1. Field of the Invention
This invention relates to a fail-safe system used in integrated control of a vehicle such as an automotive vehicle. In addition, this invention relates to a method of fail-safe.
2. Description of the Related Art
An integrated control system for a vehicle includes a plurality of computer-based controllers designed to control structural elements (structural components) of the vehicle. Data can be transmitted among the controllers. The data transmission among the controllers enables the integrated control system to provide stable control of the vehicle.
The structural elements of the vehicle include, for example, an engine, a transmission, and an air conditioner. The controllers are assigned to actuators in the structural elements. In the event that one of the controllers fails, the actuator or actuators assigned to it cannot be driven and controlled. In this case, there is a possibility that the vehicle cannot travel at all and that limp-home operation cannot be carried out.
Japanese patent application publication number P2000-14709A discloses a multi-CPU system in which the failure of one CPU can be detected by another CPU operating normally. The normal CPU gets system information about the failed CPU. The normal CPU extracts, from the system information, a program assigned to the failed CPU. The normal CPU loads the extracted program into a memory therein or a memory in a reserve CPU. Thus, the normal CPU or the reserve CPU operates in accordance with the loaded program, and serves for the failed CPU.
Japanese patent application publication number 53-114630 discloses a first data highway system including a master station and a sub-master station. The master station has a CPU. Similarly, the sub-master station has a CPU. The CPU of the master station and the CPU of the sub-master station are connected via a data link module. In the event that the CPU of the master station fails, the CPU of the sub-master station is notified of the CPU failure via the data link module. The CPU of the sub-master station outputs a capture instruction to the CPU of the master station, and the sub-master station serves as a master station. The CPU of the sub-master station is loaded with data from an external storage device to perform backup of the data highway system in an on-line manner. Japanese application 53-114630 also discloses a second data highway system including a master station and a sub-master station which are physically independent of each other. An external storage device of the sub-master station has a special area storing the same data as those in an external storage device of the master station. In the event that the master station fails, a CPU of the sub-master station accesses the special area of the external storage device thereof so that the sub-master station serves as a master station.
U.S. Pat. No. 4,532,594 relates to an electronic control system for an automotive vehicle which includes an engine control system and a vehicle driving information system. The engine control system operates for controlling the engine operation by using a microcomputer. The vehicle driving information system operates for preparing and displaying various pieces of driving information by using another microcomputer. The two microcomputers are partners. A backup program is stored in each microcomputer for, when the partner microcomputer fails, backing up at least the critical jobs of the partner microcomputer to ensure the continuance of safe operation of the vehicle.
Japanese patent application publication number 64-13601 discloses an electronic control apparatus for a vehicle which includes a main memory and a second memory. The second memory is of a battery-backed-up type. When an engine stops, information is transferred from a prescribed area of the main memory and is saved to the second memory. After the saving of the information is confirmed, a power supply is turned off. When the power supply is turned on, the information is transferred from the second memory back to the prescribed area of the main memory.
U.S. Pat. No. 5,957,985 relates to a failure-resilient automobile control system which integrates diverse and separate automobile components and provides fault-tolerance to component failure. The automobile control system includes a master control unit (MCU) electrically coupled via a primary data communications bus to the electronic automobile components. The MCU is master of the bus and manages data flow over the bus among the electronic automobile components. The MCU can be configured with a routing table to route data monitored in one component to one or more other components. The MCU is also capable of performing the same functions as those performed by local controllers at the electronic components. During initialization, driver software for all of the local controllers is downloaded and stored at the MCU. In the event that a local controller fails, the MCU executes the driver software for the failed controller to remotely control the electronic automobile component in place of the failed local controller. Switching logic is installed at each of the electronic components to selectively route data to the primary bus, circumventing the failed controller. The automobile control system has a secondary control unit (SCU) electrically coupled to the MCU via the primary bus. The SCU is a stand-alone computer that supports clients and other devices on a secondary support bus. The SCU is also configured to back up the MCU. During normal operation, the SCU is subordinate to and controlled by the MCU on the primary bus. In the event that the MCU fails, the SCU assumes control of the data communications network and manages the data flow among the electronic automobile components.
Japanese patent application publication number 4-279836 discloses a master-slave multi-processor system for a control and diagnostic apparatus in a motor vehicle. For separate and optionally simultaneous overlapping execution of various programs, the multi-processor system uses only one ROM which can be easily replaced or one RAM having contents that can be newly loaded or overwritten via an interface. The multi-processor system allows the optional use of at least one slave processor for arbitrarily different or alterable tasks. Data in a storage area of the slave processor can be modified or subjected to overwriting in accordance with the contents of the ROM or the RAM by fast access from a master processor.
It is a first object of this invention to provide an improved fail-safe system in integrated control of a vehicle.
It is a second object of this invention to provide an improved method of fail-safe.
A first aspect of this invention provides a fail-safe system used in integrated control of a vehicle. The fail-safe system comprises a plurality of actuators for actuating a plurality of structural elements provided on the vehicle, respectively; a plurality of sensors for detecting state quantities used in control of operation of the structural elements, respectively; a plurality of structural-element control portions for driving and controlling the actuators on the basis of the state quantities detected by the sensors according to preset control programs, respectively, wherein preset priority degrees are given to the structural-element control portions respectively; a manager control portion for storing one or more substitute programs designed to implement functions of ones among the structural-element control portions which are necessary for travel of the vehicle; a communication line; wherein actuators and sensors among the actuators and the sensors which are necessary for travel of the vehicle, the structural-element control portions, and the manager control portion are connected to the communication line to implement communications thereamong; failure detecting means for detecting failures of the structural-element control portions; and downloading means for, when the failure detecting means detects a failure of one of the structural-element control portions which is necessary for travel of the vehicle, selecting one from non-failed ones of the structural-element control portions as a download destination in accordance with the priority degrees and downloading the substitute program corresponding to the failed structural-element control portion into the selected download-destination structural-element control portion, the selected download-destination structural-element control portion being lower in priority degree than the failed structural-element control portion; wherein the download-destination structural-element control portion drives and controls the actuator corresponding to the failed structural-element control portion on the basis of the state quantity detected by the sensor corresponding to the failed structural-element control portion according to the downloaded substitute program.
A second aspect of this invention provides a method of fail-safe used in integrated control of a vehicle. The method comprises the steps of detecting state quantities used in control of operation of vehicle structural elements actuated by actuators; enabling structural-element control portions to drive and control the actuators on the basis of the detected state quantities according to preset control programs, respectively, wherein preset priority degrees are given to the structural-element control portions respectively; detecting whether or not each of ones among the structural-element control portions which are necessary for travel of the vehicle fails; and when it is detected that one among the structural-element control portions which is necessary for travel of the vehicle fails, selecting one from non-failed ones of the structural-element control portions as a download destination in accordance with the priority degrees and downloading a substitute program corresponding to the failed structural-element control portion into the selected download-destination structural-element control portion, the selected download-destination structural-element control portion being lower in priority degree than the failed structural-element control portion; wherein the download-destination structural-element control portion drives and controls the actuator corresponding to the failed structural-element control portion on the basis of the detected state quantity corresponding to the failed structural-element control portion according to the downloaded substitute program.
A third aspect of this invention provides a fail-safe system used in integrated control of a vehicle. The fail-safe system comprises a plurality of input/output elements; a plurality of structural-element control portions for operation with the input/output elements according to preset control programs, respectively, wherein preset priority degrees are given to the structural-element control portions respectively; a manager control portion for storing one or more substitute programs designed to implement functions of ones among the structural-element control portions which are necessary for travel of the vehicle; a communication line; wherein ones among the input/output elements which are necessary for travel of the vehicle, the structural-element control portions, and the manager control portion are connected to the communication line to implement communications thereamong; failure detecting means for detecting failures of the structural-element control portions; and downloading means for, when the failure detecting means detects a failure of one of the structural-element control portions which is necessary for travel of the vehicle, selecting one from non-failed ones of the structural-element control portions as a download destination in accordance with the priority degrees and downloading the substitute program corresponding to the failed structural-element control portion into the selected download-destination structural-element control portion, the selected download-destination structural-element control portion being lower in priority degree than the failed structural-element control portion; wherein the download-destination structural-element control portion serves for the failed structural-element control portion according to the downloaded substitute program.
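The failure-detection and download-destination selection that the first, second and third aspects describe, as an added simulation that is not part of the patent. The heartbeat-based failure detection, the choice of the lowest-priority eligible portion, the rule that a portion hosts at most one substitute program, and the controller names and priority degrees are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass
class Controller:
    """A structural-element control portion connected to the communication line."""
    name: str
    priority: int                  # preset priority degree; larger means higher
    necessary_for_travel: bool
    failed: bool = False
    substitute_program: Optional[str] = None   # program downloaded into this portion
class ManagerControlPortion:
    """Stores the substitute programs; does failure detection and downloading."""
    def __init__(self, controllers, substitute_programs):
        self.controllers = {c.name: c for c in controllers}
        self.substitute_programs = dict(substitute_programs)  # only travel-critical portions

    def detect_failures(self, heartbeats):
        """Assumed failure detection: a portion that sent no heartbeat this cycle has failed."""
        for c in self.controllers.values():
            if c.name not in heartbeats:
                c.failed = True
        return sorted(c.name for c in self.controllers.values() if c.failed)

    def select_download_destination(self, failed_name):
        """Non-failed portion with a lower priority degree than the failed one.
        Assumptions: the lowest-priority candidate is taken so higher-priority
        functions stay untouched, and one portion hosts at most one substitute."""
        failed = self.controllers[failed_name]
        candidates = [c for c in self.controllers.values()
                      if not c.failed and c.priority < failed.priority
                      and c.substitute_program is None]
        return min(candidates, key=lambda c: c.priority) if candidates else None

    def handle_failure(self, failed_name):
        """Download the substitute program; returns the destination name, or None."""
        failed = self.controllers[failed_name]
        if not failed.necessary_for_travel or failed_name not in self.substitute_programs:
            return None   # nothing stored for this portion, so nothing to download
        dest = self.select_download_destination(failed_name)
        if dest is None:
            return None   # no eligible destination: the substitute cannot be hosted
        dest.substitute_program = self.substitute_programs[failed_name]
        return dest.name
def build_demo_manager():
    """Constructed sample: three portions with distinct priority degrees."""
    portions = [Controller("engine", 3, True), Controller("transmission", 2, True),
                Controller("air_conditioner", 1, False)]
    return ManagerControlPortion(portions, {"engine": "engine_substitute",
                                            "transmission": "transmission_substitute"})
```

With the constructed sample, an engine failure is taken over by the air-conditioner portion; a later transmission failure finds no eligible destination, because the only lower-priority portion already hosts a substitute.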