Functional safety is a key issue for automotive devices, in particular automotive devices used in vehicles. With increasing technological complexity, software content and mechatronic implementation, there is an increasing risk from systematic failures and random hardware failures. Electronic Control Units (ECUs) are provided within a vehicle to perform all kinds of different functions. These Electronic Control Units comprise microcontroller units (MCUs) or microprocessors to control devices for performing these different functions. There is a risk that a microcontroller unit of the ECU has a malfunction. In conventional ECUs, external control units, so-called external watchdogs (WD), have been used to increase functional safety with respect to a specific function provided by the microcontroller of the ECU and its peripheral components. For example, a conventional system can include an external watchdog unit that monitors clock frequencies. Single-microprocessor fail-safe systems are able to detect critical failures and to bring the system into a safe state.
JP-A-2004-265322 discloses a failure monitoring apparatus with a watchdog for microcomputers, which is capable of monitoring a faulty operation of the MCU. The WD monitors any anomaly in the MCU and further counts the number of times anomalous operations of the MCU occur. As long as the number of occurrences of the anomalous operation is smaller than a reference number of times, the WD generates a pulsed reset signal and tries to restore the MCU to the normal state. If the number of occurrences of the anomalous operation exceeds the reference number of times, the WD generates a reset hold signal and stops the control by the MCU.
However, if the controlled object of the microcomputer is an electric motor, it is stopped immediately when an anomalous operation occurs in the microcomputer. In the case of steering assistance in an electric power steering apparatus, this leads to a sudden loss of assistance. This is very unpleasant for the driver, because the steering response is unusual, which makes the vehicle difficult to steer.
Conventional solutions for fail-safe steering assistance systems are thus fully redundant systems with two or more microprocessors, which are expensive.
US 2015/01178144 A1 discloses a watchdog that detects an anomalous operation of the MCU, a failsafe control device that executes a failsafe control operation, a first reset device that outputs a reset signal for resetting the MCU for a predetermined time, a counting device that counts the number of times the anomalous operation occurs, and a second reset device that outputs the reset signal and holds the output of the reset signal when the number of occurrences reaches a predetermined number of times. When an anomalous operation occurs in the MCU, the operation is restored to the normal state by a reset signal, and failsafe control is carried out as control by the MCU. In the failsafe control, the controlled object is controlled to the safety side, so that even when an anomaly occurs in normal control, an anomaly may not occur in failsafe control. Therefore, it is possible to enhance the possibility that control by the MCU will be continued as much as possible with safety taken into account.
A disadvantage is that the state variables are lost during reset.
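The counting and reset behaviour described for the prior-art watchdogs above, and the loss of state it causes, can be modelled as follows. This is an added illustration, not code from either cited document; all names are hypothetical, and a missed watchdog service per control period is assumed as the anomaly criterion.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added illustration; all names are hypothetical, not from the cited documents. */
enum wd_action { WD_PULSE_RESET, WD_RESET_HOLD };

struct mcu {
    bool held;         /* reset output held: control by the MCU is stopped */
    bool failsafe;     /* restarted into failsafe control after a pulsed reset */
    int  assist_state; /* stand-in for a control state variable kept in RAM */
};

/* Counting device: pulse below the predetermined number, hold on reaching it. */
static enum wd_action wd_on_anomaly(unsigned *count, unsigned limit)
{
    return (++*count >= limit) ? WD_RESET_HOLD : WD_PULSE_RESET;
}

static void mcu_reset(struct mcu *m, enum wd_action a)
{
    m->assist_state = 0;               /* state variables are lost on any reset */
    m->held = (a == WD_RESET_HOLD);
    m->failsafe = (a == WD_PULSE_RESET);
}

/* serviced[i] is false when the MCU missed its watchdog service in period i
 * (assumed anomaly criterion). Returns the period in which the reset is held,
 * or -1 if the MCU is still in control after n periods. */
int simulate(const bool *serviced, int n, unsigned limit, struct mcu *m)
{
    unsigned count = 0;
    for (int i = 0; i < n; i++) {
        m->assist_state++;             /* control loop accumulates state */
        if (serviced[i])
            continue;
        mcu_reset(m, wd_on_anomaly(&count, limit));
        if (m->held)
            return i;
    }
    return -1;
}

int main(void)
{
    const bool trace[] = {1, 1, 0, 1, 0, 1, 1, 0, 1}; /* constructed input */
    struct mcu m = {0};
    int held_at = simulate(trace, 9, 3, &m);
    printf("held at period %d, state=%d\n", held_at, m.assist_state);
    return 0;
}
```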
Thus, a need exists for an electric power steering apparatus with a failsafe MCU, which continues electronic control in a safe and user-friendly way, even if a failure occurs in the operation of the MCU.