1. Field of the Invention
This invention relates to monitoring system for electronic control unit containing microcomputers.
2. Description of the Prior Art
Conventionally, for example, monitoring system for electronic control unit for vehicles as shown in FIGS. 1 and 2 has been known (see Japanese Patent Application Laid-Open Nos. 54-56740 and 4-291634 in which the same types of inventions are proposed).
FIG. 1 shows a configuration of a conventional monitoring system for electronic control unit and FIG. 2 shows a time chart of respective signals at the time when that system is operative.
A microcomputer (hereinafter referred to as CPU) 101 outputs a program run signal (hereinafter referred to as PRUN signal) having a predetermined cycle to a watch dog timer (hereinafter referred to as WDT) 2. The WDT 2 monitors that the PRUN signal is being output properly, that is, that duty ratio, frequency, pulse width and the like are proper, that is, that continuity of the PRUN signal is maintained. Referring to FIG. 2, signal A indicates an output signal of a power ON reset generation circuit 6 for initializing the CPU 101. During an operation of the system, the signal A is usually at high (H) level.
If the CPU 101 runs away, the PRUN signal changes relative to a state in which the duty ratio, frequency and the like are proper. Thus, the WDT 2 detects an abnormality in PRUN signal and outputs a PRUN abnormality signal (indicated by the signal C in FIG. 2) to a reset generation circuit 3. If the reset generation circuit 3 receives a PRUN abnormality signal from the WDT 2, it generates reset pulses having a predetermined cycle as shown by the signal D in FIG. 2. This reset pulse is input into a fail determining circuit 104 and at the same time, also input to the CPU 101 through an AND gate 7. Because the signal to the other terminal of the AND gate 7 is always at high level as described above, if reset pulse is output from the reset generation circuit 3, the CPU 101 is initialized. If the CPU 101 is initialized, the program restarts so that a normal state is gained.
If the CPU 101 is not restored to normal state even if the reset pulse is input thereto, because ot not runaway of the program but a fault of the CPU 101 itself, fail safe state must be gained to hold the system at safety side. Thus, unless the CPU 101 is restored to normal state even if reset pulse is output for example by more than three times, as shown in FIG. 2, the fail determining circuit 104 outputs a fail detecting signal to a fail safe unit 5 thereby making the system in fail safe state.
If the WDT 2 is in such a trouble that it does not output the PRUN abnormality signal, that is, if the CPU 101 stops outputting the PRUN signal but the WDT 2 does not output a PRUN abnormality signal corresponding to that stop, no reset pulse is generated from the reset generation circuit 3. Thus, the CPU 101 is in a state in which the program is running away. To avoid this state, the CPU 101 has a function for diagnosing the WDT 2 and the reset generation circuit 3. That is, the CPU 101 intentionally stops output of PRUN signal to the WDT 2 and finally it resets itself, thereby diagnosing whether the WDT 2 and the reset generation circuit 3 properly generate PRUN abnormality signal and reset pulse respectively.
Here, whether resetting of the CPU 101 occurs depending on such a diagnosis or due to an ordinary fault is determined by the CPU 101 after the resetting. Thus, the following method is applied for the CPU 101 after resetting to determine whether the resetting of the CPU 101 depends on such a diagnosis or an ordinary fault. That is, the CPU 101 writes data predetermined in particular address of a connected memory 21, for example, a flag indicating under diagnosis at the time of diagnosis and then stops output of the PRUN signal. Then, when activated again by the reset pulse, the CPU 101 reads a content of the particular address to identify whether that resetting occurred depending on a diagnosis or other reasons.
However, in the aforementioned conventional monitoring system, when a signal indicating that the CPU 101 itself is in trouble, that is, a fail detecting signal is output from the fail determining circuit 104, the fail safe unit 5 is activated. Therefore, if there occurs such a trouble that the fail determining circuit 104 outputs no fail detection signal although the CPU 101 itself is in trouble, that is, the fail determining circuit 104 itself is in trouble, the fail safe unit 5 cannot be activated, which is a problem of conventional art. On the other hand, as described above, diagnosis of the conventional monitoring system is limited to the WDT 2 and the reset generation circuit 3. There is no means for diagnosing a trouble in the fail determining circuit 104.