Classifications

• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F11/00—Error detection; Error correction; Monitoring
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F11/00—Error detection; Error correction; Monitoring
  • G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
  • G06F11/16—Error detection or correction of the data by redundancy in hardware
  • G06F11/18—Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits
  • G06F11/183—Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits by voting, the voting not being performed by the redundant components
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F11/00—Error detection; Error correction; Monitoring
  • G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
  • G06F11/16—Error detection or correction of the data by redundancy in hardware
  • G06F11/1629—Error detection by comparing the output of redundant processing systems
  • G06F11/1641—Error detection by comparing the output of redundant processing systems where the comparison is not performed by the redundant processing components
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F11/00—Error detection; Error correction; Monitoring
  • G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
  • G06F11/16—Error detection or correction of the data by redundancy in hardware
  • G06F11/1695—Error detection or correction of the data by redundancy in hardware which are operating with time diversity
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F15/00—Digital computers in general; Data processing equipment in general
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F9/00—Arrangements for program control, e.g. control units
  • G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
  • G06F9/30—Arrangements for executing machine instructions, e.g. instruction decode
  • G06F9/30181—Instruction operation extension or modification
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F9/00—Arrangements for program control, e.g. control units
  • G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
  • G06F9/30—Arrangements for executing machine instructions, e.g. instruction decode
  • G06F9/30181—Instruction operation extension or modification
  • G06F9/30189—Instruction operation extension or modification according to execution mode, e.g. mode flag
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F9/00—Arrangements for program control, e.g. control units
  • G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
  • G06F9/30—Arrangements for executing machine instructions, e.g. instruction decode
  • G06F9/38—Concurrent instruction execution, e.g. pipeline or look ahead
  • G06F9/3836—Instruction issuing, e.g. dynamic instruction scheduling or out of order instruction execution
  • G06F9/3851—Instruction issuing, e.g. dynamic instruction scheduling or out of order instruction execution from multiple instruction streams, e.g. multistreaming
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F11/00—Error detection; Error correction; Monitoring
  • G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
  • G06F11/16—Error detection or correction of the data by redundancy in hardware
  • G06F11/18—Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits
  • G06F11/187—Voting techniques
• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F2201/00—Indexing scheme relating to error detection, to error correction, and to monitoring
  • G06F2201/845—Systems in which the redundancy can be transformed in increased performance

Definitions

• a method for detecting errors in a comparison mode is described in Wo 01/46806 A1.
• the data is processed and compared in parallel in a processing unit with two processing units ALUs.
• both ALUs work there independently of each other until the faulty data have been removed and a repeated (partially repeated) redundant processing can be carried out. This presupposes that both ALUs work synchronously with each other and that the results can be compared in exact time.
• Voting systems are known from the aircraft industry, which can use inputs from standard computers and process them safely by a majority decision and thus trigger safety-relevant actions.
• a system that combines inter-processing unit and inter-control-unit communication is the FME system, which maintains the system still operational by a high degree of redundancy even in the case of single or even multiple faults and by the DASA for Space has been developed (Urban, et al: A survivable avionics System for Space applications, Int. Symposium on Fault-tolerant
• a method for switching and data comparison is used in a computer system having at least three processing units, wherein switching means are provided and switched between at least two operating modes, wherein comparison means are provided and a first operating mode a comparison mode and a second mode of operation corresponds to a performance mode, characterized in that in the comparison mode a voting, at least as a 2 out of 3 rating, is provided, wherein control means are provided by which the voting is adjustable.
• control means at least
• Memory means contain or are designed as such and in the memory means an identifier for setting the Votings, in particular a bit, is stored.
• a method is used in which an error detection and an error localization is carried out by the voting and corresponding error states are stored.
• a method is used in which the error status is stored next to the identifier in the at least one memory means.
• a method is used in which the identifier is written by at least one processing unit and the error status by the comparison unit and / or the switching unit in the storage means.
