CN114488897A - Functional security chip and working method thereof - Google Patents


Info

Publication number: CN114488897A
Authority: CN (China)
Prior art keywords: unit, management unit, communication management, operation unit, cpm
Legal status: Granted
Application number: CN202210100327.0A
Other languages: Chinese (zh)
Other versions: CN114488897B (en)
Inventors: 李震, 姚小强, 王凯, 赵晟禹
Current assignee: CRRC Qingdao Sifang Rolling Stock Research Institute Co Ltd
Original assignee: CRRC Qingdao Sifang Rolling Stock Research Institute Co Ltd
Events: application filed by CRRC Qingdao Sifang Rolling Stock Research Institute Co Ltd; priority to CN202210100327.0A; publication of CN114488897A; application granted; publication of CN114488897B; current legal status: active.

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00 Programme-control systems
    • G05B19/02 Programme-control systems electric
    • G05B19/04 Programme control other than numerical control, i.e. in sequence controllers or logic controllers
    • G05B19/042 Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
    • G05B19/0423 Input/output
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00 Program-control systems
    • G05B2219/20 Pc systems
    • G05B2219/24 Pc safety
    • G05B2219/24215 Scada supervisory control and data acquisition
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The invention discloses a functional security chip and a working method thereof. The functional security chip comprises: an operation unit for performing operation processing on received information; a communication management unit, connected to the operation unit through an Ethernet bus and an SPI bus, which receives external information through an external bus interface, sends the information to the operation unit through the Ethernet bus, receives the periodic operation results output by the operation unit and performs comparative analysis on them; and a fault management unit connected to the communication management unit. The communication management unit sends state signals of the communication management unit and the operation unit to the fault management unit, and the fault management unit controls the powering on and off of the operation unit and the communication management unit through the power management unit according to those state signals. The functional safety chip provided by the invention is small in size, easy to develop and easy to maintain.

Description

Functional security chip and working method thereof
Technical Field
The invention relates to the field of design of security chips, in particular to a functional security chip and a working method thereof.
Background
In recent years, security technologies in the field of electronic control have been rapidly developed, and information security technologies and functional security technologies have been attracting attention.
In the control fields of rail transit, automobiles, nuclear power and the like, the functional safety of a control system is of great importance, and if the design of the control system has serious defects, serious accidents such as personal and property loss, environmental hazard and the like can be caused. Therefore, in these critical control fields, product safety design techniques are very important, and electronic control system design needs to be developed according to the industry functional safety standard, and corresponding functional safety certification must be passed.
Conventional high-security level control systems typically use either a "two-out-of-two" or a "two-out-of-three" configuration. In "two out of two", 2 independent CPUs each perform the calculation and the results are compared: if they are consistent a command is output, and if they are inconsistent the system is guided to a safe state. "Two out of three" is similar: 3 independent CPUs each calculate, and if 2 or 3 results are consistent the majority result is output, while the CPU that produced the differing result is considered failed and its result is not adopted. Both modes involve the cooperation of multiple CPUs, and issues such as clocking, storage, communication, power supply and isolation must be handled between the CPUs, so the circuit board design is complex, many types of components are needed, the size is large, the cost is high, and maintenance and repair are difficult. The electronic control system is also prone to unstable operation because of device-consistency effects.
Disclosure of Invention
The invention provides a small-size and easy-to-develop functional safety chip and a working method thereof, aiming at the technical problems of complex design, large size, high cost, difficult maintenance and the like of an electronic control system cooperatively controlled by a plurality of CPUs.
In a first aspect, an embodiment of the present application provides a functional security chip, including:
the operation unit comprises a first operation unit and a second operation unit, and the first operation unit and the second operation unit are used for performing operation processing on received information;
the communication management unit is connected with the operation unit through an Ethernet bus and an SPI bus, and is used for receiving external information through an external bus interface, sending the information to the first operation unit and the second operation unit through the Ethernet bus, receiving the periodic operation results output by the first operation unit and the second operation unit, and carrying out comparative analysis on them;
the power supply management unit is used for connecting external power supply input and outputting power supply voltage required by the operation unit and the communication management unit;
the fault management unit is connected with the communication management unit through an IO line, the communication management unit sends state signals of the communication management unit and the operation unit to the fault management unit through the IO line, the fault management unit is connected with the power management unit, and the fault management unit controls the operation unit and the communication management unit to be powered on and powered off through the power management unit according to the state signals;
and the bus isolator is used for electrically isolating the communication management unit from the operation unit, and the SPI bus between the communication management unit and the operation unit is connected through the bus isolator.
In the functional security chip, the communication management unit is further connected to the operation unit through a synchronous periodic signal line, and the communication management unit simultaneously outputs a synchronous periodic signal to the first operation unit and the second operation unit through the synchronous periodic signal line to enable the first operation unit and the second operation unit to operate synchronously.
In the functional security chip, after the synchronization between the first operation unit and the second operation unit is completed, the operation is performed according to the information sent by the communication management unit, and the cycle operation result is sent to the communication management unit at the same time of each synchronization cycle.
In the functional security chip, the communication management unit is further connected to the operation unit through a reset control line, and the communication management unit outputs a reset command signal through the reset control line to reset the operation unit.
In the functional security chip, the reset control line and the synchronous periodic signal line are connected to the communication management unit and the operation unit through the bus isolator.
The functional security chip described above further includes:
the operation storage unit is connected with the operation unit and is used for storing the executable codes of the operation unit;
a program storage unit for storing an executable code of the communication management unit;
and the application storage unit is used for storing general data in the operation process of the communication management unit, and the program storage unit, the application storage unit and the communication management unit are interconnected through a 16-bit bus.
In the functional security chip, the chip selection signal of the operation unit is connected to the chip selection signal of the operation storage unit and, after passing through an inverter, to the enable signal of a bus switch circuit. When the chip selection signal of the operation unit is at a low level, the operation unit reads and writes the operation storage unit; when the chip selection signal of the operation unit is at a high level, the operation unit writes the periodic operation result into the communication management unit through the bus switch circuit and the bus isolator.
In the functional security chip, a memory area is arranged inside the communication management unit for storing the received cycle operation results. The memory area is divided into a plurality of data segments; after the communication management unit receives a cycle operation result, it extracts the cycle number accumulated value of the operation unit and stores the cycle operation result into the corresponding data segment of the memory area according to that value.
In the functional safety chip, the fault management unit is further connected with an external power switch, and the fault management unit controls the external power switch to switch on or off the power supply of the operation unit according to the state signal of the operation unit sent by the communication management unit.
In a second aspect, an embodiment of the present application provides a working method of a functional security chip, including:
a communication management unit starting step: powering on a communication management unit, wherein the communication management unit reads executable codes of the communication management unit from a program storage unit;
an operation unit starting step: after the communication management unit has started, the operation unit is powered on; with its chip selection signal driven to a low level, the operation unit reads its executable code from the operation storage unit through the SPI bus and starts up;
a signal synchronization step: after the operation units are started, a first operation unit and a second operation unit in the operation units receive a synchronous periodic signal sent by the communication management unit, and the first operation unit and the second operation unit run synchronously according to the synchronous periodic signal;
an information sending step: after receiving information through an external bus interface, the communication management unit sends the information to the first arithmetic unit and the second arithmetic unit through an Ethernet bus at the same time, and updates corresponding data variables in the first arithmetic unit and the second arithmetic unit according to the information;
an operation result sending step: at the same moment of each synchronous cycle, the first operation unit and the second operation unit send their cycle operation results to the communication management unit through the SPI bus or the Ethernet bus;
a result comparing step: after receiving a cycle operation result, the communication management unit stores it into the corresponding data segment according to the cycle number accumulated value and compares the cycle operation results of the first operation unit and the second operation unit; if the results are consistent, it outputs the result externally through the external bus interface, and if they are inconsistent, it records error data and prohibits the external output of the current result;
a signal resetting step: if the number of errors of the first operation unit or the second operation unit exceeds the upper limit, the communication management unit resets the first operation unit and the second operation unit simultaneously through a reset command signal and returns to the operation unit starting step;
a power-off reset step: if the first operation unit and the second operation unit are not successfully reset by the reset command signal, the fault management unit, according to the state signal of the operation unit sent by the communication management unit, forces the first operation unit and the second operation unit to power off and then powers them on again, and the method returns to the operation unit starting step.
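The result comparing, signal resetting and power-off reset steps above, as an added C simulation of the CMU decision logic that is not part of the patent: the segment count, the error upper limit and the rule for judging a reset as failed (agreement is not restored before the limit is exceeded again) are constructed assumptions, since the patent gives no values for them.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed parameters: the patent describes a segmented memory area,
 * an error upper limit and a reset-failure condition but gives no values. */
#define CMU_SEGMENTS     8   /* data segments in the CMU result memory area */
#define CMU_ERROR_LIMIT  3   /* mismatches tolerated before a reset command */
#define CMU_RESET_LIMIT  1   /* reset commands tolerated before power-off */

enum cmu_action {
    CMU_WAIT,       /* only one CPM has reported for this cycle so far */
    CMU_OUTPUT,     /* results agree: result goes out on the external bus */
    CMU_INHIBIT,    /* results differ: error recorded, output suppressed */
    CMU_RESET_CPM,  /* error limit exceeded: reset CPM-A and CPM-B together */
    CMU_POWER_OFF   /* reset did not restore agreement: FMU power-off reset */
};

struct cmu_segment {
    uint32_t cycle;      /* cycle-number accumulated value held in this segment */
    uint32_t result[2];  /* result from CPM-A (index 0) and CPM-B (index 1) */
    bool     have[2];    /* which CPM has reported for this cycle */
};

struct cmu_state {
    struct cmu_segment seg[CMU_SEGMENTS];
    unsigned mismatches;     /* disagreeing cycles since the last agreement */
    unsigned resets;         /* reset commands issued since the last agreement */
    unsigned errors_logged;  /* error records written (to the ASU on the chip) */
    uint32_t last_output;    /* last result that was allowed out */
};

void cmu_init(struct cmu_state *c)
{
    memset(c, 0, sizeof *c);
}

/* The data segment is selected from the cycle number accumulated value. */
unsigned cmu_segment_index(uint32_t cycle)
{
    return cycle % CMU_SEGMENTS;
}

/* Result comparing step: one CPM (0 = CPM-A, 1 = CPM-B) delivers its
 * result for one cycle; the decision is made once both have reported. */
enum cmu_action cmu_receive(struct cmu_state *c, int cpm, uint32_t cycle,
                            uint32_t result)
{
    struct cmu_segment *s = &c->seg[cmu_segment_index(cycle)];

    if (s->cycle != cycle) {              /* segment reused for a newer cycle */
        s->cycle = cycle;
        s->have[0] = s->have[1] = false;
    }
    s->result[cpm] = result;
    s->have[cpm] = true;
    if (!(s->have[0] && s->have[1]))
        return CMU_WAIT;

    if (s->result[0] == s->result[1]) {
        c->mismatches = 0;                /* agreement: any earlier reset worked */
        c->resets = 0;
        c->last_output = result;
        return CMU_OUTPUT;
    }

    c->errors_logged++;                   /* record error data, inhibit output */
    if (++c->mismatches <= CMU_ERROR_LIMIT)
        return CMU_INHIBIT;

    /* Signal resetting step: the error count is over the upper limit. */
    c->mismatches = 0;
    if (++c->resets <= CMU_RESET_LIMIT)
        return CMU_RESET_CPM;

    /* Power-off reset step: the reset command did not restore agreement. */
    return CMU_POWER_OFF;
}

/* Both CPMs report in the same synchronous cycle; returns the CMU decision. */
enum cmu_action cmu_run_cycle(struct cmu_state *c, uint32_t cycle,
                              uint32_t res_a, uint32_t res_b)
{
    cmu_receive(c, 0, cycle, res_a);
    return cmu_receive(c, 1, cycle, res_b);
}
```

After cmu_init, feed each synchronous cycle with cmu_run_cycle(&state, cycle, result_a, result_b); the returned enum is the CMU's decision for that cycle, and last_output holds the most recent result released to the external bus.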
Compared with the prior art, the invention has the advantages and positive effects that:
1. the functional safety chip has the safety functions of electrical isolation design and operation result comparison verification, the operation unit and the communication management unit can carry out isolation communication in two modes, and only under the condition that comparison analysis passes, a synthesized result is sent out through an external bus, so that the safety of the calculation result of the functional safety chip is ensured;
2. the functional security chip is internally provided with a synchronization mechanism, and a synchronization periodic signal line between the communication management unit and the two operation units can ensure the pace between the two operation units to be consistent;
3. the functional safety chip has self-detection and fault self-recovery functions, when the operation unit has a fault, the operation unit can be reset by a reset signal or a power-off reset mode, and when the reset fails, the functional safety chip prohibits sending abnormal data to the outside to ensure the functional safety;
4. compared with the traditional design scheme of discrete devices of the functional safety controller, the design scheme of the safety chip can greatly reduce the design difficulty of the functional safety control system, reduce the number of devices of the functional safety control system, reduce the area of a circuit board to realize miniaturization, improve the design consistency of the control system and improve the reliability of the safety control system. The device is convenient to design, produce and maintain, so that the overall cost of the functional safety control system is effectively reduced, and the economic benefit is better.
Drawings
FIG. 1 is a schematic diagram of the internal structure of a functional security chip according to the present invention;
FIG. 2 is a circuit diagram of the connection between the communication management unit and the operation unit according to the present invention;
FIG. 3 is a schematic diagram of the memory allocation of a communication management unit according to the present invention;
FIG. 4 is a timing diagram of the periodic operation provided by the present invention;
FIG. 5 is a schematic diagram illustrating the steps of a method for operating a functional security chip according to the present invention;
FIG. 6 is a schematic diagram of the work flow of the functional security chip provided by the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more clearly understood, the present application is described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any inventive step are within the scope of protection of the present application.
It is obvious that the drawings in the following description are only examples or embodiments of the application, and that it is also possible for a person skilled in the art to apply the application to other similar contexts on the basis of these drawings without inventive effort. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of ordinary skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.
Unless otherwise defined, technical or scientific terms referred to herein should have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar words throughout this application are not to be construed as limiting in number, and may refer to the singular or the plural. The present application is directed to the use of the terms "including," "comprising," "having," and any variations thereof, which are intended to cover non-exclusive inclusions; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Reference to "connected," "coupled," and the like in this application is not intended to be limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. The term "plurality" as referred to herein means two or more. "and/or" describes the association relationship of the associated object, indicating that there may be three relationships, for example, "a and/or B" may indicate: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. Reference herein to the terms "first," "second," "third," and the like, are merely to distinguish similar objects and do not denote a particular ordering for the objects.
The present invention is described in detail with reference to the embodiments shown in the drawings, but it should be understood that these embodiments are not intended to limit the present invention, and those skilled in the art should understand that functional, methodological, or structural equivalents or substitutions made by these embodiments are within the scope of the present invention.
The functional safety chip is mainly applied in scenarios with high functional safety requirements, for example in the field of rail transit electronic control, in systems with a major influence on passenger safety and safe equipment operation such as train signal control systems, train brake control systems and train anti-collision control systems. Compared with safety control equipment built from discrete devices, one such safety chip can realize the functions of several conventional main control chips, which greatly reduces the board area occupied, simplifies the peripheral layout of the control circuit board and raises system reliability.
The first embodiment is as follows:
FIG. 1 is a schematic diagram of the internal structure of a functional security chip according to the present invention. As shown in FIG. 1, the functional security chip FSC includes 2 operation units: the computing unit CPM-A and the computing unit CPM-B; 1 communication management unit CMU; 4 storage units: a program storage unit PSU-A, an application storage unit ASU, a storage unit MEM-A and a storage unit MEM-B; 2 DDR3 modules: DDR3-A and DDR3-B; 3 power management units: power management units A, B and C; 2 bus switch circuits: a bus switch circuit SW-A and a bus switch circuit SW-B; 1 fault management unit FMU; 3 crystal oscillator modules: crystal oscillator modules A, B and C; 6 Ethernet interface units: Ethernet units A, B, C, D, E and F; 2 CAN interface units: CAN units A and B; 2 serial interface units: serial port units A and B.
The main function of the operation unit (CPM) is operation processing, the functions of the CPM-A, CPM-B are completely the same, and 2 operation units are electrically isolated. Each operation unit is provided with an independent DDR3 module, a storage unit, a power management unit, a crystal oscillator module and an Ethernet unit. Specifically, the DDR3 module is used for providing internal high-speed storage for the CPM, the storage unit is used for storing executable codes of the CPM, the crystal oscillator module is used for providing a clock crystal oscillator with fixed frequency for the CPM, the power management unit is connected with external power supply input and generates power supply voltage required by the work of the CPM, the Ethernet unit is responsible for an external Ethernet interface of the CPM, each CPM externally provides an MMC bus interface, the MMC bus can be connected with an SD card, and program offline upgrading and external storage expansion can be achieved.
In some embodiments, each arithmetic unit (CPM) is electrically isolated from a Communications Management Unit (CMU) to which the CPM is connected via an ethernet bus. Specifically, 2 network transformers, namely a network transformer A and a network transformer B, are configured outside the functional security chip, and the CPM-A is connected with the CMU through an Ethernet unit A, the network transformer A and an Ethernet unit C; and the CPM-B is connected with the CMU through an Ethernet unit B, a network transformer B and an Ethernet unit D.
In some embodiments, the communication management unit is configured to receive external information through the external bus interface, send the information to the first operation unit and the second operation unit through the Ethernet bus, and receive and compare the periodic operation results output by the first operation unit and the second operation unit. Specifically, the main functions of the Communication Management Unit (CMU) include: receiving the operation results output by the 2 operation units (CPM), comparing them, and prohibiting results that do not match from being output; managing external communication, that is, communicating with the outside through Ethernet units E and F, CAN units A and B and serial port units A and B, receiving external information and sending processing results to the outside; monitoring the running states of the 2 operation units and the CMU itself, and when an abnormality is found, cutting off the power supply of the CPM through the fault management unit FMU or resetting the CPM through RST-A and RST-B; recording operation process data and storing it in the Application Storage Unit (ASU); and updating the executable code of CPM-A or CPM-B online over Ethernet unit C or D.
In some embodiments, the fault management unit is connected with the communication management unit through IO lines, and the communication management unit sends status signals of the communication management unit and the operation units to the fault management unit through these IO lines. In an embodiment of the present invention, the Communication Management Unit (CMU) and the Fault Management Unit (FMU) are connected through 3 IO lines, PIO-A, PIO-B and PIO-C, which represent the operating status of CPM-A, CPM-B and the CMU respectively. When CPM-A, CPM-B and the CMU operate normally, the CMU sends a PWM square wave signal to the FMU on PIO-A, PIO-B and PIO-C. If CPM-A, CPM-B or the CMU has a serious fault (for example, the vital signal sent by a CPM to the CMU stops updating, or the CMU finds that the data comparison result of CPM-A and CPM-B is continuously wrong), the CMU drives the PIO-A, PIO-B or PIO-C signal to 0. If the FMU detects that the PIO-A, PIO-B or PIO-C signal has remained unchanged for 1.5 s, it considers the corresponding module to have failed severely.
Meanwhile, the fault management unit is connected with the power management unit. The power management unit connects to the external power supply input and outputs the power supply voltages required by the operation unit and the communication management unit, and the fault management unit controls the powering on and off of the operation unit and the communication management unit through the power management unit according to the state signals. Further, the FMU is connected with the enable signal PMC-EN of power management unit C, and when the CMU works abnormally the FMU controls power management unit C to stop its output so as to reset the CMU.
The fault management unit is also connected with the external power switches, and controls them to switch the power supply of the operation units on or off according to the state signal of the operation unit sent by the communication management unit. The external power switches comprise a power switch A and a power switch B, and the FMU is connected with their enable signals PMA-EN and PMB-EN respectively. When CPM-A (or CPM-B) works abnormally, the CMU, through PIO-A (or PIO-B), causes external power switch A (or B) to cut off the power supply of CPM-A (or CPM-B), forcing it to stop working.
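An added C simulation (not the patent's own code) of the FMU heartbeat monitoring described above: each PIO line is sampled, a changing level counts as a live PWM heartbeat, and a line that stays unchanged for 1.5 s latches a serious fault that drops that module's supply enable (PMA-EN, PMB-EN or PMC-EN). The stimulus helpers, their sample timings and the repower behaviour are constructed for the simulation and are not specified by the patent.

```c
#include <stdbool.h>
#include <stdint.h>

#define FMU_TIMEOUT_MS 1500u   /* PIO line unchanged for 1.5 s => serious fault */
#define FMU_LINES      3

/* IO lines from the CMU, one per monitored module: CPM-A, CPM-B, CMU. */
enum fmu_line { PIO_A = 0, PIO_B = 1, PIO_C = 2 };

struct fmu_line_state {
    int      level;         /* last sampled logic level */
    uint32_t last_edge_ms;  /* time of the last level change */
    bool     failed;        /* latched serious-fault verdict */
};

struct fmu_state {
    struct fmu_line_state line[FMU_LINES];
    bool pma_en;  /* PMA-EN: external power switch A (CPM-A supply) */
    bool pmb_en;  /* PMB-EN: external power switch B (CPM-B supply) */
    bool pmc_en;  /* PMC-EN: power management unit C (CMU supply) */
};

void fmu_init(struct fmu_state *f, uint32_t now_ms)
{
    for (int i = 0; i < FMU_LINES; i++) {
        f->line[i].level = 0;
        f->line[i].last_edge_ms = now_ms;
        f->line[i].failed = false;
    }
    f->pma_en = f->pmb_en = f->pmc_en = true;
}

/* Supply enable that the FMU drops when the given line reports a fault. */
static bool *fmu_enable_for(struct fmu_state *f, enum fmu_line l)
{
    switch (l) {
    case PIO_A:  return &f->pma_en;
    case PIO_B:  return &f->pmb_en;
    default:     return &f->pmc_en;
    }
}

/* One sample of a PIO line at time now_ms. A level change is a live PWM
 * heartbeat; a level unchanged for FMU_TIMEOUT_MS latches a serious fault
 * and cuts the module's supply enable. Returns the current verdict. */
bool fmu_sample(struct fmu_state *f, enum fmu_line l, int level, uint32_t now_ms)
{
    struct fmu_line_state *s = &f->line[l];

    if (level != s->level) {
        s->level = level;
        s->last_edge_ms = now_ms;
    } else if (!s->failed && now_ms - s->last_edge_ms >= FMU_TIMEOUT_MS) {
        s->failed = true;
        *fmu_enable_for(f, l) = false;
    }
    return s->failed;
}

/* Power-off reset (constructed): the supply is re-enabled and the line is
 * judged afresh from now_ms, as the module restarts after power-on. */
void fmu_repower(struct fmu_state *f, enum fmu_line l, uint32_t now_ms)
{
    f->line[l].failed = false;
    f->line[l].last_edge_ms = now_ms;
    *fmu_enable_for(f, l) = true;
}

/* Constructed stimulus: a healthy module's PWM heartbeat, toggling every
 * half_ms from from_ms to to_ms inclusive. Returns the verdict at the end. */
bool fmu_feed_square_wave(struct fmu_state *f, enum fmu_line l,
                          uint32_t from_ms, uint32_t to_ms, uint32_t half_ms)
{
    bool failed = false;
    int k = 0;
    for (uint32_t t = from_ms; t <= to_ms; t += half_ms, k++)
        failed = fmu_sample(f, l, k & 1, t);
    return failed;
}

/* Constructed stimulus: the CMU holds the line at a fixed level (0 on a
 * serious fault, per the patent), sampled every step_ms. */
bool fmu_feed_stuck(struct fmu_state *f, enum fmu_line l, int level,
                    uint32_t from_ms, uint32_t to_ms, uint32_t step_ms)
{
    bool failed = false;
    for (uint32_t t = from_ms; t <= to_ms; t += step_ms)
        failed = fmu_sample(f, l, level, t);
    return failed;
}
```

Silence shorter than 1.5 s is tolerated and only the faulted module's enable is dropped, so a CPM-A fault leaves CPM-B and the CMU powered.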
In some embodiments, the communication management unit is further connected to the operation units through synchronous periodic signal lines and reset control lines. The Communication Management Unit (CMU) is connected to the reset control lines RST-A and RST-B of the 2 operation units (CPM) through an external bus isolator, which ensures electrical isolation between the CMU and CPM-A, CPM-B. When CPM-A or CPM-B works abnormally, the CMU can forcibly reset it by driving RST-A or RST-B to 0. In the system power-on stage, the CMU holds CPM-A and CPM-B in the reset state by driving RST-A and RST-B to 0; after the power supply has stabilized, the CMU drives RST-A and RST-B to 1, CPM-A and CPM-B start reading their executable code from the storage units MEM-A and MEM-B, and their programs start running.
The Communication Management Unit (CMU) is connected with the synchronization cycle signal lines SYN-A and SYN-B of the 2 operation units (CPM-A, CPM-B) through an external bus isolator, and the CMU sends the synchronization cycle signals SYN-A and SYN-B to CPM-A and CPM-B simultaneously. SYN-A and SYN-B are the same periodic signal, as shown in FIG. 4: from time 0 to T1 the signal is high and from T1 to T2 it is low, and the lengths of T1 and T2 can be configured through the registers SYN_T1 and SYN_T2 of the CMU. The synchronous signal is configured according to the computing time required, so that application scenarios with different computing loads can be served. The operation unit CPM-A or CPM-B starts its synchronous operation on the rising edge.
The storage units arranged inside the functional security chip comprise: the operation storage unit, connected with the operation unit and used for storing the executable code of the operation unit, which consists of the storage unit MEM-A and the storage unit MEM-B; the program storage unit PSU-A, for storing the executable code of the communication management unit; and the application storage unit ASU, for storing general data produced during operation of the communication management unit. CPM-A (or CPM-B) of the functional security chip is provided with its own program storage unit MEM-A (or MEM-B). This structure ensures that the programs of CPM-A and CPM-B start simultaneously yet can be updated separately, giving the functional security chip better flexibility in use and allowing it to meet the requirements of different application scenarios.
The PSU-A, the ASU and the CMU are interconnected through a 16-bit bus: the chip selection signals CS-psua and CS-ASU of the PSU-A and the ASU are connected to the CMU, the 2 read enable control lines RD-psua and RD-ASU of the PSU-A and the ASU are connected to the CMU, and the 2 write enable signals WR-PSU and WR-ASU of the PSU-A and the ASU are connected to the CMU. The PSU-A is a program storage unit and stores the executable code of the CMU and the online-updatable executable code of CPM-A or CPM-B. The ASU is an application storage unit and stores general data produced during CMU operation.
In some embodiments, the SPI bus between the communication management unit and the operation unit is connected through a bus isolator. The bus isolator includes a digital isolator A and a digital isolator B, and the CMU is connected with CPM-A and CPM-B through digital isolator A and digital isolator B respectively. CPM-A is connected with the memory unit MEM-A through an SPI bus, and CPM-B is connected with MEM-B through an SPI bus. CPM-A drives the chip selection signal CS of MEM-A through its chip selection signal CS-A, and CS-A is connected, after passing through an inverter RS-A, to the enable signal of the bus switch circuit SW-A. When CS-A is low, MEM-A is enabled and SW-A is not enabled, so the MEM-A module can be read and written. When CS-A is high, SW-A is enabled and MEM-A is not enabled, and the periodic operation result can be written into the CMU through SW-A and digital isolator A.
CPM-B is connected with a chip selection signal CS of MEM-B through a chip selection signal CS-B, and CS-B is connected with an enabling signal of a bus switch circuit SW-B after passing through an inverter RS-B. When CS-B is low, MEM-B is enabled and SW-B is not enabled, at which time the MEM-B module can be read and written. When CS-B is high, SW-B is enabled, MEM-B is not enabled, and the periodic operation result can be written into CMU through SW-B and digital isolator B.
In general, the functional security chip is internally provided with an SPI bus selection circuit, and the CPM-A (or CPM-B) can communicate with a memory MEM-A (or MEM-B) or a CMU (programmable logic controller) through a digital isolator A (or digital isolator B) through the SPI bus. CPM-A (or CPM-B) can also communicate with CMU through Ethernet interface after passing through external isolation transformer.
As shown in the connection circuit between the CMU and the CPM-A, CPM-B in FIG. 2, there are 3 types of signals connected between the CMU and the CPM-A, CPM-B:
Signal of type 1: the synchronization command signals and reset command signals sent by the CMU to CPM-A and CPM-B. The synchronization command signal sent by the CMU to CPM-A is C-syna, and the reset command signal sent by the CMU to CPM-A is C-RST-cpma. The synchronization command signal sent by the CMU to CPM-B is C-synb, and the reset signal sent by the CMU to CPM-B is C-RST-cpmb. As shown in fig. 2.
Signal of type 2: the SPI bus communication signals sent by the CPM to the CMU. CPM-A and CPM-B are the masters of the SPI bus; the CMU, MEM-A and MEM-B are SPI slaves. CPM-A is connected with the SPI-A interface of the CMU, and the SPI bus signals sent by CPM-A to the CMU comprise: the SPI chip select signal CS-ma, the SPI clock signal CLK-ma, the SPI data signal DOUT-ma and the SPI data signal DIN-ma. CPM-B is connected with the SPI-B interface of the CMU, and the SPI bus signals sent by CPM-B to the CMU comprise: the SPI chip select signal CS-mb, the SPI clock signal CLK-mb, the SPI data signal DOUT-mb and the SPI data signal DIN-mb. As shown in fig. 2.
Signal of type 3: ethernet bus signals for mutual communication between CPM and CMU. The CPM-A is connected with the CMU through an Ethernet unit A, a network transformer A and an Ethernet unit C; and the CPM-B is connected with the CMU through an Ethernet unit B, a network transformer B and an Ethernet unit D. As shown in fig. 1.
CPM-A or CPM-B may communicate with the CMU either through the type 2 SPI signals (scheme A) or through the type 3 Ethernet signals (scheme B). A memory area is disposed inside the CMU and stores the received periodic operation data of CPM-A and CPM-B in separate areas, as shown in fig. 3:
The A data area of the CMU is divided into 10 data segments, numbered 0 to 9. After receiving the CPM-A packet rt1, the CMU extracts the cycle number accumulated value cc1 of CPM-A and calculates the remainder a = cc1 % 10. The remainder a is an integer from 0 to 9, and rt1 is stored directly in the data segment of the A data area whose sequence number is a.
Similarly, after receiving the CPM-B packet rt2, the CMU extracts the cycle number accumulated value cc2 of CPM-B and calculates the remainder b = cc2 % 10. The remainder b is an integer from 0 to 9, and rt2 is stored directly in the data segment of the B data area whose sequence number is b.
The CMU sends the information received from the external bus to the operation units CPM-A and CPM-B simultaneously through scheme B, at the falling edge of the synchronization control signals SYN-A and SYN-B. After CPM-A or CPM-B has started successfully, it performs program synchronization through the synchronization control signals SYN-A and SYN-B over the first N cycles, where N is set through the CMU register SYN_Count. This synchronization ensures that the programs of CPM-A and CPM-B run in step. After CPM-A and CPM-B are synchronized, each must complete the operations of the current cycle within time ct1, and the operation results rt1 and rt2 are sent to the CMU at time ct2 of each cycle. The timing relationship between ct1, ct2, T1 and T2, with ct2 + 20 ms < T2, is shown in fig. 4:
the data formats of the operation processing results rt1 and rt2 are as follows:
(Data format table of rt1 and rt2: shown as an image in the original, not reproduced in text.)
After receiving rt1 and rt2 from the operation units CPM-A and CPM-B, the CMU determines whether the data is normal by the following two conditions:
condition 1: it is checked whether the rt1 (and rt2) data is normal based on the CRC1 (and CRC2), and if the CRC check is passed, condition 2 is judged. If the CRC does not pass, the comparison of the cycle is terminated, an error is recorded, and the comparison judgment of the rt1 and the rt2 of the next cycle is continued.
Condition 2: it is judged whether cc1 (and cc2) is continuously increased (whether the sequence number of the packet is normal), and if so, the data can be considered normal.
If the above two conditions are satisfied, the CMU generates data fr output externally, and the fr data format is as follows:
(Data format table of fr: shown as an image in the original, not reproduced in text.)
after fr calculation is completed, the CMU will send the result over the external bus interface. The use of the external bus interface can be configured through an internal register of the CMU, so as to select a corresponding bus interface and a transmission rate.
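The store-check-compare path described above (segment index cc % 10, CRC check, cycle-count check, rt1/rt2 agreement, fr generation), written out as an added C example; this is not code from the patent. The packet field layout, the CRC-16/CCITT polynomial, the fr layout and the reading of "continuously increased" as strictly increasing are assumptions, because the patent's data formats exist only as figures.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define SEGMENTS    10   /* each CMU data area is split into segments numbered 0..9 */
#define PAYLOAD_LEN 8    /* assumed result size; the patent's field layout is only in a figure */

/* One periodic result rt1 / rt2. Field layout is an assumption: the patent states
 * only that the packet carries a cycle counter (cc1 / cc2) and a CRC (CRC1 / CRC2). */
typedef struct {
    uint32_t cc;                    /* cycle number accumulated value */
    uint8_t  payload[PAYLOAD_LEN];  /* operation result of this cycle */
    uint16_t crc;                   /* CRC over cc and payload */
} rt_packet_t;

/* One of the two data areas inside the CMU (A for CPM-A, B for CPM-B). */
typedef struct {
    rt_packet_t segment[SEGMENTS];  /* rt is stored in segment cc % 10 */
    uint32_t    last_cc;            /* last cc that passed both checks */
    bool        have_last;
    uint32_t    errors;             /* recorded errors, later compared against M */
} data_area_t;

/* CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF). The patent does not name its
 * polynomial, so this choice is an assumption of the example. */
static uint16_t crc16_ccitt(const uint8_t *data, size_t len)
{
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)data[i] << 8;
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* CRC over the protected bytes of a packet (cc followed by payload). */
static uint16_t rt_crc(const rt_packet_t *p)
{
    uint8_t buf[sizeof p->cc + PAYLOAD_LEN];
    memcpy(buf, &p->cc, sizeof p->cc);
    memcpy(buf + sizeof p->cc, p->payload, PAYLOAD_LEN);
    return crc16_ccitt(buf, sizeof buf);
}

/* Build a packet as a CPM would: fill cc and payload, then append the CRC. */
rt_packet_t rt_make(uint32_t cc, const uint8_t payload[PAYLOAD_LEN])
{
    rt_packet_t p;
    memset(&p, 0, sizeof p);
    p.cc = cc;
    memcpy(p.payload, payload, PAYLOAD_LEN);
    p.crc = rt_crc(&p);
    return p;
}

/* The packet is stored directly in the segment whose number is the remainder cc % 10. */
void cmu_store(data_area_t *area, const rt_packet_t *p)
{
    area->segment[p->cc % SEGMENTS] = *p;
}

/* Condition 1 (CRC) then condition 2 (cc keeps increasing). A failure records an error
 * and ends this cycle's comparison. "Continuously increased" is read here as strictly
 * greater than the last accepted cc (assumption). Returns true if the data is normal. */
bool cmu_check(data_area_t *area, const rt_packet_t *p)
{
    if (rt_crc(p) != p->crc) { area->errors++; return false; }
    if (area->have_last && p->cc <= area->last_cc) { area->errors++; return false; }
    area->last_cc   = p->cc;
    area->have_last = true;
    return true;
}

/* One CMU comparison cycle: store rt1 and rt2, validate both, compare the results and,
 * only if they agree, build fr. fr here is the agreed payload followed by its own CRC
 * (assumption: the patent says fr carries error-checking data; its layout is in a figure
 * not reproduced). Returns true when fr may go out on the external bus. */
bool cmu_cycle(data_area_t *a, data_area_t *b,
               const rt_packet_t *rt1, const rt_packet_t *rt2,
               uint8_t fr_out[PAYLOAD_LEN + 2])
{
    cmu_store(a, rt1);
    cmu_store(b, rt2);
    bool ok1 = cmu_check(a, rt1);
    bool ok2 = cmu_check(b, rt2);
    if (!ok1 || !ok2)
        return false;                       /* error already recorded, output suppressed */
    if (memcmp(rt1->payload, rt2->payload, PAYLOAD_LEN) != 0) {
        a->errors++;                        /* results disagree: charge both (assumption) */
        b->errors++;
        return false;
    }
    memcpy(fr_out, rt1->payload, PAYLOAD_LEN);
    uint16_t crc = crc16_ccitt(fr_out, PAYLOAD_LEN);
    fr_out[PAYLOAD_LEN]     = (uint8_t)(crc >> 8);
    fr_out[PAYLOAD_LEN + 1] = (uint8_t)(crc & 0xFF);
    return true;
}
```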
Therefore, the functional safety chip has the functions of safety data operation and comparison. The CMU is provided with two data storage areas for storing the data of CPM-A and CPM-B respectively, and each storage area is managed in segments. CPM-A and CPM-B start operation simultaneously after synchronization by the CMU synchronization command; the CMU stores the periodic operation results according to the remainders of the cycle accumulated values cc1 and cc2, compares and analyzes the results rt1 and rt2, and sends out the synthesized result fr through the external bus only when the comparison passes. fr has data error correction capability, so that after receiving fr data an external system can judge the correctness of the data by itself. This structure ensures the safety of the calculation result of the functional safety chip.
In summary, compared with the traditional design scheme of discrete devices of the functional safety controller, the design scheme of the safety chip can greatly reduce the design difficulty of the functional safety control system, reduce the number of devices of the functional safety control system, reduce the area of a circuit board, realize miniaturization, and improve the design consistency of the control system, thereby improving the reliability of the safety control system. The device is convenient to design, produce and maintain, so that the overall cost of the functional safety control system is effectively reduced, and the economic benefit is better.
Example two:
In conjunction with the functional security chip disclosed in the first embodiment, this embodiment discloses a specific implementation example of a working method (hereinafter referred to as "method") of the functional security chip.
Referring to fig. 5, the method includes:
step S1: powering on a communication management unit, wherein the communication management unit reads executable codes of the communication management unit from a program storage unit;
step S2: after the communication management unit is started, the operation unit is powered on, the operation unit reads the executable code from the operation storage unit through the SPI bus by enabling a chip selection signal of the operation unit to be a low level signal, and the operation unit starts to be started;
step S3: after the operation units are started, a first operation unit and a second operation unit in the operation units receive a synchronous periodic signal sent by the communication management unit, and the first operation unit and the second operation unit run synchronously according to the synchronous periodic signal;
step S4: after receiving information through an external bus interface, the communication management unit sends the information to the first arithmetic unit and the second arithmetic unit through an Ethernet bus at the same time, and updates corresponding data variables in the first arithmetic unit and the second arithmetic unit according to the information;
step S5: the first arithmetic unit and the second arithmetic unit send a cycle arithmetic result to the communication management unit through an SPI bus or the Ethernet bus at the same time of each synchronous cycle;
step S6: after receiving the cycle operation result, the communication management unit stores the cycle operation result into a corresponding data segment according to a cycle number accumulated value, compares the cycle operation results of the first operation unit and the second operation unit, outputs an externally output result through the external bus interface if the results are consistent in comparison, and records error data and prohibits the externally output of the current result if the results are inconsistent;
step S7: if the number of times of errors of the first arithmetic unit or the second arithmetic unit exceeds the upper limit, the communication management unit resets the first arithmetic unit and the second arithmetic unit simultaneously through a reset command signal and returns to the arithmetic unit starting step;
step S8: if the first operation unit and the second operation unit are unsuccessfully reset through the reset command signal, the first operation unit and the second operation unit are powered on again after being forced to be powered off through the fault management unit according to the state signal of the operation unit sent by the communication management unit, and the operation unit starting step is returned.
Referring to fig. 6, fig. 6 is a schematic diagram of a work flow of the functional security chip provided in the present invention, and an application flow of the method is specifically described as follows with reference to fig. 6:
Step 1: The system is powered up and the CMU reads its executable code from PSU-A by default. The level of the state signal PIO-C is inverted within 1.5 s, while the state signals PIO-A and PIO-B remain low.
Step 2: After PIO-A and PIO-B have been held low for 1.5 s, the fault management unit FMU ensures that the external power switch A and power switch B are off, so the operation units CPM-A and CPM-B remain powered off.
Step 3: After the CMU has started, it controls PIO-A and PIO-B to output square wave signals with a frequency greater than 1 Hz. The fault management unit FMU then closes the external power switches A and B, and the operation units CPM-A and CPM-B are powered.
Step 4: CPM-A (or CPM-B) enables the storage unit MEM-A (or MEM-B) by driving the chip select signal CS-A (or CS-B) low, reads the executable program from MEM-A (or MEM-B) through the SPI bus, and starts to boot.
The CMU reads the CPM-A (or CPM-B) application code stored in the PSU-A and transmits it to CPM-A (or CPM-B) through Ethernet unit C (or Ethernet unit D). Once CPM-A (or CPM-B) has received the complete application code, it begins execution.
Step 5: After CPM-A (or CPM-B) has started, it receives the synchronization command signal SYN-A (or SYN-B) from the CMU, and synchronization is completed within N cycles.
Step 6: After receiving information from the external bus, the CMU sends the received data to CPM-A and CPM-B simultaneously through Ethernet unit C and Ethernet unit D. After receiving the data from the CMU, CPM-A and CPM-B update their corresponding data variables.
Step 7: CPM-A (or CPM-B) sends the operation result to the CMU at time ct2 of each synchronization cycle. Two communication schemes can be used (scheme A over SPI, scheme B over the Ethernet bus); the choice is configured by the CMU internal register CTC_Con.
For scheme A: CPM-A (or CPM-B) enables the bus switch SW-A (or SW-B) by driving the chip select signal CS-A (or CS-B) high, and sends the periodic result rt1 (or rt2) to the CMU over the SPI bus through digital isolator A (or B).
For scheme B: CPM-A (or CPM-B) sends the periodic result rt1 (or rt2) to the CMU through Ethernet unit A (or Ethernet unit B).
Step 8: The CMU receives rt1 (and rt2), stores the data into the corresponding data segment according to the accumulated value cc1 (and cc2), and begins comparing the results of rt1 and rt2. If the comparison result is consistent, the result is output through the external bus interface; if it is inconsistent, the CMU records error data and prohibits its external output.
Step 9: If the CMU finds that the number of errors of CPM-A (or CPM-B) exceeds the upper limit M (the M value is configured through the CMU register RLT_Err), which indicates that the CPM state is abnormal, the CMU resets CPM-A and CPM-B simultaneously through RST-A and RST-B. After the faulty CPM-A and CPM-B receive the reset signals RST-A and RST-B, they read their executable code again through the SPI bus, and step 4 is repeated.
Step 10: If resetting CPM-A and CPM-B through RST-A and RST-B is unsuccessful, the CMU controls PIO-A and PIO-B to output a low level, forcing CPM-A and CPM-B to be powered off. After 2 s, the CMU restores the PWM output on PIO-A and PIO-B, CPM-A and CPM-B are powered on again, and step 3 is repeated.
Step 11: If step 10 has occurred once and the power-off reset still fails to return the security chip to normal operation, the CMU stops working and stops outputting data to the external bus, so that no erroneous commands are output.
Therefore, the functional safety chip provided by the invention also has an internal fault self-recovery function. When the CMU detects that the accumulated number of CPM operation result errors exceeds the limit, it can reset CPM-A and CPM-B through the reset signal; if the reset through the reset signal is unsuccessful, the CMU can control the fault management unit FMU to reset CPM-A and CPM-B in a power-off manner by opening the external power switch A and power switch B.
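The recovery sequence of steps 9 to 11 above (steps S7 and S8 of the method), written as an added C state machine seen from the CMU side; this is not code from the patent. RLT_Err, RST-A/RST-B, PIO-A/PIO-B and the 2 s power-off time are the patent's own; the state and event names, and the idea that the CMU learns of a failed restart through a timeout, are assumptions of this example.

```c
#include <stdint.h>
#include <stdbool.h>

/* CMU-side recovery states (steps 9 to 11 of the work flow). Names are assumptions. */
typedef enum {
    CMU_RUNNING,        /* normal cycles; fr is output when rt1 and rt2 agree */
    CMU_WAIT_RESTART,   /* RST-A/RST-B pulsed (or power restored), waiting for resync */
    CMU_POWER_OFF,      /* PIO-A/PIO-B held low: FMU opens power switches A and B */
    CMU_HALTED          /* step 11: CMU stops working, nothing goes to the external bus */
} cmu_state_t;

typedef enum {
    EV_CYCLE_OK,        /* both conditions passed and rt1 == rt2 */
    EV_CYCLE_ERR_A,     /* an error was recorded against CPM-A this cycle */
    EV_CYCLE_ERR_B,     /* an error was recorded against CPM-B this cycle */
    EV_RESYNC_DONE,     /* CPM-A and CPM-B rebooted and finished N-cycle synchronization */
    EV_RESYNC_TIMEOUT,  /* restart did not succeed (detection by timeout is an assumption) */
    EV_TICK             /* dt_ms of wall time passed while in CMU_POWER_OFF */
} cmu_event_t;

typedef enum {
    ACT_NONE,           /* nothing to drive; this cycle's output stays suppressed */
    ACT_OUTPUT_FR,      /* send fr over the external bus */
    ACT_ASSERT_RST,     /* pulse RST-A and RST-B together (step 9) */
    ACT_PIO_LOW,        /* drive PIO-A/PIO-B low so the FMU powers the CPMs off (step 10) */
    ACT_PIO_PWM,        /* restore PWM on PIO-A/PIO-B so the CPMs are powered (step 3) */
    ACT_HALT            /* step 11 reached */
} cmu_action_t;

#define POWER_OFF_MS 2000u  /* step 10: PIO-A/PIO-B stay low for 2 s before PWM is restored */

typedef struct {
    cmu_state_t state;
    uint32_t    rlt_err;      /* register RLT_Err: upper limit M on the error count */
    uint32_t    err_a, err_b; /* accumulated error counts of CPM-A and CPM-B */
    bool        power_cycled; /* step 10 has already been used once */
    uint32_t    off_ms;       /* time spent with PIO-A/PIO-B low */
} cmu_fsm_t;

void cmu_fsm_init(cmu_fsm_t *f, uint32_t m)
{
    f->state = CMU_RUNNING;
    f->rlt_err = m;
    f->err_a = f->err_b = 0;
    f->power_cycled = false;
    f->off_ms = 0;
}

/* Feed one event; returns what the CMU must drive in response. dt_ms is used by EV_TICK. */
cmu_action_t cmu_fsm_step(cmu_fsm_t *f, cmu_event_t ev, uint32_t dt_ms)
{
    switch (f->state) {
    case CMU_RUNNING:
        if (ev == EV_CYCLE_OK) {
            f->power_cycled = false;          /* normal operation resumed */
            return ACT_OUTPUT_FR;
        }
        if (ev == EV_CYCLE_ERR_A) f->err_a++;
        if (ev == EV_CYCLE_ERR_B) f->err_b++;
        if (f->err_a > f->rlt_err || f->err_b > f->rlt_err) {   /* exceeds M: step 9 */
            f->state = CMU_WAIT_RESTART;
            return ACT_ASSERT_RST;
        }
        return ACT_NONE;                      /* error recorded, output withheld */

    case CMU_WAIT_RESTART:
        if (ev == EV_RESYNC_DONE) {           /* CPMs re-read code (step 4) and resynced */
            f->state = CMU_RUNNING;
            f->err_a = f->err_b = 0;
            return ACT_NONE;
        }
        if (ev == EV_RESYNC_TIMEOUT) {
            if (f->power_cycled) {            /* power-off reset already tried once: step 11 */
                f->state = CMU_HALTED;
                return ACT_HALT;
            }
            f->state = CMU_POWER_OFF;         /* step 10 */
            f->power_cycled = true;
            f->off_ms = 0;
            return ACT_PIO_LOW;
        }
        return ACT_NONE;

    case CMU_POWER_OFF:
        if (ev == EV_TICK) {
            f->off_ms += dt_ms;
            if (f->off_ms >= POWER_OFF_MS) {  /* 2 s elapsed: repower, repeat from step 3 */
                f->state = CMU_WAIT_RESTART;
                return ACT_PIO_PWM;
            }
        }
        return ACT_NONE;

    case CMU_HALTED:
    default:
        return ACT_HALT;                      /* no further data to the external bus */
    }
}
```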
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is specific and detailed, but not to be understood as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A functional security chip, comprising:
the operation unit comprises a first operation unit and a second operation unit, and the first operation unit and the second operation unit are used for performing operation processing on received information;
the communication management unit is connected with the operation unit through an Ethernet bus and an SPI bus, and is used for receiving external information through an external bus interface, sending the information to the first operation unit and the second operation unit through the Ethernet bus, receiving periodic operation results output by the first operation unit and the second operation unit, and carrying out comparative analysis;
the power supply management unit is used for connecting external power supply input and outputting power supply voltage required by the operation unit and the communication management unit;
the fault management unit is connected with the communication management unit through an IO line, the communication management unit sends state signals of the communication management unit and the operation unit to the fault management unit through the IO line, the fault management unit is connected with the power management unit, and the fault management unit controls the operation unit and the communication management unit to be powered on and powered off through the power management unit according to the state signals;
and the bus isolator is used for electrically isolating the communication management unit from the operation unit, and the SPI bus between the communication management unit and the operation unit is connected through the bus isolator.
2. The functional security chip according to claim 1, wherein the communication management unit is further connected to the operation unit via a synchronization cycle signal line, and the communication management unit outputs a synchronization cycle signal to the first operation unit and the second operation unit via the synchronization cycle signal line at the same time to enable the first operation unit and the second operation unit to operate synchronously.
3. The functional security chip of claim 2, wherein the first arithmetic unit and the second arithmetic unit perform arithmetic operations according to the information sent by the communication management unit after synchronization is completed, and respectively send the cycle arithmetic results to the communication management unit at the same time of each synchronization cycle.
4. The functional security chip according to claim 1, wherein the communication management unit is further connected to the operation unit through a reset control line, and the communication management unit outputs a reset command signal through the reset control line to reset the operation unit.
5. The functional security chip according to claim 2 or 4, wherein the reset control line and the synchronous periodic signal line connect the communication management unit and the arithmetic unit through the bus isolator.
6. The functional security chip of claim 1, further comprising:
the operation storage unit is connected with the operation unit and is used for storing the executable codes of the operation unit;
a program storage unit for storing an executable code of the communication management unit;
and the application storage unit is used for storing general data in the operation process of the communication management unit, and the program storage unit, the application storage unit and the communication management unit are interconnected through a 16-bit bus.
7. The functional security chip of claim 6, wherein the chip select signal of the operation unit is connected to the chip select signal of the operation storage unit, the chip select signal of the operation unit is connected to the enable signal of a bus switch circuit through an inverter, and when the chip select signal of the operation unit is at a low level, the operation unit reads and writes the operation storage unit; and when the chip select signal of the operation unit is at a high level, the operation unit writes the periodic operation result into the communication management unit through the bus switch circuit and the bus isolator.
8. The functional security chip of claim 1, wherein a memory area is disposed inside the communication management unit, the memory area is configured to store the received cycle operation result, the memory area is divided into a plurality of data segments, the communication management unit extracts a cycle number accumulated value of the operation unit after receiving the cycle operation result, and stores the cycle operation result into a corresponding data segment in the memory area according to the cycle number accumulated value.
9. The functional safety chip according to claim 1, wherein the fault management unit is further connected to an external power switch, and the fault management unit controls the external power switch to turn on or off the power supply of the operation unit according to the state signal of the operation unit sent by the communication management unit.
10. A working method of a functional security chip is characterized by comprising the following steps:
a communication management unit starting step: powering on a communication management unit, wherein the communication management unit reads executable codes of the communication management unit from a program storage unit;
an arithmetic unit starting step: after the communication management unit is started, the operation unit is powered on, the operation unit reads the executable code from the operation storage unit through the SPI bus by enabling a chip selection signal of the operation unit to be a low level signal, and the operation unit starts to be started;
a signal synchronization step: after the operation units are started, a first operation unit and a second operation unit in the operation units receive a synchronous periodic signal sent by the communication management unit, and the first operation unit and the second operation unit run synchronously according to the synchronous periodic signal;
an information sending step: after receiving information through an external bus interface, the communication management unit sends the information to the first arithmetic unit and the second arithmetic unit through an Ethernet bus at the same time, and updates corresponding data variables in the first arithmetic unit and the second arithmetic unit according to the information;
an operation result sending step: the first arithmetic unit and the second arithmetic unit send a cycle arithmetic result to the communication management unit through an SPI bus or the Ethernet bus at the same time of each synchronous cycle;
a result comparison step: after receiving the cycle operation result, the communication management unit stores the cycle operation result into a corresponding data segment according to a cycle number accumulated value, compares the cycle operation results of the first operation unit and the second operation unit, outputs an externally output result through the external bus interface if the results are consistent in comparison, and records error data and prohibits the externally output of the current result if the results are inconsistent;
a signal resetting step: if the number of times of errors of the first arithmetic unit or the second arithmetic unit exceeds the upper limit, the communication management unit resets the first arithmetic unit and the second arithmetic unit simultaneously through a reset command signal and returns to the arithmetic unit starting step;
a power-off reset step: if the first operation unit and the second operation unit are unsuccessfully reset through the reset command signal, the first operation unit and the second operation unit are powered on again after being forced to be powered off through the fault management unit according to the state signal of the operation unit sent by the communication management unit, and the operation unit starting step is returned.
Application CN202210100327.0A, priority date 2022-01-27, filing date 2022-01-27: Functional safety chip and working method thereof (Active; granted as CN114488897B (en)).
Publications (2)

CN114488897A (en), published 2022-05-13
CN114488897B (en), published 2023-06-23