This application is based on and incorporates herein by reference Japanese Patent Applications No. 2001-295627, 2001-366974 and 2002-21060 filed on Sep. 27, 2001, Nov. 30, 2001 and Jan. 30, 2002, respectively.
The present invention relates to an electronic control unit (ECU) for a vehicle, and particularly to a process to be executed when a fault occurs in a CPU of the ECU.
In recent years, with advances in the functionality and capacity of memories (ROM and RAM), it has become conceivable to realize engine control (injection and ignition control) and throttle control, which in the prior art were performed by a pair of CPUs, with a single CPU in order to reduce the cost of the engine ECU. In an engine ECU formed of only one CPU, a fault in the CPU can be detected with a watchdog (WD) circuit as in the prior art. However, once the CPU has recovered from the faulty condition to the normal condition, it is impossible to determine what kind of fault occurred in the past. This leads to the disadvantage that a fail-safe process which ought to be executed is no longer executed. After a fault has occurred once in the CPU, the possibility that a similar fault will occur again is considerably high, so it is desirable to continue the fail-safe process after the CPU is re-started.
In another engine ECU, two CPUs are provided, a main-CPU and a sub-CPU. The former executes injection control and ignition control, while the latter executes electronic throttle control. A WD circuit is provided to monitor the operation of the main-CPU. This circuit receives a watchdog pulse (WD pulse) from the main-CPU as an input and resets the main-CPU when the periodicity of the WD pulse is disrupted.
Moreover, the main-CPU also monitors the operation of the sub-CPU (namely, the throttle control condition). The main-CPU receives as an input the WD pulse output by the sub-CPU and likewise resets the sub-CPU when the periodicity of that WD pulse is disrupted. When the sub-CPU is reset, the main-CPU executes a predetermined fail-safe process.
In short, the main-CPU is reset by the WD circuit and the sub-CPU is reset by the main-CPU. Moreover, when the WD circuit resets the main-CPU, the main-CPU subsequently resets the sub-CPU. However, once the main-CPU recovers normally after being reset by the WD circuit, normal control is executed without regard to the reset (namely, the occurrence of a fault) in the past. Therefore, when the predetermined fail-safe process is required to continue even after recovery from the reset, there arises the disadvantage that the fail-safe process to be executed is not executed.
In an electronic control unit including two CPUs, one for control and one for monitoring, suppose the control CPU runs uncontrollably (runaway). A communication fault and a WD pulse output fault are then generated simultaneously in the control CPU, and there arises the problem that these two pieces of fault information cannot both be stored and held. More specifically, if the communication fault is detected first, the control CPU is reset at that time point by the monitor CPU, and the WD pulse output fault cannot be stored. Accordingly, in some cases, runaway of the control CPU may be recognized only as a communication fault.
It is therefore an object of the present invention to execute a fail-safe process after a fault occurs in a CPU, and to correctly identify the content of the fault.
According to a first aspect of the present invention, a CPU executes engine control, electronic throttle control and a predetermined fail-safe process. A monitor circuit receives from the CPU, as an input, a watchdog (WD) pulse generated at a predetermined period, and outputs a reset signal to the CPU when the periodicity is disrupted. When the reset signal is output from the monitor circuit, the CPU is reset, and reset information indicating a record of the reset signal is stored in a storage. After the CPU is reset, it is re-started once a predetermined period has passed. When the CPU is re-started, it executes the predetermined fail-safe process based on the reset information stored in the storage.
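The sequence of the first aspect, simulated on a host as an added example (not code from the application): a single CPU that emits a WD pulse, a monitor circuit that outputs a reset signal when the pulse spacing exceeds a timeout and at that moment writes a reset record into storage that the reset does not clear, and a re-start that reads the record and enters the fail-safe process. The structure names, the 1 ms tick, the 20 ms timeout and the 50 ms restart delay are assumptions; the comparison with storage that the reset wipes shows the prior-art behaviour of a re-started CPU with no memory of the fault.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Added simulation of the first aspect: one CPU, a monitor circuit that resets
 * it on a WD pulse timeout, a reset record kept in storage that the reset does
 * not clear, and a re-start that enables the fail-safe process from that
 * record. Names, timing values and the 1 ms tick are assumptions. */

#define RECORD_MAGIC 0x57445253u      /* marks a valid record (assumed value) */

struct reset_record {
    uint32_t magic;
    uint32_t wd_reset_count;          /* reset signals issued by the monitor */
};

struct ecu {
    bool running;                     /* false while the CPU is held in reset */
    bool fail_safe;                   /* predetermined fail-safe process active */
    uint32_t last_wd_ms;              /* last WD pulse seen by the monitor circuit */
    uint32_t wd_timeout_ms;           /* pulse spacing beyond which the period counts as disrupted */
    uint32_t restart_delay_ms;        /* predetermined period before re-start */
    uint32_t restart_at_ms;
    struct reset_record store;        /* storage that survives the CPU reset (standby RAM/EEPROM) */
};

struct outcome {
    uint32_t resets_recorded;
    bool fail_safe_after_restart;
};

/* CPU side: a healthy CPU emits its WD pulse every cycle; a hung CPU emits none. */
void cpu_cycle(struct ecu *e, uint32_t now, bool healthy) {
    if (e->running && healthy) e->last_wd_ms = now;
}

/* Monitor circuit: outputs the reset signal when WD periodicity is disrupted.
 * The reset record is written at that moment, before the CPU state is lost.
 * Returns true when a reset signal was output. */
bool monitor_cycle(struct ecu *e, uint32_t now) {
    if (!e->running || now - e->last_wd_ms <= e->wd_timeout_ms) return false;
    if (e->store.magic != RECORD_MAGIC) {
        e->store.magic = RECORD_MAGIC;
        e->store.wd_reset_count = 0;
    }
    e->store.wd_reset_count++;
    e->running = false;
    e->fail_safe = false;             /* volatile CPU state is lost in the reset */
    e->restart_at_ms = now + e->restart_delay_ms;
    return true;
}

/* Re-start: read the reset record and enter fail-safe if a reset was recorded. */
void cpu_restart(struct ecu *e, uint32_t now) {
    e->running = true;
    e->last_wd_ms = now;
    e->fail_safe = e->store.magic == RECORD_MAGIC && e->store.wd_reset_count > 0;
}

/* record_survives_reset = true models the invention; false models storage that
 * the reset wipes, i.e. a re-started CPU with no memory of the fault. The CPU
 * runs normally, hangs at t = 100 ms, and is healthy again once re-started. */
struct outcome simulate(bool record_survives_reset) {
    struct ecu e = { .running = true, .wd_timeout_ms = 20, .restart_delay_ms = 50 };
    bool hung = false;
    for (uint32_t t = 0; t < 400; t++) {
        if (t == 100) hung = true;
        if (!e.running && t >= e.restart_at_ms) {
            hung = false;
            cpu_restart(&e, t);
        }
        cpu_cycle(&e, t, !hung);
        if (monitor_cycle(&e, t) && !record_survives_reset)
            memset(&e.store, 0, sizeof e.store);
    }
    struct outcome o = { e.store.wd_reset_count, e.fail_safe };
    return o;
}
```

The point the simulation makes is the ordering: the record must be committed when the reset signal is output, not by the CPU after it has been re-started, because everything the CPU held in volatile state is gone by then. On real hardware the storage would be a standby RAM region excluded from reset initialisation or an EEPROM write triggered by the reset path; the magic value guards against reading an uninitialised region as a record on first power-up.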
According to a second aspect of the present invention, there are provided a main-CPU, a sub-CPU and a monitor circuit for monitoring the operation of the main-CPU, which are mutually connected for the purpose of communication. The monitor circuit receives as an input, from the main-CPU, a watchdog (WD) pulse generated at a predetermined period. The sub-CPU monitors the WD pulse that the main-CPU outputs to the monitor circuit. If its periodicity is disrupted, the sub-CPU stores a reset record of the main-CPU in memory, no later than the time the reset signal is output from the monitor circuit.
Owing to this structure, the sub-CPU can reliably determine that the main-CPU has been reset, namely that a fault has occurred in the main-CPU. Moreover, in this structure, when the main-CPU is reset, the sub-CPU is subsequently reset as well. However, since the sub-CPU stores the reset record simultaneously with or before the reset of the main-CPU by the monitor circuit, the reset record can reliably be stored and held. Alternatively, the reset signal output from the monitor circuit to the main-CPU may be monitored, and a reset record stored in memory when this reset signal is output.
According to a third aspect of the present invention, a monitor CPU monitors communication with a control CPU and stores the fault condition if a fault occurs in the communication. The monitor CPU also resets the control CPU. Moreover, the monitor CPU monitors a watchdog (WD) pulse output from the control CPU, detects a fault from its periodicity, and stores the situation when a fault occurs in the WD pulse. Here, when the fault detection time for the communication condition is defined as X and the fault detection time for the WD pulse as Y, the fault detection times X and Y are specified to satisfy the relationship X ≥ Y.
With the above structure, if a fault (runaway) occurs in the control CPU and both the communication and the WD pulse output stop, the fault in the WD pulse is detected first, when the fault detection time Y has passed, and is stored. Thereafter, when the fault detection time X has passed, the fault in the communication is detected and stored, and the control CPU is reset. Namely, the WD pulse fault and the communication fault are each reliably stored, and the content of the fault can be correctly identified.
When the control CPU runs uncontrollably, it is desirable that the WD pulse fault be detected more quickly, with priority over the communication fault. The control CPU may be reset unconditionally when a communication fault is detected, but the reset output may also be restricted as required. For example, if the control CPU runs uncontrollably and both the communication and the WD pulse output stop, the reset output upon detection of the communication fault is restricted, so that both the WD pulse fault and the communication fault are reliably stored.
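The detection-time ordering of the third aspect and the restricted reset output, simulated on a host as an added example (not code from the application). The monitor CPU judges the WD pulse line and the communication link once per cycle; the comparison of X ≥ Y against X < Y reproduces the problem described above, where a runaway control CPU is reset on the communication fault before the WD pulse fault could be stored. The `restrict_reset` variant holds the reset until the WD pulse has been judged, and releases it after a further Y if the pulse keeps arriving, so a genuine communication-only fault is still reset. The structure names, the 1 ms tick, the 100 ms fault onset and the release rule for the restricted reset are assumptions of this simulation.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added simulation of the third aspect: a monitor CPU watching both the
 * communication link and the WD pulse line of a control CPU. Timing values,
 * structure names and the 1 ms tick are assumptions for the simulation. */

struct fault_log {
    bool wd_fault;       /* WD pulse periodicity fault stored */
    bool comm_fault;     /* communication fault stored */
    int  resets;         /* reset outputs issued to the control CPU */
};

struct monitor {
    uint32_t x_ms;              /* communication fault detection time X */
    uint32_t y_ms;              /* WD pulse fault detection time Y */
    uint32_t last_comm_ms;      /* last valid message from the control CPU */
    uint32_t last_wd_ms;        /* last WD pulse edge from the control CPU */
    bool restrict_reset;        /* hold the reset until the WD pulse is judged */
    bool reset_pending;
    uint32_t comm_fault_ms;     /* time the communication fault was detected */
    struct fault_log log;
};

/* One monitor cycle. Returns true when a reset output was issued this cycle.
 * The WD pulse is judged before the communication link, so that with X = Y the
 * WD fault is stored before a reset can be issued in the same cycle. */
bool monitor_cycle(struct monitor *m, uint32_t now) {
    if (!m->log.wd_fault && now - m->last_wd_ms >= m->y_ms)
        m->log.wd_fault = true;
    if (!m->log.comm_fault && now - m->last_comm_ms >= m->x_ms) {
        m->log.comm_fault = true;
        m->comm_fault_ms = now;
        m->reset_pending = true;
    }
    if (!m->reset_pending) return false;
    /* Restricted reset (assumed release rule): wait until the WD pulse has
       either been judged faulty or has kept arriving for a further Y, which
       shows the fault is confined to the communication link. */
    bool wd_judged = m->log.wd_fault || now - m->comm_fault_ms >= m->y_ms;
    if (m->restrict_reset && !wd_judged) return false;
    m->reset_pending = false;
    m->log.resets++;
    /* The reset restarts the control CPU; both lines are re-timed from now,
       so any WD silence from before the reset can no longer be detected. */
    m->last_comm_ms = now;
    m->last_wd_ms = now;
    return true;
}

/* Scenario: control CPU healthy until t = 100 ms, then either runaway (both
 * the messages and the WD pulse stop) or a communication-only fault (messages
 * stop, WD pulse continues). A reset recovers the control CPU. */
struct fault_log simulate(uint32_t x_ms, uint32_t y_ms, bool restrict_reset, bool comm_only) {
    struct monitor m = { .x_ms = x_ms, .y_ms = y_ms, .restrict_reset = restrict_reset };
    bool faulty = false;
    for (uint32_t t = 0; t < 1000; t++) {
        if (t == 100) faulty = true;
        if (!faulty || comm_only) m.last_wd_ms = t;   /* WD pulse arrives */
        if (!faulty) m.last_comm_ms = t;              /* message arrives */
        if (monitor_cycle(&m, t)) faulty = false;     /* reset recovers the CPU */
    }
    return m.log;
}
```

Two practical checks fall out of the simulation. With X = Y the relationship only works if the WD pulse judgement runs before the reset output inside the same cycle, as `monitor_cycle` does; swapping the two checks would lose the WD fault again at the boundary. And the restricted reset needs an upper bound on how long it is held, otherwise a control CPU that keeps pulsing but has stopped communicating would never be reset.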