• a method is used in which a computer system internal source, in particular a processing unit specifies the identifier for setting the voting.
• a method is used in which an external source to the computer system specifies the identifier for setting the voting.
• a method is used in which a plurality of sources for specifying the
• a device for switching and for data comparison is used in a computer system having at least three processing units, wherein switching means are provided and switched between at least two operating modes, wherein comparing means are provided and a first operating mode corresponds to a comparison mode and a second operating mode to a performance mode, characterized in that in the comparison mode a voting, at least as a 2 out of 3 rating, is provided, wherein control means are contained by which the voting is settable.
• control means at least
• Memory means contain or are designed as such and in the memory means an identifier for setting the Votings, in particular a bit, is stored.
• a device in which the storage means is at least one control register.
• a device in which at least one input buffer memory is provided, which is designed such that the data is buffered before entry into the comparison means.
• control means are provided as a source for setting the voting external to the computer system.
• control means are provided as a source for setting the voting internally to the computer system.
• FIG. 1 shows the basic function of a switching and comparison unit for two processing units
• FIG. 1a shows a generalized representation of a comparator
• FIG. 1c shows an expanded representation of a comparator
• Figure Ib shows a generalized representation of a switching and comparison unit
• FIG. 2 shows a more detailed representation of the switching and comparison unit for two processing units
• FIG. 3 shows a possible realization of a switching and comparison unit for two
• FIG. 4 shows a more detailed representation of a switching and comparison unit for more than two processing units
• FIG. 5 shows a possible implementation of a switching and comparison unit for more than two processing units
• FIG. 6 shows a possible realization of a control register
• FIG. 7 shows a voting unit for central voting
• FIG. 8 shows a voting unit for decentralized voting
• FIG. 9 shows a synchronization element
• Figure 10 shows a handshake interface
• FIG. 11 shows a differential amplifier
• FIG. 12 shows a comparator for positive voltage difference
• FIG. 13 shows a comparator for negative voltage difference
• Figure 14 shows a circuit for storing an error
• Figure 15 shows an analog-to-digital converter with output registers
• FIG. 16 shows the representation of a digitally converted analog value with kung
• FIG. 17 shows the representation of a digital value as a digital word with digital bit
• An execution unit or processing unit may refer in the following to a processor / core / CPU as well as an FPU (floating point unit), DSP (digital signal processor), coprocessor or ALU (Arithmetic Logical Unit).
• FPU floating point unit
• DSP digital signal processor
• ALU Arimetic Logical Unit
• a system of two or more processing units is considered. Basically, in safety-relevant systems, it is possible to use such resources either to increase performance, by providing the various processing units as possible with different tasks. Alternatively, you can also use some of the resources redundantly to each other, by using the same
• Task supplies and detects unequal results on an error.
• several modes are conceivable.
• the two modes “comparison” and "performance” exist as described above.
• the pure performance mode in which all three processing units work in parallel
• the pure comparison mode in which all three processing units are redundantly calculated and compared
• one can also implement a 2out3 voting mode in which all three Processing units redundant computing and a majority selection is made.
• a mixed mode in which, for example, two of the processing units redundant to each other and calculate the Results are compared while the third processing unit is processing a different, parallel task.
• a four or more processing unit system obviously further combinations are conceivable.
• each processing unit should be able to operate with its own clock, i.
• the execution of identical tasks for the purpose of comparison can also work asynchronously to each other.
• This object is achieved in that a universal, widely deployable IP is created, which allows switching of the operating modes (eg comparison, performance or voting mode) at arbitrary times without previously switching off the processing units and possibly the comparison or the voting of each other manages asynchronous data streams.
• This IP may be implemented as a chip, or it may be integrated with one or more processing units on a chip. Further, it is not a prerequisite that this chip consists of only one piece of silicon, it is also quite possible that this is realized from separate components.
• a WAIT signal is usually provided. If an execution unit does not have a wait signal, it can also be synchronized via an interrupt.
