Microprocessors are now used in a wide variety of safety-critical systems. For example, antilock braking systems (ABS) and electro-pneumatic braking systems (EPB) enable an electronic controller to override, or directly control, the driver's ability to stop the vehicle. In the case of ABS, the controller has the capability to remove brake pressure from all of the brakes irrespective of any action taken by the driver. The microprocessors at the heart of the controller must therefore be relied upon to operate predictably.
Manufacturers of microprocessors specify that these devices will function correctly if the supply voltage to the processor is within the range specified for that processor (often about 4 V to 7 V). If a voltage lower than that specified is supplied to the processor, its behaviour cannot reliably be predicted. Once the processor has started to behave unpredictably, even raising the supply voltage to the specified value will not necessarily cause it to function correctly again. For this reason, microprocessors are provided with a "reset" pin. When this pin is held at a specified voltage (normally below 1 V), the microprocessor is inactive, with all its outputs in a specified state, for all supply voltages below the level which would cause permanent damage to the processor. The supply voltage cannot rise instantly from zero to the specified operating voltage, so the reset pin must be held low when power is applied to the processor and then taken high once the specified voltage has been attained, so that the processor commences operating in a predictable manner.
In the case of both ABS and EPB controllers, it is known for each to use two microprocessors to ensure that the system will function safely if one of the processors fails. Dual computer cross-checking is employed, as described in our co-pending European Application No. 88311720, wherein one of the processors is a relatively expensive device which performs all the main functions of the system, whereas the other processor, a much smaller, simpler and cheaper chip, is used to monitor the actions of the main processor and to shut down the controller if the main processor appears to be malfunctioning.
The known controller employs a serially connected hardware reset for both microprocessors to monitor under- or over-voltage conditions on the supply. If the supply is within the limits, the first reset period times out, followed by the second. Any out-of-limit excursion will cause the reset cycle to be repeated. A disadvantage of this system is that the time of each reset period cannot be accurately measured.
When power is applied to the controller, it becomes necessary to bring the processors out of the "reset" condition in a controlled manner. The voltage supplied to the microprocessors is controlled by a voltage regulator circuit within the controller, and this circuit draws power from the vehicle battery. If the voltage supplied to the controller drops, due for example to engine cranking or a faulty connection, the voltage regulator may not be able to maintain the correct voltage on the microprocessors. A partial drop in supply voltage is potentially a hazardous condition, as there may be sufficient voltage for the processor to operate the solenoids which control the vehicle braking while the processor is in an unpredictable mode of operation, as previously described.
If the supply voltage drops during the specified reset period, then the duration of this period must be extended. If the supply voltage drops after this period, the processors must be put back into reset. The reset circuit includes a low voltage detection element which monitors the supply voltage and provides a signal, in the form of a voltage change on an output pin, when the voltage drops below a specified level, e.g. 4.6 V. The smaller of the two processors is specified to operate between 3.5 V and 7.0 V, and the larger processor between 4.6 V and 7.0 V.
A circuit provided in the controllers performs the function of bringing the processors out of the reset condition, and of returning them to the reset condition when the power supply is low; in the ABS and EPB controllers the respective circuits are made up of a combination of discrete components for each processor.
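As an added illustration (not code from the application), the following Python model simulates the reset supervisor behaviour just described on a sampled supply trace: reset held while the supply is below the 4.6 V detection level, the reset period restarted by a dip during that period, and reset re-entered by a dip after release. The 4.6 V level is from the text; the reset period length in samples and the supply traces are assumptions.

```python
# Added illustrative model (not from the application): a sampled simulation of
# the reset supervisor behaviour described above. The 4.6 V low voltage level
# is from the text; the reset period in samples and the traces are assumptions.

LOW_VOLTAGE_LEVEL = 4.6   # V, below this the detection element signals low supply
RESET_PERIOD = 5          # assumed reset period, measured in supply samples

def supervise(voltages, level=LOW_VOLTAGE_LEVEL, reset_period=RESET_PERIOD):
    """Reset line state per sample (True = processor held in reset).
    Rules from the text: reset is asserted while the supply is below the level;
    once the supply is adequate, reset is held for a full reset period and a
    dip during that period restarts it; a dip after release re-enters reset.
    """
    in_reset = True              # reset pin held low as power is applied
    remaining = reset_period
    states = []
    for v in voltages:
        if v < level:
            in_reset = True
            remaining = reset_period   # low supply: (re)start the full period
        elif in_reset:
            if remaining > 0:
                remaining -= 1         # counting out the reset period
            else:
                in_reset = False       # period timed out with good supply
        states.append(in_reset)
    return states

def reset_durations(states):
    """Length in samples of each contiguous reset period in a state trace.
    Comparing these with the specified period exposes a reset released too
    early, the kind of timing fault that can otherwise go unnoticed.
    """
    durations, run = [], 0
    for held in states:
        if held:
            run += 1
        elif run:
            durations.append(run)
            run = 0
    if run:
        durations.append(run)
    return durations

# Constructed supply traces (volts per sample): a dip while the reset period is
# still running, and a dip after the processor has been released.
DIP_DURING_RESET = [5.0, 5.0, 4.5, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0, 5.0]
DIP_AFTER_RELEASE = [5.0] * 6 + [4.0] + [5.0] * 6
```

Running `supervise` with a shorter `reset_period` than specified and inspecting `reset_durations` shows how an early release would be caught if the circuit were exercised rather than left untested.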
To ensure the safe operation of the controller under all circumstances, it is not sufficient just to provide a reset circuit which operates as described above.
As mentioned before, the microprocessors need to be relied upon to ensure safe braking at all times. Two microprocessors are used so that if one processor or one reset circuit develops a fault and the processor misbehaves, the second processor will detect this, disable the ABS system and also warn the driver that the ABS system must be serviced immediately. The possibility of a second fault developing before the ABS controller has been replaced is, however, acceptably small.
If a reset circuit of the type described is used but never tested, it is possible for a fault to develop within the circuit serving one processor and remain undetected. This may, for example, be a timing fault which does not cause the processor to fail, because under some conditions (of supply voltage and temperature, perhaps) the processor can tolerate reset durations shorter than specified; or it may be a low voltage sensing fault which is not detected because a low voltage condition does not occur. The fault, for whatever reason, will go undetected and persist for the life of the controller. The possibility of a second fault developing within the life of the controller, which affects the other processor and thus renders the system dangerous, is unacceptably high.