This invention relates to a microprocessor runaway monitoring control circuit for an electronic control unit with a built-in microprocessor (CPU), used for example for control of an engine in an automotive vehicle. The circuit improves safety by performing diagnosis on the watchdog timer circuit that monitors the microprocessor for runaway.
Generally, a runaway monitoring circuit for monitoring runaway of a microprocessor is provided on the same circuit board as the microprocessor and in its proximity, and one runaway monitoring circuit is connected to each microprocessor. However, as shown in Japanese Patent Laid-Open No. H.5-81222, “2-CPU Operation Monitoring Method” (Related Art 1), sometimes one runaway monitoring circuit (watchdog timer) is provided for two microprocessors.
As long as a microprocessor is normal, the runaway monitoring circuit monitoring it will never operate; but if the microprocessor does ever become abnormal and the runaway monitoring circuit then fails to operate, there may be serious danger. Thus the reliability of a runaway monitoring circuit is extremely important. Not only are strict tests carried out in product pre-shipping inspections as a matter of course, but preferably self-diagnosis is also carried out while the microprocessor and the runaway monitoring circuit are actually operating.
A related-art runaway monitoring control circuit with this kind of self-diagnostic capability is disclosed, for example, in Japanese Patent Laid-Open No. 2000-104622, “Electronic Control Unit” (Related Art 2). In Related Art 2, the reset signal output of a watchdog timer, which is normally connected to the reset terminal of the microprocessor being monitored, is switched to an input terminal for diagnostic monitoring use; the microprocessor intentionally alters the period of the watchdog clearing signal which it supplies to the watchdog timer; and the microprocessor itself diagnoses whether or not the watchdog timer operates.
In Japanese Patent Laid-Open No. H.6-149604, “Multiplexed System” (Related Art 3), duplex control is carried out by a pair of microprocessors, to each of which a watchdog timer is connected. When the operation of one of the watchdog timers is to be diagnosed, a switch is made to uniplex control based on the control outputs of only the microprocessor whose watchdog timer is not being diagnosed, so that control can be continued even if the microprocessor whose watchdog timer is being diagnosed stops.
(1) Explanation of the Problem in the Prior Art
However, there are certain problems associated with the related art described above. In circuits such as that of Related Art 1, where a watchdog timer for runaway monitoring is simply connected to a microprocessor, there are the following kinds of safety issues.
The states of operation of a watchdog timer can be categorized as follows: normal non-operation, wherein the watchdog timer does not operate because the microprocessor is operating normally; normal operation, wherein the watchdog timer resets the microprocessor because the microprocessor is abnormal; active failure, wherein the watchdog timer tries to reset the microprocessor notwithstanding that the microprocessor is operating normally; and passive failure, wherein the watchdog timer fails to reset the microprocessor notwithstanding that the microprocessor is abnormal. Among these, the problematic aspects are the danger (loss of runaway monitoring function) associated with passive failure of the watchdog timer, and unintentional resetting of the microprocessor caused by active failure.
In this respect, even the runaway monitoring control circuit of Related Art 2 has shortcomings: if there is an abnormality in the switching circuit which switches the output signal for resetting the microprocessor, there is a danger that it will become impossible for the microprocessor to be reset; and if the microprocessor runs away while diagnosing the watchdog timer, again the microprocessor will not be reset.
In the case of Related Art 3, which is based on a completely duplex system, safety is high, but there is the shortcoming that self-diagnostic reliability measures become necessary for additional circuits such as the comparator circuits and switching circuits for the output signals of the pair of microprocessors.
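The self-diagnosis described for Related Art 2 and the active/passive failure categories above can be illustrated with a small simulation. This is an added example, not part of the patent text; the watchdog model, the fault names, the 100 ms timeout and every function name are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed model for illustration; names and timings are assumptions. */
typedef enum { WDT_HEALTHY, WDT_STUCK_INACTIVE, WDT_STUCK_ACTIVE } wdt_fault_t;
typedef enum { DIAG_OK, DIAG_ACTIVE_FAILURE, DIAG_PASSIVE_FAILURE } diag_result_t;
typedef struct {
    uint32_t timeout_ms;   /* reset asserted if no clear pulse within this window */
    uint32_t since_clear;  /* ms elapsed since the last clear pulse */
    wdt_fault_t fault;     /* injected hardware fault */
} wdt_t;

/* Advance the timer by 1 ms; returns the level of the reset output. */
static bool wdt_tick(wdt_t *w, bool clear) {
    w->since_clear = clear ? 0 : w->since_clear + 1;
    if (w->fault == WDT_STUCK_ACTIVE)   return true;   /* resets a healthy CPU */
    if (w->fault == WDT_STUCK_INACTIVE) return false;  /* never resets */
    return w->since_clear >= w->timeout_ms;
}

/* Run `ms` ticks, clearing every `period` ms; reset is read on a diagnostic input. */
static bool run_phase(wdt_t *w, uint32_t ms, uint32_t period) {
    bool seen = false;
    w->since_clear = 0;
    for (uint32_t t = 1; t <= ms; t++)
        seen |= wdt_tick(w, period != 0 && t % period == 0);
    return seen;
}

diag_result_t wdt_self_diagnose(wdt_t *w) {
    /* Phase 1: clear well inside the timeout; any reset is an active failure. */
    if (run_phase(w, 4 * w->timeout_ms, w->timeout_ms / 2))
        return DIAG_ACTIVE_FAILURE;
    /* Phase 2: stretch the clear period past the timeout; no reset is a passive failure. */
    if (!run_phase(w, 2 * w->timeout_ms, 3 * w->timeout_ms))
        return DIAG_PASSIVE_FAILURE;
    return DIAG_OK;
}

diag_result_t diagnose_with_fault(wdt_fault_t fault) {
    wdt_t w = { .timeout_ms = 100, .since_clear = 0, .fault = fault };
    return wdt_self_diagnose(&w);
}

int main(void) {
    for (int f = WDT_HEALTHY; f <= WDT_STUCK_ACTIVE; f++)
        printf("fault %d -> result %d\n", f, (int)diagnose_with_fault((wdt_fault_t)f));
    return 0;
}
```

The model assumes the diagnosing microprocessor itself stays healthy throughout both phases, so it does not cover the case raised for Related Art 2 in which the microprocessor runs away while the reset output is switched to the diagnostic input.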