• the synchronization signal (for example, M 140 in FIG. 2) is not routed to a wait input, but is set to an interrupt.
• This interrupt must have a sufficiently high priority over the processing program and also against other interrupts to interrupt normal operation.
• the associated interrupt routine only executes a certain number of NOPs (empty commands with no effect on data) before jumping back into the interrupted program, thereby delaying further processing of the processing program. If necessary, the usual memory operations at the beginning and at the end must be carried out in the interrupt routine in order not to impair the normal program execution by the interrupt.
• the advantage of the invention is that any commercially available standard structures can be used, because no additional signals are needed (no interference with the hardware structure) and any output signals of these components can be monitored, which are for example used directly to drive actuators.
• Another advantage is that not all data has to be compared in a comparison or voting mode. Only the data to be compared or voted are synchronized with each other in the switching and comparison unit. The selection of these data is variable (programmable) by the targeted response of the switching and comparison unit and can be adapted to the respective processing unit architecture as well as to the application. Thus, the use of diverse ⁇ C or software parts is easily possible, since only results that can reasonably be compared, actually compared. Further, any access to a (e.g., external) memory can be monitored, or even just driving external I / O modules. Internal signals can be checked via the software-controlled additional output to the switching module on the external data and / or address bus.
• All control signals for the comparison operations are generated in the preferably programmable switching and voting unit and the comparison also takes place there.
• the processing units eg, processors
• whose outputs are to be compared with each other may use the same program, a duplicate program (which additionally allows recognition of memory access errors), or a diversified program for detecting software errors.
• Some or even all modules of the switching and comparison unit can be integrated on a chip, be housed on a common board or spatially separated. In the latter case, the data and control signals are exchanged with each other via suitable bus systems. On-site registers are then described via the bus system and control the operations by means of the data and / or addresses / control signals stored therein.
• FIG. 1 shows the basic function of the switching unit BO1 according to the invention for the
• the switching unit includes at least one control register B 15 having at least one binary-character (bit) memory element B16 that switches the mode of the comparison unit.
• B16 can take at least the two values 0 and 1 and can be detected both by the signals B20 or B21 of the processing units or by internal processes of the
• Switching unit set or reset.
• the changeover unit operates in comparison mode. In this mode, all incoming data signals from B20 are compared with the data signals from B21, provided certain predeterminable comparison conditions of the control and / or
• Error signal B17 is set. If only the comparison condition from either the signals B20 or B21 is fulfilled, then the corresponding synchronization signal B40 or B41 is set.
• This signal causes in the corresponding processing unit BIO or BI l stopping the processing, and thus preventing the forwarding of the corresponding Signals that could not previously be compared.
• the signal B40 or B41 remains set until the corresponding comparison condition of the respective other processing unit B21 or B20 is fulfilled. In this case, the comparison is carried out and the corresponding synchronization signal is reset.
• Processing unit does not provide comparative data rather than the other processing unit.
• the comparison component M500 can receive two input signals M510 and M511. It then compares these to equality, in the context presented here, preferably in the sense of a bit-wise equality. If it detects inequality, the error signal M530 is activated and the signal M520 is deactivated. In the same case, the value of the input signals M510, M511 is given to the output signal M520 and the error signal M530 is not active, ie it signals the 'Guf' state. From this basic system, a variety of advanced embodiments are conceivable. First, the component M500 can be executed as a so-called TSC component (totally seif checking).
• the error signal M530 is routed to at least two lines ("dual rail") to the outside, and it is ensured by internal design and error detection measures that in any possible error case of the comparison component this signal is correct or recognizable incorrect preferred embodiment in the use of the system according to the invention is to use such a TSC comparator.
• a second class of embodiments can be distinguished as to what degree of synchronicity the two inputs M510, M511 (or M610, M611) must have.
• One possible variant is characterized by intermittent synchronicity, i. the comparison of the data can be done in one cycle.
