1. Field of the Invention
This invention relates to a fail-safe mechanism for stopping electrical systems, e.g. a rear-wheel steering gear, mounted in a vehicle to counter a failure occurring in the electrical system.
2. Description of Related Art
Regarding the control of driving motors of rear-wheel steering gears and hydraulic type control valves, a system is typically stopped upon occurrence of a failure. However, for safety of the vehicle, the system must sometimes not be recovered during the vehicle's travel. For this purpose, a CPU is provided with a self-diagnostic circuit to check whether or not the control program operates normally. When the self-diagnostic circuit detects an abnormal condition in the control program, the CPU outputs a failure signal to turn off a switch provided between a driver circuit and a driving power source. The switch is designed to remain connected whenever it does not receive the failure signal from the CPU, and to disconnect upon receiving the failure signal.
Alternatively, a plurality of CPUs are provided for determining whether or not a CPU normally controls the driving of the motor of the rear-wheel steering gear or the hydraulic type control valves. If the operation of one CPU differs from that of the other CPUs, the differently operating CPU is determined to be abnormal and is stopped from controlling.
As explained above, in the event that the self-diagnostic circuit detects an error and the switch between the driving power source and the driver circuit is turned off, if the failure signal stops being output for any reason, the switch turns on and re-feeds electric power to the driver circuit. Alternatively, even though the control program is corrupted, the failure signal may be interrupted, and signals may be output as if the control program were operating normally.
If such events are repeated, the control is alternately valid and invalid during travelling. This may result in unstable conditions of the running vehicle. Moreover, repeated ON/OFF switching of the driving signal may cause failures of the control mechanism or of the systems being controlled.
On the other hand, if stopping the CPU due to the detection of abnormality leads to stopping the rear-wheel steering gears or the like, a variety of difficulties may often be produced.
It is an object of the present invention to provide a fail-safe mechanism that cuts off the electric power supply to a driver circuit to reliably stop a system when a failure is detected in the system, and that does not allow electric power to be supplied to the driver circuit unless the driving power source is restarted.
It is another object of the present invention to provide a fail-safe mechanism that detects an abnormality of a control system by its own CPU rather than by other CPUs, and allows a standby control system to automatically continue the control of the apparatus after the control system is stopped due to the abnormality.
In accordance with a first aspect of the present invention, a fail-safe mechanism includes: a driver circuit for controlling driving of an electrical system of a vehicle; a controller controlling the driver circuit in accordance with a control program; a driving power source feeding electric current to the driver circuit; a main switch circuit connected between the driving power source and the driver circuit; a sub switch circuit connected between the driving power source and the main switch circuit to control the ON/OFF switching of power applied from the driving power source to the main switch circuit, and maintaining an OFF state in normal times; a timer circuit allowing the sub switch circuit to be fed with electric current for a predetermined time period after the driving power source is turned on; a failure detector circuit connected between the main switch circuit and the controller; and a sub switch control means provided in shunt with the driver circuit downstream from the main switch circuit, bringing the sub switch circuit to an ON state while electric current is fed to the driver circuit, and bringing the sub switch circuit to an OFF state when the feeding of electric current to the driver circuit is cut off. The fail-safe mechanism is further characterized in that when the failure detector circuit detects an abnormal condition of the controller, the main switch circuit is turned OFF to interrupt the electric current passing from the driving power source to the driver circuit.
Predicated on the first aspect, a feature in accordance with a second aspect of the present invention is that the sub switch circuit includes a first switch and a second switch connected in parallel, the first switch being controlled by the timer circuit, and the second switch being controlled by the sub switch control means.
Predicated on the above aspect, a feature in accordance with a third aspect of the present invention is that the failure detector circuit includes a plurality of watchdog timers and an AND circuit, each of the watchdog timers receiving a failure detection signal output from a respective control program, and the AND circuit receiving an output signal from each watchdog timer and sending its output signal to the main switch circuit.
According to the first to third aspects, when an abnormal condition occurs in the system whose driving is controlled by the CPU, the feeding of the driving power source to the driver circuit is stopped to stop the system, and moreover the electric current is not fed to the driver circuit unless the driving power source is restarted. Accordingly, the system is reliably prevented from, for example, recovering during the vehicle's travel.
According to the third aspect, particularly, the abnormalities of a plurality of control programs are individually detected, and even if only one abnormality among them is detected, the system can be stopped, resulting in further reliable prevention of malfunctions of the system.
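The latching behaviour of the first and second aspects can be followed tick by tick in the model below, which is an added illustration and not part of the patent text. The struct and function names, the tick-based timing and the 3-tick timer period are assumptions; the failure detector output is reduced to a single boolean.

```c
/* Added illustration, not from the patent: tick-based model of the latch-off
 * behaviour. All names and the 3-tick timer period are assumptions. */
#include <stdbool.h>
#include <stdio.h>
#define TIMER_TICKS 3            /* assumed "predetermined time period" */
struct failsafe {
    int  timer_left;             /* ticks the timer circuit keeps switch 1 on */
    bool driver_fed;             /* driver circuit was fed in the previous tick */
};

/* Turning the driving power source on (re)starts the timer circuit. */
static void power_on(struct failsafe *f) {
    f->timer_left = TIMER_TICKS;
    f->driver_fed = false;
}

/* One tick; controller_ok is the failure detector output (true = normal).
 * Returns whether the driver circuit is fed with current in this tick. */
static bool step(struct failsafe *f, bool controller_ok) {
    bool sw1 = f->timer_left > 0;    /* first switch: timer circuit */
    bool sw2 = f->driver_fed;        /* second switch: held on by the driver feed */
    if (f->timer_left > 0)
        f->timer_left--;
    /* Sub switch = sw1 in parallel with sw2; main switch opens on failure. */
    f->driver_fed = (sw1 || sw2) && controller_ok;
    return f->driver_fed;
}

/* Bit i of the result is set if the driver was fed in tick i.
 * restart_at is the tick at which power is cycled, or -1 for never. */
static unsigned run(const bool *ok, int n, int restart_at) {
    struct failsafe f;
    unsigned fed = 0;
    power_on(&f);
    for (int i = 0; i < n; i++) {
        if (i == restart_at)
            power_on(&f);
        if (step(&f, ok[i]))
            fed |= 1u << i;
    }
    return fed;
}

int main(void) {
    /* Constructed input: failure at tick 5, failure signal lost from tick 6. */
    const bool ok[10] = {1, 1, 1, 1, 1, 0, 1, 1, 1, 1};
    printf("no restart:   0x%03x\n", run(ok, 10, -1));
    printf("restart at 8: 0x%03x\n", run(ok, 10, 8));
    return 0;
}
```

In this model a failure that clears while the timer is still running is not latched, because the first switch still feeds the main switch; the latch holds once the timer period has elapsed.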
A feature in accordance with a fourth aspect of the present invention is that a fail-safe mechanism includes first and second control systems controlling driving of an electrical system of a vehicle, and each of the first and second control systems includes: a driver circuit connected with the electrical system of the vehicle; a CPU controlling the driver circuit; a driving power source feeding electric current to the driver circuit; a switch circuit connected between the driving power source and the driver circuit; and a CPU failure-detecting feature connected between the switch circuit and the driver circuit, and detecting an abnormal condition of the CPU from an output signal sent from the CPU, wherein when the CPU of one of the first and second control systems outputs a failure signal during the operation of the one control system, the CPU failure-detecting feature of the one control system outputs a turn-off instruction to the switch circuit of the one control system, and the one control system sends a signal, representing the stopping of the feeding of electric current to the driver circuit, to the CPU of the other control system to allow the other control system receiving the signal to start the driving-control.
According to the fourth aspect, the two control systems are provided. When one control system is stopped, the other control system operates to continue the control operation. In addition, it is possible to detect the abnormality occurring in the one control system without using the CPU of the other control system.
When the abnormal condition occurs, the feeding of the driving power source to the driver circuit is stopped to stop the system, and moreover the electric current is not fed to the driver circuit unless the driving power source is turned on again. Accordingly, the system is reliably prevented from, for example, recovering during travelling of the vehicle.
In addition, it is unnecessary to employ a conventional logic based on majority rule using more than three CPUs, resulting in a simple and low-cost system configuration.
Predicated on the fourth aspect, a feature in accordance with a fifth aspect of the present invention is that the CPU failure-detecting feature includes a plurality of watchdog timers and an AND circuit, each of the watchdog timers receiving a failure detection signal output from a respective control program in the CPU, and the AND circuit receiving an output signal from each watchdog timer and sending its output signal to the switch circuit.
According to the fifth aspect, the abnormalities of a plurality of control programs are individually detected, and even if only one abnormality among them is detected, the system can be stopped, resulting in further reliable prevention of malfunctions of the system.
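The handover of the fourth aspect, with the watchdog and AND detector of the fifth aspect, is sketched below as an added illustration that is not part of the patent text. The names, the per-tick pulse model of the watchdog timers, the two programs per CPU and the timeout value are assumptions.

```c
/* Added illustration (assumed names/timings): dual control systems, handover. */
#include <stdbool.h>
#include <stdio.h>
#define NPROG 2                  /* control programs per CPU (assumed) */
#define WD_TIMEOUT 2             /* ticks without a pulse before timeout (assumed) */
struct ctl {
    int  wd_age[NPROG];          /* ticks since each program last pulsed */
    bool switch_on;              /* switch between power source and driver */
    bool controlling;            /* this system's CPU drives the actuator */
};
/* Feed this tick's pulses to the watchdogs. The AND circuit output is true
 * only while every watchdog is still within its timeout. */
static bool detector_ok(struct ctl *s, const bool *pulse) {
    bool all_ok = true;
    for (int i = 0; i < NPROG; i++) {
        s->wd_age[i] = pulse[i] ? 0 : s->wd_age[i] + 1;
        if (s->wd_age[i] >= WD_TIMEOUT)
            all_ok = false;
    }
    return all_ok;
}

/* One tick for the active system. On failure it opens its own switch and
 * signals the standby CPU, which starts the driving control. */
static void step(struct ctl *act, struct ctl *stby, const bool *pulse) {
    if (!act->controlling || detector_ok(act, pulse))
        return;                  /* already stopped, or still healthy */
    act->switch_on = false;
    act->controlling = false;
    stby->controlling = stby->switch_on;
}

/* Program 1 of system A stops pulsing from tick stall_from (constructed
 * scenario). Returns the tick at which system B took over, or -1. */
static int handover_tick(int nticks, int stall_from) {
    struct ctl a = {{0}, true, true}, b = {{0}, true, false};
    for (int t = 0; t < nticks; t++) {
        bool pulse[NPROG] = {true, t < stall_from};
        step(&a, &b, pulse);
        if (b.controlling)
            return t;
    }
    return -1;
}

int main(void) {
    printf("standby took over at tick %d\n", handover_tick(10, 3));
    return 0;
}
```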