1. Field of the Invention
The present invention relates to an arithmetic and control unit, and more particularly to an arithmetic and control unit with enhanced reliability of fault detection in antilock brake control.
2. Description of the Prior Art
Antilock brake control which is adopted for securing safety during travel of a vehicle requires an extraordinarily high reliability since malfunctions of the control device is directly responsible to the human life. In the meantime, when a malfunction occurred due to an unforeseen factor such as noise, it is desirable to reset the control device to the normally controlled state as quickly as possible.
In FIG. 7 is shown a block diagram of a conventional arithmetic and control unit for antilock brake control established to satisfy such a requirement.
An arithmetic and control unit 70 has a control unit 71 which executes antilock brake control and a monitor unit 72 which monitors the operating conditions of the control unit 71.
The control unit 71 is provided with a main control means 73, a diagnostic pulse generating means 74 and a reset signal input means 75. The main control means 73 inputs a plurality of wheel speed sensor signals such as wheel speed, calculates the controlled value of the break fluid pressure based on a control program set in advance, and outputs a break control signal CTL. The diagnostic pulse generating means 74 outputs a diagnostic pulse DCP having a cycle T1 in a prescribed range by receiving a diagnostic pulse instruction signal IDP transmitted from the main control means 73 at every completion of a unit control operation. The reset signal input means 75 inputs a pulse-form reset signal RST1 to shape its waveform and outputs the result, an internal reset signal RST2, to the diagnostic pulse generating means 74 and the main control means 73.
The monitor unit 72 is provided with a clock means 76, a reset signal output means 77 and a warning generating means 78. The clock means 76 measures the cycle T1 of the diagnostic pulse DCP by counting the clock and diagnoses the operating conditions of the control unit 71. When the diagnostic pulse DCP is not received within a prescribed overflow decision time T2, the counted value of the clock means overflows, and a warning instruction signal IW and a reset instruction signal RST0 are sent to active level. When the warning instruction signal IW is received, the warning generating means 78 outputs an abnormality warning signal WRN to the outside. When the reset instruction signal RST0 is received, the reset signal output means 77 outputs a pulse-form reset signal RST1 to the control unit 71.
FIG. 8 shows operating timing charts of the control unit 71 and the monitor unit 72. FIG. 8A is an operating timing chart when abnormal operation occurred continuously after a normal operation. In the normal operation condition, since the control program is set so as to execute a diagnostic pulse issue instruction routine at every completion of execution of the unit control of the main control means, the diagnostic pulse DCP of cycle T1 is output from the diagnostic pulse generating means 74. An overflow decision time T2 (100 ms, for example) of the clock means 76 is set to be sufficiently large compared with the cycle T1 (10 ms, for example) of the diagnostic pulse DCP, so that the clock means 76 decides that execution of the control operation is normal when it detects an edge (for example, the trailing edge as in FIG. 8) of the diagnostic pulse DCP within the measurement allowable time T2.
In contrast, if the system runs away due to abnormality in the execution of the control program of the main control part caused by some factor, the diagnostic pulse generating means 74 will cease to generate the diagnostic pulse DCP because the operation detours the diagnostic pulse issue instruction routine of the control program. Since an edge of the diagnostic pulse DCP cannot be detected within the overflow decision time T2, the clock means 76 outputs the warning instruction signal IW at active level by deciding that the control unit 71 is in an abnormal state, and the warning generation means 78 outputs the abnormality warning signal WRN. At the same time, the clock means 76 causes the reset signal output means 77 to generate the pulse-form reset signal RST1, and reactivates the diagnostic pulse generating means 74 and the main control means 73 via the reset signal input means 75.
If the factor of runaway in the execution of the control program is due to transitory noise or the like from the outside, the system returns to the normal condition by reactivation of the main control means 73, so that the diagnostic pulse DCP is sent to the clock means 76 with the cycle of T1, thereafter it is decided that the system is in the normal conditions.
If the runaway factor of the control program is caused by continuous abnormality of the wheel speed sensor signal SW, failure of the main control means 73, failure of the diagnostic pulse generating means 74, or the like, the system does not return to the normal operation even by the reset signal RST1, and the abnormality warning signal WRN is output continuously as shown in operating timing chart FIG. 8A.
As in the above, in the conventional arithmetic and control unit 70 shown in FIG. 7, against a continuously generated abnormality, it is possible to take a countermeasure such as stopping the antilock brake control by continuous generation of the abnormality warning signal, and against a transitory abnormality by noise or the like, it is possible to let the system return to the normal state by resetting it once and activating it again let it resume the antilock brake control.
However, if the main control means 73 of the control unit 71 is in trouble, and the system runs away only when a specific processing routine in the control program is executed, the abnormal state occurs irregularly and intermittently or sporadically.
FIG. 8B is an operating timing chart for an example in which an abnormal state of the control unit occurs intermittently. Here, whenever the clock means 74 decides it as an abnormal state and reactivates the main control means 73 by generating the pulse-form reset signal RST1, the system returns to the normal state, but it repeats to go back to the abnormal state. In such a case, since the abnormality warning signal WRN is not generated continuously in spite of the failure of the control unit 71, antilock brake control is not stopped, and the vehicle travels in a potentially hazardous state which is embracing a failure.
Moreover, when the clock means 76, for example, of the monitor unit 72 is in failure, it becomes impossible to detect abnormality of the control unit, but the conventional arithmetic and control unit 70 is not in possession of a means to inspect whether or not the monitor unit operates normally.
Object of the Invention
It is the object of the present invention to provide an arithmetic and control unit which is provided with both of the function of inspecting whether the monitor unit is normal or not, that is, whether the inspection of abnormality of the control unit is possible or not, and the function of deciding such a failure in which the control unit exhibits abnormal state with irregular intervals as a failure and generating a failure warning signal.
Summary of the Invention
The arithmetic and control unit according to the present invention has a monitor unit which counts the cycle time by receiving the diagnostic pulse, and generates an overflow bit that takes on a prescribed state value when it decides that the cycle time is larger than a prescribed overflow decision time and outputs it at a lapse of a prescribed time, and outputs a pulse-form reset signal as active level during a prescribed time when the overflow bit is the prescribed state value, as well as a control unit which generates a diagnostic pulse at every execution of a unit control during control operation, is reactivated when active level of the reset signal is received and inputs and stores the overflow bit after an activation including a reactivation, and when the stored overflow bit is not a prescribed state value, stops the output of the diagnostic pulse to the monitor unit during a monitor unit inspection time which is larger than the overflow decision time by deciding it to be an initial activation and generates a failure warning signal if the reset signal is not received within the monitor unit inspection time, and when the stored overflow bit is the prescribed state value, it is decided to be a reactivation, and also outputs a failure warning signal if the number of times of overflow updated by adding 1 to the number of times of overflow stored in a nonvolatile memory exceeds a prescribed allowable number of times.