• a synchronous delay element is used with a fixed phase offset between the inputs, which delays the corresponding signals, for example, by integer or half clock periods.
• phase offset is useful to avoid common cause errors, i. these are errors that can affect multiple processing units simultaneously.
• component M640 which delays the previous input by the phase offset, is therefore inserted beyond the components in FIG.
• this delay element is accommodated in the comparator to use this element only in the comparison mode.
• intermediate buffers can be placed in the input chain.
• these are designed as FIFO memory. If such a buffer exists, one can also tolerate asynchronisms up to the maximum depth of the buffer. In this case, an error signal must be output even if the buffer overflows. Further, in the comparator embodiments, it can be distinguished according to how the signal M520 (or M620) is generated.
• a preferred embodiment is the input signals
• M510, M511 or M610, M611
• M510, M511 or M610, M611
• the signals can also be generated from internal comparator buffers.
• a final class of embodiments may be distinguished as to how many inputs are present on the comparator and how the comparator should react. With three inputs, a majority voting, a comparison of all three or a comparison of only two signals can be made. With four or more inputs, correspondingly more variants are conceivable. These variants are preferably to be coupled with the various operating modes of the overall system.
• FIG. 1b a generalized representation of a switching and comparison unit is shown in FIG. 1b, as it is to be preferably used.
• n signals N140,..., N14n go to the switching and comparison component N100. This can generate up to n output signals N160, ..., N16n from these input signals.
• the "pure performance mode” all signals N14i are directed to the corresponding output signals N16i.
• the "pure comparison mode” all signals are transmitted
• the logical component of a switching logic Nl 10 is included in this figure.
• the component does not have to exist as such, it is crucial that its function is present. It first determines how many output signals there are.
• the switching logic NI lO determines which of the input signals contribute to which of the output signals. An input signal can contribute to exactly one output signal.
• a function is defined by the switching logic which assigns an element of the set ⁇ N 160, ..., N 16n ⁇ to each element of the set ⁇ N 140, ..., N 14n ⁇ .
• the function of the processing logic N120 determines to which of the outputs N16i the form in which the inputs contribute to this output signal. Also, this component does not have to exist as a separate component. It is again crucial that the functions described are implemented in the system. To exemplify the different
• a first possibility is to compare all signals and to detect an error in the presence of at least two different values, which can be optionally signaled.
• a second possibility is to make a k out of m selection (k> m / 2). This can be realized by using comparators.
• an error signal can be generated if one of the signals is detected as deviating.
• One possibly different error signal can be generated if all three signals are different.
• a third option is to apply these values to an algorithm. This may be, for example, the formation of an average, a median, or the use of a Fault Tolerant Algorithm (FTA). Such an FTA is based on extreme values of the
• This averaging can be done over the entire set of residual values, or preferably over a subset that is easy to form in HW. In this case, it is not always necessary to actually compare the values. For averaging, for example, you just have to add and divide FTM, FTA or
• an error signal can optionally also be output at sufficiently large extreme values
• comparison operations For the sake of brevity.
• the task of the processing logic is thus to determine the exact shape of the comparison operation for each output signal - and thus also for the associated input signals.
• the combination of the information of the switching logic NI 10 (ie the above mentioned function) and the processing logic (ie the determination of the comparison operation per output signal, ie per function value) is the mode information and sets the mode.
• this information is multivalued, ie not representable only via a logical bit. Not all the theoretically conceivable modes are useful in a given implementation, it is preferable to restrict the number of modes allowed.
• Switching from a performance mode to a comparison mode is characterized in the general case by the fact that execution units that are displayed in the performance mode on different outputs are mapped in the compare mode to the same output. This is preferably realized in that there is a subsystem of execution units in which in the performance mode all input signals N14i to be considered in the subsystem are switched directly to corresponding output signals N16i, while in the comparison mode they are all mapped to one output. