Advances in automated control have increased the need for safety and reliability in electronic control apparatuses. To achieve safety in an electronic control apparatus, a fault must be detected as soon as it occurs and operation brought to a stop. A more recent requirement is to enable continued operation while ensuring safety even when a fault occurs. Take, for instance, an automotive electric power steering system. Should a fault occur, the system is required to stop immediately, specifically to disable steering effort assist by the electric motor, if self-steer or another hazardous operation could be performed during the faulty condition, thereby preventing such a hazardous operation.
Lately, because of enhanced performance accompanying the advances in technology, vehicles with greater weight have come to incorporate electric power steering systems. As a result, if the steering effort assist by the electric motor is disabled when a fault occurs, a large steering effort is required in vehicles with greater weight, which makes manual steering difficult. The electric power steering system incorporated in such a vehicle with greater weight is thus required to continue operating, while ensuring safety, even when a fault occurs.
To detect a fault of a first microprocessor that controls an object under control, a method is widely known in which a monitoring microprocessor is incorporated, and the monitoring microprocessor and the first microprocessor cross-check each other. Another known method makes the first microprocessor redundant (doubling) and performs a comparative check of the outputs from the two first microprocessors.
Without doubling of the first microprocessor, a control logic circuit or a data path may be formed of redundancy code logic, such as a parity or an error detection and correction code, or an inspection circuit may be incorporated to perform a self-check. Alternatively, as disclosed in Patent Document 1, a torque monitoring function is incorporated in addition to a first microprocessor, and the first microprocessor is determined to be faulty when excessive steering torque is input from a torque sensor. In addition, to allow operation to continue while ensuring safety of the electronic control apparatus when a fault occurs, a method is widely used in which each of the subsystems constituting the control apparatus is made redundant.
Patent Document 1
    JP-2005-315840-A