the monitoring chip;
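The master-chip side of the question-and-answer exchange (step Seven) together with the instruction set test state machine (step Eight), as an added C example that is not from the patent. The patent does not say what the instruction set test modules compute, so three hypothetical modules (add, xor, rotate on an operand derived from the question) stand in for them; the program-flow local answer is passed in by the caller, the serial link to the monitoring chip is replaced by return values, the monitor's one-to-one expected answer is modelled as a recomputation rather than the lookup table an 8-bit monitor would more likely hold, and the `*_demo_*` helpers are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdbool.h>

#define ISET_MODULES 3     /* assumption: number of instruction set test modules */
#define QA_ERR_LIMIT 7     /* error counter threshold, step Seven 5) */

typedef struct {
    uint8_t  new_question;  /* status flag: 1 = a new question arrived */
    uint8_t  question;      /* question received from the monitoring chip */
    uint8_t  module_idx;    /* module counter, 1-based as in step 2); 0 = idle */
    uint16_t intermediate;  /* running sum of module answers */
    uint16_t local_answer;  /* instruction-set local answer, step 4) */
    bool     answer_ready;
} iset_state;

/* Hypothetical test modules (NOT the patent's): each exercises one
 * instruction class on an operand derived from the question. */
static uint16_t iset_module(unsigned idx, uint8_t q)
{
    switch (idx) {
    case 1:  return (uint16_t)(q + 0x3C);                          /* add    */
    case 2:  return (uint16_t)(q ^ 0xA5);                          /* xor    */
    case 3:  return (uint16_t)(uint8_t)((q << 1) | (q >> 7));      /* rotate */
    default: return 0;
    }
}

/* The communication layer hands over a question: raise the status flag. */
void iset_receive_question(iset_state *s, uint8_t q)
{
    s->question = q;
    s->new_question = 1;
}

/* One invocation of the 40 ms instruction set test task (step Eight). */
void iset_task_40ms(iset_state *s)
{
    s->answer_ready = false;
    if (s->new_question) {          /* 1) flag is 1 -> step 2) */
        s->new_question = 0;        /* 2) clear flag, start at module 1, zero the sum */
        s->module_idx = 1;
        s->intermediate = 0;
    }
    if (s->module_idx == 0) return; /* no question outstanding */
    while (s->module_idx <= ISET_MODULES) {            /* 3) run modules in turn */
        s->intermediate += iset_module(s->module_idx, s->question);
        s->module_idx++;
    }
    s->local_answer = s->intermediate;                 /* 4) publish local answer */
    s->module_idx = 0;
    s->answer_ready = true;
}

/* Step Seven 3): final answer sent to the monitoring chip. */
uint16_t qa_final_answer(uint16_t iset_local, uint16_t pflow_local)
{
    return (uint16_t)(iset_local + pflow_local);
}

/* Monitoring-chip side, step Seven 4): one expected answer per question. */
uint16_t qa_expected(uint8_t q, uint16_t pflow_expected)
{
    uint16_t sum = 0;
    for (unsigned i = 1; i <= ISET_MODULES; i++) sum += iset_module(i, q);
    return (uint16_t)(sum + pflow_expected);
}

/* Step Seven 5): the monitor's own error counter. True when the threshold is
 * reached and throttle/injection drive must be cut and the system reset. */
bool qa_judge(uint16_t received, uint16_t expected, unsigned *err_counter)
{
    if (received == expected) return false;
    if (*err_counter < QA_ERR_LIMIT) (*err_counter)++;
    return *err_counter >= QA_ERR_LIMIT;
}

/* Demo: deliver question q, run one 40 ms task, return the local answer. */
uint16_t iset_demo_answer(uint8_t q)
{
    iset_state s = {0};
    iset_receive_question(&s, q);
    iset_task_40ms(&s);
    return s.answer_ready ? s.local_answer : 0xFFFF;
}

/* Demo: the task with no question pending must not publish an answer. */
bool iset_demo_idle_publishes(void)
{
    iset_state s = {0};
    iset_task_40ms(&s);
    return s.answer_ready;
}

/* Demo: n consecutive wrong answers; returns whether the last one forced a reset. */
bool qa_demo_mismatches(unsigned n)
{
    unsigned counter = 0;
    bool reset = false;
    for (unsigned i = 0; i < n; i++) reset = qa_judge(0x0000, 0x0001, &counter);
    return reset;
}
```

The error counter lives on the monitoring chip and is independent of the master's (step Seven 2)), so a master that is wedged but still emitting stale answers is caught on the monitor side; the independent clocks in step Seven 1) are what make that separation meaningful.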
Nine, periodic program flow detection
the monitoring cycle of the program flow is 40 ms; an original polynomial P(X) and a generator polynomial G(X) used for verification are set, where the initial value of P(X) is 0x99; the generator polynomial G(X) is an array of 16 elements with the values {0x11, 0x21, 0x31, 0x41, 0xA2, 0xB2, 0xC2, 0xD2, 0x33, 0x43, 0x53, 0x63, 0x24, 0x34, 0x44, 0x54}, each value and its position in the array being the value assigned to the corresponding strategy control module and its execution order;
Ten, periodic AD conversion detection
1) AD conversion detection runs in the 10 ms task;
2) a separate ADC channel is used to sample the reference voltage signal; this channel is independent of the channels for the two redundant pedal sensor signals;
3) the reference voltage is a fixed, preset voltage, set to 5 V;
4) the value of the reference voltage signal is read and checked to lie within the threshold range (4.5, 5.25);
5) if the sampled value of the reference signal is within the reasonable range, the AD acquisition of the device is considered fault-free; otherwise the error counter is incremented by 1.
2. The software implementation method of electronic throttle chip safety monitoring according to claim 1, characterised in that the hardware requirements and implementation of the shut-off paths are:
1) shut-off path of the master chip to fuel injection: the fuel injection output is controlled via the output enable pin of the MC33810, or the fuel injection output is set directly to 0 by software;
2) shut-off path of the master chip to the electronic throttle: the electronic throttle drive is shut off via the DIS pin of the TLE8209, or the electronic throttle drive signal is simply not output by software;
3) shut-off path of the monitoring chip to fuel injection: the fuel injection output is controlled via the output enable pin of the MC33810;
4) shut-off path of the monitoring chip to the electronic throttle: the electronic throttle drive is shut off via the ABE pin of the TLE8209.
3. The software implementation method of electronic throttle chip safety monitoring according to claim 1 or 2, characterised in that the period of the periodic RAM test is 100 ms; in the periodic RAM test the RAM is divided into many small cells of 64 bytes each, and each invocation tests one such cell; interrupts are disabled during the test to prevent other tasks from changing the RAM content while it is under test.
4. The software implementation method of electronic throttle chip safety monitoring according to claim 1, characterised in that the eTPU and the CPU are independent compilation platforms, and at system run time the eTPU code is held in RAM in the form of a compiled binary array.
5. The software implementation method of electronic throttle chip safety monitoring according to claim 1, characterised in that time in the eTPU is represented by the time count register (TCR1).
6. The software implementation method of electronic throttle chip safety monitoring according to claim 1, characterised in that the question-and-answer communication runs periodically with a period of 80 ms.
7. The software implementation method of electronic throttle chip safety monitoring according to claim 1, characterised in that the test period of the instruction set test is 40 ms, and each module belonging to the instruction set test must be called once.
8. The software implementation method of electronic throttle chip safety monitoring according to claim 1, characterised in that the minimum value of the error counter in step 5) of the periodic AD conversion detection is 0 and its maximum threshold is 7.
CN201610024392.4A 2016-01-13 2016-01-13 A kind of software implementation method of electronic throttle chip secure monitoring Active CN105760253B (en)

Publications (2)

Publication Number Publication Date
CN105760253A CN105760253A (en) 2016-07-13
CN105760253B true CN105760253B (en) 2018-08-10

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107256012B (en) * 2017-05-02 2020-01-21 北京欧鹏巴赫新能源科技股份有限公司 Method for realizing multi-task monitoring by using CIC61508 dog feeding mechanism
CN109271288B (en) * 2017-07-17 2021-09-21 展讯通信(上海)有限公司 Method for evaluating performance of processor before silicon
CN108153285B (en) * 2017-12-28 2020-12-15 上汽通用五菱汽车股份有限公司 Automobile safety monitoring method, device, storage medium and system
TWI688861B (en) * 2018-09-18 2020-03-21 新唐科技股份有限公司 Data processing apparatus and data protection method thereof
CN113296430B (en) * 2021-04-13 2022-10-18 东风汽车集团股份有限公司 Method and system for monitoring logical operation data flow fault of master-slave chip processing unit
CN113608951B (en) * 2021-07-27 2023-10-03 际络科技(上海)有限公司 Chip state detection method and system, electronic device and readable storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH06175990A (en) * 1992-12-08 1994-06-24 Fujitsu Ltd Interprocessor communication testing method
CN101533376A (en) * 2008-03-12 2009-09-16 通用汽车环球科技运作公司 Securing safety-critical variables
CN201587405U (en) * 2010-01-12 2010-09-22 同济大学 Entire vehicle controller based on MPC 555 in hybrid urban motor bus
CN202402149U (en) * 2011-12-16 2012-08-29 中国第一汽车股份有限公司 ECU safety monitoring module of natural gas engine

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant