1. Field of the Invention
The present invention relates to an electronic controller used mainly in a vehicle control system, and particularly to a fail-safe function for an electronic controller with fault diagnosing ability configured in one or more integrated circuits or for a system equipped with such an electronic controller.
2. Description of Related Art
On vehicles, electronic control units (hereinafter "ECUs") are used for, e.g., anti-lock brake systems (hereinafter "ABS" systems) and traction control systems (hereinafter "TRC" systems). A crucial feature of these systems and the ECUs used in these systems is a fail-safe capability for ensuring the safety of the vehicle.
For example, if the ECU of an ABS system fails, the conventional foot brake function must be restored immediately. As shown in FIG. 3, for this switching operation to the safety side to take place swiftly in the event of ECU failure, the ECU generally includes a fail-safe relay 54 as well as an associated relay drive circuit 52, an intra-ECU power circuit 42, a central processing unit (CPU) 49 and a drive circuit 51 for the actuator 53.
The CPU 49 is used for processing data in carrying out the ABS operation. The fail-safe relay 54 is activated when an ECU abnormality is detected based on the mutual monitoring among the CPUs of control systems, including ROM check, RAM check and routine skip check through the mutual communication lines, or based on the watchdog pulse monitoring by the monitoring circuit 47 as is known in the art.
Multistage intervals between transmission and reception of watchdog pulse signals enable detection of routine skip and discrimination of abnormalities such as routine skip and runaway computations in the CPU 49.
The intra-ECU power circuit 42 which stabilizes the supply voltage from the battery 41, the output over-current limiter circuit 43, the IC overheat protection circuit 44, the IC over-voltage protection circuit 45, the output power control circuit 46, the watchdog pulse monitoring circuit 47 and the CPU reset circuit 48 are generally integrated in one IC package. The CPU 49, the sensor signal processing circuit 50, the actuator drive circuit 51 and the fail-safe relay drive circuit 52 are generally built in individual IC packages.
However, recent high-performance ECUs have an increased scale and complexity of internal circuit arrangement, and the above-mentioned ECU diagnosis based on the mutual CPU monitoring or watchdog pulse monitoring is limited in its ability of abnormality detection only to circuits that generate watchdog pulses or the like. On this account, the ECU diagnosis covers only important circuits, and it may fail to accurately detect an abnormality occurring, for example, in the actuator drive circuit 51 which activates the actuator of the anti-lock brake system or the like in response to the CPU output signal or in the sensor signal processing circuit 50 which delivers the sensor output signal to the CPU.