1. Field of the Invention
The present invention relates to an apparatus and a method for diagnosing failures in a control system and in particular to an apparatus and method for diagnosing failures arising in a plurality of control units provided in the control system.
2. Description of Related Art
Conventional methods for diagnosing failures generated in a control system are disclosed in Japanese Laid-Open Patent publication No. 61-107,436 and the like. In conventional methods, the control system is provided with a self-diagnostic function. When the self-diagnostic function diagnoses a failure in the control system, the system stops processing an output so as to prevent the control system from erroneous operation owing to the failure.
There is known another conventional method for diagnosing failures in a control system in which failures are diagnosed during the operation of the control system. This conventional method employs a so-called watchdog which monitors a processing time and then diagnoses a failure when the processing time is outside a predetermined range. The watchdog is either an internal watchdog for monitoring the processing time with software or an external watchdog for monitoring the processing time with software and hardware.
A motor vehicle is provided with important control systems such as a four wheel steering control system (4WS) and an anti-skid braking control system (ABS). Each important control system is provided with a plurality of control units, each of which can carry out a control operation even if another control unit breaks down, so that good reliability can be maintained.
The above-mentioned watchdog method can be applied to a control system including a plurality of control units. Watchdogs are provided in the respective control units in the control system. The watchdogs monitor each other's processing times and then diagnose failures. However, according to the conventional methods, with such watchdog functions, failures in a control system can not be diagnosed when the following failures occur simultaneously:
a failure in which all of the control units break down owing to power supply fluctuation or presence of strong field noise;
a failure which can not be diagnosed by a watchdog, such as a failure which arises when a process with a failure which is to be detected is carried out in the watchdog timer; and
a failure which can not be mutually monitored by the watchdogs, such as a failure that passes through the mutual monitoring program.
Although the above-mentioned failures occur very infrequently, such failures need to be monitored and diagnosed in a control system requiring high reliability.
Further, a watchdog can not diagnose a failure in the control system until the processing time, for example one cycle of the control operation, has passed, since the watchdog monitors the processing time in every control cycle of the control operation.
Since the above-mentioned conventional method using the watchdog only compares the values of timers, its applications are limited to specific fields.
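The limits described above can be reproduced with a small model of two control units whose watchdogs monitor each other's processing times. This is an added example, not part of the patent text; the window bounds, the TIMEOUT reading, the unit_t fields and the sample units are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

#define T_MIN   8    /* assumed window bounds, in timer ticks */
#define T_MAX   12
#define TIMEOUT 1000 /* assumed timer reading when a unit never finishes */

typedef struct {
    bool alive;      /* false: unit has broken down and runs no code */
    int  proc_time;  /* ticks taken by its last control cycle */
    bool output_ok;  /* correctness of its result; no watchdog reads this */
} unit_t;

/* Constructed sample units. */
static const unit_t OK      = { true,  10, true  };
static const unit_t OVERRUN = { true,  20, true  };
static const unit_t DEAD    = { false,  0, false };
static const unit_t WRONG   = { true,  10, false }; /* bad result, normal timing */

/* Processing time of u as measured by its peer's timer. */
static int observed_time(const unit_t *u)
{
    return u->alive ? u->proc_time : TIMEOUT;
}

/* Watchdog run on `monitor` against `target`: true when a failure is diagnosed. */
static bool watchdog(const unit_t *monitor, const unit_t *target)
{
    if (!monitor->alive)
        return false;               /* a dead unit cannot run its watchdog */
    int t = observed_time(target);
    return t < T_MIN || t > T_MAX;  /* only timer values are compared */
}

/* One cycle of mutual monitoring. Bit 0: A diagnosed failed; bit 1: B diagnosed failed. */
static int diagnose(unit_t a, unit_t b)
{
    return (watchdog(&b, &a) ? 1 : 0) | (watchdog(&a, &b) ? 2 : 0);
}

int main(void)
{
    printf("healthy pair       : %d\n", diagnose(OK, OK));
    printf("A overruns         : %d\n", diagnose(OVERRUN, OK));
    printf("A broken down      : %d\n", diagnose(DEAD, OK));
    printf("both broken down   : %d\n", diagnose(DEAD, DEAD));
    printf("A wrong, in window : %d\n", diagnose(WRONG, OK));
    return 0;
}
```

A result of 0 for the last two cases shows the gap: a simultaneous breakdown leaves no watchdog running, and a fault that keeps the processing time inside the window is invisible to a check that compares only timer values.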