1. Field of the Invention
The present invention generally relates to a series of processing carried out when there is an error, for example, an operation error, in any of a plurality of CPUs or a plurality of controllers included in a hardware configuration. In one concrete application, the present invention pertains to a control technique applied for a moving object with a prime mover or more specifically to a technique of monitoring abnormality in a plurality of CPUs. In another concrete application, the present invention pertains to a technique of detecting an error in a control system including at least two controllers. The technique detects a processing error in any of the at least two controllers included in the control system. The control system has an arithmetic logic unit that functions under the control of a predetermined program, and includes the at least two controllers that respectively carry out specific controls according to the predetermined program.
2. Description of the Related Art
Recent reductions in the size and cost of computer-aided controllers have led to a large number of controllers being incorporated in a variety of apparatuses, where they work together as one total control system. For example, a diversity of controllers including an engine controller that controls an engine and a brake controller that regulates the braking force are incorporated in a vehicle, which is one example of a moving object with a prime mover. These controllers mutually transmit required information via communication lines and function as a comprehensive control system that totally controls the moving object. This arrangement is not restricted to vehicles but may be applied in a variety of fields, for example, other moving objects like aircraft and ships, machine tools, plant control apparatuses, and manufacturing equipment.
The arrangement of controlling the whole apparatus or the whole system not with a single computer but with a large number of controllers desirably restricts the required control range of each controller, advantageously simplifies the processing program used in each controller, and facilitates verification of the validity of the processing. This arrangement also limits the total number of inputs into and outputs from each controller and thus enhances the processing speed of connected elements like actuators.
In the control system that utilizes a plurality of controllers for the control, the important issue is how to handle the error arising in each controller. A digital controller generally has a monitoring circuit that monitors the operation of a CPU of interest and resets the CPU of interest in response to detection of abnormality arising in the CPU of interest. The monitoring circuit may be another CPU, which is different from the CPU of interest, or a watchdog circuit.
For example, the technique disclosed in JAPANESE PATENT LAID-OPEN GAZETTE No. 5-143496 utilizes an auxiliary CPU to monitor a main CPU in an air bag unit for the vehicle. The auxiliary CPU monitors the operation of the main CPU, and activates an inhibitor circuit in response to detection of abnormality arising in the main CPU, so as to prohibit signals from being output from the main CPU to an external circuit.
A monitoring circuit adopted in a controller of a power-driven steering wheel is disclosed in JAPANESE PATENT LAID-OPEN GAZETTE No. 11-314573. A watchdog timer or an excess current detection circuit may be applied for the monitoring circuit.
In the case where a plurality of CPUs are used to control a moving object, the applicable construction may allow the CPUs to mutually monitor the operations of the opposite CPUs. For example, in one possible configuration, each of two CPUs, which respectively control two prime movers, monitors the operation of the opposite CPU and resets the opposite CPU in response to detection of abnormality arising in the opposite CPU.
In the structure in which the plurality of CPUs mutually monitor the opposite CPUs, when one CPU is reset, that CPU in turn resets the other CPU at the time of its reactivation. This is because the reset operation of one CPU generally causes the whole peripheral circuit configuration including the CPU to be reset. This leads to endless circulation of the reset operations of the CPUs and thus prevents the controller from being restored to the normal state.
Some abnormality of the controller is ascribed to abnormality arising in an arithmetic logic operation circuit. If there is any abnormality in an arithmetic logic operation circuit included in a controller, the controller cannot detect the occurrence of an error properly.
The distribution of the control to a large number of controllers leads to another technological issue; that is, how to ensure the validity of the processing carried out by another controller. A measure against this issue has been proposed in JAPANESE PATENT LAID-OPEN GAZETTE No. 9-46803. This proposed technique causes the respective controllers to mutually transmit data processed therein, carry out comparison between the transmitted data, and stop the control in the case of inconsistency. Another technique proposed in various ways provides a specific apparatus exclusively used to verify the validity of the processing (for example, a diagnosis computer) and monitor the operation of each controller. As discussed above, there is another widely known technique that provides a watchdog timer to detect abnormality in the sequential series of processing, for example, due to a bug existing in a processing program, in each controller and reset the controller.
Any of these proposed techniques, however, undesirably increases the number of objects subjected to verification for the validity of the processing in geometric progression with an increase in the number of controllers, an increase in the number of plants (the objects to be controlled by the controllers), or an increase in the quantity of information transmitted between them. This imposes a significantly heavy load relative to the processing to be executed in the respective controllers. One possible measure to prevent such heavy loading is to use the diagnosis computer exclusively for the verification. Under the condition of an increasing number of signal lines or an increasing quantity of information output from each controller to the diagnosis computer, however, this structure does not ensure real-time verification. The use of a specific device exclusively used to verify the validity of the processing also makes the structure of the whole control system undesirably complicated and raises the required cost.
When the respective controllers carry out significantly complicated operations, another issue arises; that is, how and what to verify. One possible measure against this issue allocates weights to the operations carried out by the respective controllers and carries out strict verification for the operation that generates essential data important for the whole system and for the essential operation important for the control of the whole system. In a moving object like a vehicle, however, any data may be regarded as important and essential. The constructed system is thus required to verify all the operations carried out therein. There has accordingly been no comprehensive measure against the above issues.
The object of the present invention is thus to provide a comprehensive technique that detects a processing error arising in any of at least two controllers included in a control system, where each of the at least two controllers includes an arithmetic logic operation unit that follows a specific program, and carries out predetermined processing according to the specific program.
At least part of the above and the other related objects is actualized by a technique that utilizes a plurality of controllers, which are connected with one another and include a first controller and a second controller, to control operations of an object. The first controller has a first reset execution unit that carries out a first reset event, which resets a circuit configuration of a predetermined range including the second controller in response to input of a reset signal. The second controller has a second reset execution unit that does not output the reset signal to the first controller in response to the reset of the second controller by the first reset event, and outputs the reset signal to the first controller in response to detection of abnormality arising in the first controller.
In this structure, in response to input of the reset signal, the first controller resets the circuit configuration of the predetermined range including the second controller, while the second controller does not reset the first controller. This arrangement desirably prevents the endless reset operations of the controllers. The second controller resets the first controller only in response to detection of abnormality arising in the first controller. This arrangement thus effectively monitors abnormality in the first controller.
It is preferable that the first controller takes charge of the uppermost level of control in the circuit configuration of the predetermined range in the process of controlling the object.
This arrangement enables the circuit configuration of the predetermined range including the second controller to be reset in response to the reset operation of the first controller, thus ensuring restoration of the control of the object to the normal state.
In accordance with one preferable application of the present invention, the first controller and the second controller mutually monitor abnormality in the opposite controllers and respectively transmit the reset signal to the opposite controller in response to detection of abnormality arising in the opposite controller.
This arrangement significantly exerts the effect of preventing the endless circulation of the reset operations of the first controller and the second controller.
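The reset hierarchy described above can be made concrete with a small simulation. The following C program is an added illustration, not code from the patent: it models the two controllers, a pending reset signal for each, and the monitoring that sends a reset signal only on detected abnormality. In "naive" mode the second controller behaves as in the related art (a reset CPU resets the other CPU again on reactivation); otherwise its reset execution unit stays silent when its reset was caused by the first reset event and sends a reset only when it observes abnormality in the first controller. All names, the step budget and the counters are assumptions of this model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the reset hierarchy (added illustration, not the patent's code). */
#define MAX_STEPS 50   /* simulation budget; reaching it means the reset loop never ends */

typedef struct {
    bool naive;            /* related-art behaviour vs. the proposed rule */
    bool sig_to_first;     /* reset signal pending at the first controller */
    bool sig_to_second;    /* reset signal pending at the second controller */
    bool first_abnormal;   /* abnormality the second controller observes in the first */
    bool second_abnormal;  /* abnormality the first controller observes in the second */
    int  first_resets;     /* counters, for inspection */
    int  second_resets;
} reset_model_t;

static void init_model(reset_model_t *m, bool naive) {
    *m = (reset_model_t){0};
    m->naive = naive;
}

/* First reset event: the first controller resets the whole circuit range that
 * includes the second controller. The second controller then reactivates. */
static void first_reset_event(reset_model_t *m) {
    m->first_resets++;
    m->second_resets++;
    m->first_abnormal = m->second_abnormal = false;
    m->sig_to_second = false;          /* already reset as part of the range */
    if (m->naive)
        m->sig_to_first = true;        /* related art: reset the first back -> endless loop */
    /* proposed rule: the second reset execution unit outputs nothing here */
}

/* Reset of the second controller alone, ordered by the first on abnormality. */
static void second_reset_event(reset_model_t *m) {
    m->second_resets++;
    m->second_abnormal = false;
    if (m->naive)
        m->sig_to_first = true;        /* related art: reset the first on reactivation */
}

/* One monitoring-and-reset cycle. Returns true if a reset was performed. */
static bool step(reset_model_t *m) {
    /* mutual monitoring: a reset signal is sent only on detected abnormality */
    if (m->first_abnormal)  m->sig_to_first = true;
    if (m->second_abnormal) m->sig_to_second = true;

    if (m->sig_to_first) {             /* the first controller is at the uppermost level */
        m->sig_to_first = false;
        first_reset_event(m);
        return true;
    }
    if (m->sig_to_second) {
        m->sig_to_second = false;
        second_reset_event(m);
        return true;
    }
    return false;
}

/* Run until no further reset occurs; returns the number of reset cycles,
 * or MAX_STEPS if the system never settles. */
static int run_until_quiet(reset_model_t *m) {
    int n = 0;
    while (n < MAX_STEPS && step(m))
        n++;
    return n;
}

int resets_after_first_abnormality(bool naive) {
    reset_model_t m;
    init_model(&m, naive);
    m.first_abnormal = true;           /* the second controller detects abnormality in the first */
    return run_until_quiet(&m);
}

int resets_after_second_abnormality(bool naive) {
    reset_model_t m;
    init_model(&m, naive);
    m.second_abnormal = true;          /* the first controller detects abnormality in the second */
    return run_until_quiet(&m);
}

int main(void) {
    printf("first abnormal : proposed=%d cycles, related art=%d cycles\n",
           resets_after_first_abnormality(false), resets_after_first_abnormality(true));
    printf("second abnormal: proposed=%d cycles, related art=%d cycles\n",
           resets_after_second_abnormality(false), resets_after_second_abnormality(true));
    return 0;
}
```

With the proposed rule both scenarios settle after a single reset cycle; with the related-art rule the simulation exhausts its budget, which is the endless circulation of reset operations the text warns about.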
In accordance with another preferable application of the present invention, the control system further includes a monitoring circuit that monitors abnormality in the first controller and transmits a reset signal to the first controller in response to detection of abnormality arising in the first controller. In the case where the control system is mounted on a moving object with a prime mover, the control system carries out a reset test at a time of starting the moving object. The reset test checks whether or not a reset operation of the first controller by means of the second controller and a reset operation of the first controller by the monitoring circuit are performed normally.
This arrangement enables the reset operation of the first controller to be confirmed, prior to a drive of the moving object, thus improving the reliability of the control system.
In accordance with still another preferable application of the present invention, the control system further includes a reset record registration unit that is connected to one of the plurality of controllers and stores results of the reset test registered therein.
This arrangement enables the controller to readily check the results of the reset test.
The reset record registration unit may have the function of detecting and storing generation of at least part of a plurality of reset signals transmitted to the plurality of controllers in the course of the reset test.
This arrangement enables a check for generation of a preset reset signal during the reset test by examining the reset record registration unit.
In the case where the control system is mounted on a moving object with a prime mover, the reset record registration unit may have a function of detecting and storing generation of at least part of the plurality of reset signals during a drive of the moving object after the reset test.
This arrangement enables the occurrence of abnormality in the controller during a drive of the moving object to be reported by examining the reset record registration unit.
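The reset test at start-up and the reset record registration unit described in the preceding paragraphs can be modelled together. The following C program is an added illustration, not the patent's own code: the registration unit is a single latched byte in which each bit records the generation of one reset signal, the reset test drives both reset paths to the first controller (from the second controller and from the monitoring circuit) and checks that the signals were generated and that the resets actually took place, and any bit latched after the test is taken as abnormality during the drive. The bit names, the fault-injection flag and the counters are assumptions of this model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model (added illustration, not the patent's code). */
#define REC_FIRST_BY_SECOND   0x01u  /* second controller sent a reset signal to the first */
#define REC_FIRST_BY_MONITOR  0x02u  /* monitoring circuit sent a reset signal to the first */
#define REC_SECOND_BY_FIRST   0x04u  /* first reset event propagated to the second controller */

typedef struct {
    uint8_t record;                /* reset record registration unit (latched signals) */
    bool    first_reset_input_ok;  /* fault injection: does the first controller's reset input work? */
    bool    test_done;             /* reset test completed at the start of the moving object */
    int     first_resets;          /* how often the first controller was actually reset */
    int     second_resets;
} reset_test_model_t;

static void init_model(reset_test_model_t *m, bool reset_input_ok) {
    *m = (reset_test_model_t){0};
    m->first_reset_input_ok = reset_input_ok;
}

/* First reset event: the first controller resets the range including the second. */
static void first_reset_event(reset_test_model_t *m) {
    m->first_resets++;
    m->second_resets++;
    m->record |= REC_SECOND_BY_FIRST;
}

/* A reset signal to the first controller from the given source. The registration
 * unit latches the signal itself, whether or not the reset is actually performed. */
static void reset_signal_to_first(reset_test_model_t *m, uint8_t source_bit) {
    m->record |= source_bit;
    if (m->first_reset_input_ok)
        first_reset_event(m);
}

/* Reset test at start: exercise both reset paths to the first controller, then
 * confirm that both signals were generated and both resets really happened. */
bool run_reset_test(reset_test_model_t *m) {
    const uint8_t expected = REC_FIRST_BY_SECOND | REC_FIRST_BY_MONITOR | REC_SECOND_BY_FIRST;
    m->record = 0;
    m->first_resets = m->second_resets = 0;

    reset_signal_to_first(m, REC_FIRST_BY_SECOND);   /* second controller resets the first */
    reset_signal_to_first(m, REC_FIRST_BY_MONITOR);  /* monitoring circuit resets the first */

    bool ok = (m->record & expected) == expected
           && m->first_resets == 2 && m->second_resets == 2;
    m->record = 0;          /* clear, so any bit set later stems from the drive */
    m->test_done = true;
    return ok;
}

/* During the drive: the second controller detects abnormality in the first. */
void abnormality_during_drive(reset_test_model_t *m) {
    reset_signal_to_first(m, REC_FIRST_BY_SECOND);
}

/* After the test, a nonzero record means a reset signal was generated during the drive. */
uint8_t reset_record_after_test(const reset_test_model_t *m) {
    return m->test_done ? m->record : 0;
}

int main(void) {
    reset_test_model_t m;
    init_model(&m, true);
    printf("reset test: %s\n", run_reset_test(&m) ? "passed" : "FAILED");
    abnormality_during_drive(&m);
    printf("record after drive: 0x%02x\n", reset_record_after_test(&m));
    return 0;
}
```

A broken reset input is caught because the latched signal bits are present while the reset counters stay at zero; checking only the record, or only the counters, would miss one of the two failure modes.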
The present invention is also directed to a method of detecting a processing error arising in any of at least two controllers included in a control system, where each of the at least two controllers includes an arithmetic logic operation unit that follows a specific program and carries out predetermined processing according to the specific program. The method includes the steps of: separating a first process from a second process, the first process causing a controller of interest, which executes the predetermined processing, to verify the validity of the predetermined processing based on a result of the predetermined processing, the second process causing another controller, which is different from the controller of interest, to verify the validity of the predetermined processing carried out by the controller of interest; carrying out the first process in which the controller of interest verifies the validity of the predetermined processing; and carrying out the second process in which another controller receives the result of the predetermined processing carried out by the controller of interest and verifies the validity of the predetermined processing.
The technique of the present invention may also be actualized by a control system corresponding to this method of detecting the processing error. In the method of detecting the processing error and the corresponding control system, the first process is separate from the second process. Here the first process causes a controller of interest to verify the validity of the predetermined processing, based on the result of the predetermined processing carried out by the controller of interest. The second process causes another controller, which is different from the controller of interest, to verify the validity of the predetermined processing carried out by the controller of interest. This arrangement effectively prevents the mechanism of detecting the processing error from being undesirably complicated even in the control system of the complex configuration, thus enhancing the speed of detection of the processing error. The division of detection into the first process and the second process clarifies the details of the processing error detected and simplifies the required program.
In the method of detecting the processing error and the corresponding control system, the second process may verify the validity of an operation executed by the arithmetic logic operation unit included in the controller of interest. In this application, in the second process, another controller causes the arithmetic logic operation unit included in that other controller to perform an operation and thereby verifies the validity of the operation executed in the controller of interest. Here the operation carried out by the arithmetic logic operation unit in the controller of interest may be identical with the operation carried out by the arithmetic logic operation unit in the other controller. Alternatively, the arithmetic logic operation unit in the controller of interest may carry out another operation, based on the results of the operation carried out by the arithmetic logic operation unit in the other controller. In the event of malfunction of the internal arithmetic logic operation unit, the controller of interest cannot verify the validity of its own operation. For example, consider a program that compares the result of the operation with a preset value and changes the details of the processing according to the consistency or inconsistency. The consistency or inconsistency is determined by utilizing the mechanism that a specific value is set to a flag in the case of consistency. When the mechanism of changing the value of the flag malfunctions so as to always set the flag representing consistency, the arithmetic logic operation unit cannot perform the correct operation. In the case of such troubles, the arrangement outputs the result of the operation carried out by the arithmetic logic operation unit included in the controller of interest to another controller and verifies the validity of the operation, based on the result of the operation carried out by the arithmetic logic operation unit included in the other controller.
This arrangement does not verify the validity of specific data but preferably verifies the validity of the arithmetic logic operation itself.
In accordance with one preferable application of the method of the present invention, the first process specifies a range of a result obtained by the first process and thereby verifies the validity of the predetermined processing. In the first process, the controller of interest, which has executed the processing, performs the verification. In many cases, the possible range of the result of the first process can be specified. In such cases, the validity of the processing is verified by checking whether or not the result of the first process is within the specified range.
In accordance with another preferable application of the method of the present invention, the second process causes another controller to check results of arithmetic logic operations including a predetermined fundamental operation with regard to a predetermined value and thereby verifies the validity of the predetermined processing. In the second process, the controller of interest can not verify the validity of the internal mechanism that carries out the processing. The arrangement of entrusting another controller with the verification ensures the sufficient reliability of verification.
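The separation of the first process (self-verification by the controller of interest) from the second process (verification by another controller) described above, together with the stuck-flag failure mode, can be shown in a small C model. This is an added illustration, not code from the patent: each controller has an arithmetic logic operation unit with two optional injected faults, a stuck bit in its adder and a comparison flag stuck at "consistent". The first process is shown both as a range check on a processing result and as a self-check of a fundamental operation; the second process passes the result to another controller, which redoes the same fundamental operation in its own unit and compares. The predetermined value, the fault positions and all names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model (added illustration, not the patent's code). */
typedef struct {
    const char *name;
    bool adder_fault;   /* injected fault: result of addition has one bit flipped */
    bool flag_stuck;    /* injected fault: comparison always reports consistency */
} controller_t;

#define TEST_VALUE  0x1234            /* predetermined value for the fundamental operation */
#define TEST_EXPECT (2 * TEST_VALUE)  /* known-good result of that operation */

/* Fundamental operation in the controller's own arithmetic logic operation unit. */
static int32_t alu_add(const controller_t *c, int32_t a, int32_t b) {
    int32_t r = a + b;
    return c->adder_fault ? (r ^ 0x10) : r;
}

/* Comparison in the controller's own unit; the consistency flag may be stuck. */
static bool alu_consistent(const controller_t *c, int32_t x, int32_t y) {
    return c->flag_stuck ? true : (x == y);
}

/* First process, variant A: the controller of interest checks its own fundamental
 * operation. It relies on its own unit, so a stuck flag hides its own adder fault. */
bool self_check(const controller_t *c) {
    return alu_consistent(c, alu_add(c, TEST_VALUE, TEST_VALUE), TEST_EXPECT);
}

/* First process, variant B: the result of the real processing (here: an input plus
 * an offset) is checked against the range it can legitimately take. */
bool range_check(const controller_t *c, int32_t input, int32_t offset, int32_t lo, int32_t hi) {
    int32_t r = alu_add(c, input, offset);
    return r >= lo && r <= hi;
}

/* Second process: the controller of interest outputs its result (in the text, via
 * serial communication); the other controller redoes the same fundamental
 * operation in its own unit and compares with its own, independent flag. */
bool cross_check(const controller_t *of_interest, const controller_t *other) {
    int32_t transmitted = alu_add(of_interest, TEST_VALUE, TEST_VALUE);
    int32_t recomputed  = alu_add(other, TEST_VALUE, TEST_VALUE);
    return alu_consistent(other, recomputed, transmitted);
}

/* Combined verdict: the processing is valid only if both processes pass. */
bool processing_valid(const controller_t *of_interest, const controller_t *other) {
    return self_check(of_interest) && cross_check(of_interest, other);
}

int main(void) {
    controller_t healthy = {"engine", false, false};
    controller_t brake   = {"brake",  false, false};
    controller_t silent  = {"engine", true,  true};   /* faulty adder AND stuck flag */

    printf("healthy : self=%d cross=%d valid=%d\n",
           self_check(&healthy), cross_check(&healthy, &brake), processing_valid(&healthy, &brake));
    printf("silent  : self=%d cross=%d valid=%d\n",
           self_check(&silent), cross_check(&silent, &brake), processing_valid(&silent, &brake));
    return 0;
}
```

The "silent" controller passes its own self-check because its consistency flag is stuck, which is exactly the case the text describes; only the second process, run in another controller's unit, exposes the wrong result.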
In accordance with still another preferable application of the method of the present invention, each of the at least two controllers is mounted on a moving object with a prime mover, and the first process is at least part of a control process that controls an apparatus including the engine of the moving object. In the moving object with the prime mover, a large number of controllers may work in a cooperative manner to implement the control. This arrangement enables verification of the validity of the processing while carrying out the control of a moving object having such a configuration.
In the moving object, the at least two controllers may be any of an engine controller that controls the engine, a motor controller that controls a motor, which outputs power required for the moving object in cooperation with the engine, a battery controller that regulates a battery, which supplies electric power to the motor, and a brake controller that regulates a braking force of the moving object. For the efficient total control of the moving object, it is practical to assign the required works to the respective controllers mounted on the moving object according to the functions of the moving object.
Each controller is designed to allow transmission of the results of the second process via serial communication. The serial communication favorably enables exchange of data via a small number of signal lines.
In the control system, each controller may be constructed by a one-chip microcomputer including a controller. The use of the one-chip microcomputer desirably reduces the number of external circuits and simplifies the structure of the whole control system.
The technique of the present invention may be attained by a diversity of applications, which include a control system of a moving object and a corresponding control method, a moving object with such a control system mounted thereon, a computer program that actualizes the functions of either the control system or the control method, a recording medium in which such a computer program is recorded, and a data signal that includes such a computer program and is embodied in a carrier wave.
These and other objects, features, aspects, and advantages of the present invention will become more apparent from the following detailed description of the preferred embodiments with the accompanying drawings.