1. Field of the Invention
This invention relates to a controller with a fail-safe function, and particularly to a controller with a fail-safe function having plural (usually, two) central processing units (CPU) for one control object and adapted for temporarily stopping the operation of the controller when an anomaly occurs in the operation of one of the central processing units, thus preventing output of erroneous control data.
2. Description of the Related Art
Conventionally, a controller with a fail-safe function having two central processing units (CPU), that is, a master central processing unit (hereinafter referred to as master CPU) and a slave central processing unit (hereinafter referred to as slave CPU), is known.
In this case, in a first example of the known controller with a fail-safe function, the master CPU constantly monitors the operation of the slave CPU, and when anomaly occurs in the operation of the slave CPU, the master CPU supplies a reset signal to the slave CPU to reset the slave CPU and thus temporarily stops the operation of the slave CPU.
In a second example of the known controller with a fail-safe function, the same detection data is supplied to the master CPU and the slave CPU, and first intermediate processing data processed by the master CPU and second intermediate processing data corresponding thereto and processed by the slave CPU are compared with each other. When the first and second intermediate processing data are coincident with each other, a coincidence signal is outputted. When the first and second intermediate processing data are not coincident with each other, a non-coincidence signal is outputted.
In the first example of the known controller with a fail-safe function, when anomaly occurs in the operation of the slave CPU, abnormal processing data is prevented from being outputted from the slave CPU. However, since no measure is provided for monitoring abnormal operation of the master CPU or stopping the abnormal operation when anomaly occurs in the operation of the master CPU, output of unwanted processing data may be continued.
In the second example of the known controller with a fail-safe function, when first intermediate processing data processed by the master CPU and second intermediate processing data processed by the slave CPU are compared with each other, only a coincidence signal is outputted in the case the first and second intermediate processing data are coincident with each other, or only a non-coincidence signal is outputted in the case the first and second intermediate processing data are not coincident with each other. Since no measure is provided for stopping the operation when anomaly occurs in the detector unit for detecting coincidence or non-coincidence of the first and second processing data or when anomaly is detected in the signal output function itself, erroneous processing data may be outputted.