1. Field of the Invention
The present invention relates to a communication control system comprising a plurality of control units and to a failure supervising method. More particularly, it relates to a communication control system that has a function to detect a failure and perform a fail-safe when a failure occurs in at least one of said control units, and to a failure supervising method for realizing the fail-safe function.
2. Prior Art
When a failure occurs in at least one of the control units within a conventional communication control system comprising a plurality of control units, the faulty control unit performs a systematic fail-safe by turning on its own warning lamp to inform the user of the failure, by cutting off the control signal transmission to an actuator, or by shutting off the power supply to an actuator control unit. As regards a communication signal failure, a specific important control signal is combined with a hardware signal to form a redundancy system, and the resulting signal combination is compared against a communication signal to assure reliability.
A method for supervision at the inter-CPU level within a control unit is disclosed in Japanese Patent Laid-open No. 11-190251, etc. A method for realizing a fail-safe mechanism of a backup IC is disclosed in Japanese Patent Laid-open No. 8-147001, etc. A method for supervising a microcomputer (CPU) failure by a peripheral IC is disclosed in Japanese Patent Laid-open No. 2001-312325.
As communication control systems come into more widespread use in all industrial fields, they are more frequently used as distributed control systems. In an automobile equipped with a conventional communication control system comprising a plurality of control units, for instance, a warning lamp is mounted on the meter panel to inform the driver of a failure when a failure occurs in at least one of the control units. The warning lamp is turned on by the control unit in which the failure exists.
However, when the idea of distributed control is adopted, the meter unit is incorporated into the communication system so that the faulty unit transmits a failure signal to the meter unit. The meter unit detects the failure signal and turns on a warning lamp. Further, in an ACC (Adaptive Cruise Control) system, the ACC control unit does not directly drive a throttle actuator or brake actuator for vehicle travel control, but transmits a torque command value and a brake liquid pressure command value to an engine control unit and a brake control unit, respectively, via a communication bus. The respective control units then drive the throttle and brake in accordance with the received data.
A problem here is that the data exchanged between the component units of the communication control system is transmitted and received via the microcomputer within each control unit. To put it concretely, if a failure occurs in the microcomputer or a peripheral, a failure in one control unit cannot always be accurately transmitted to another control unit. As a result, the system may continue operating while a control failure remains present.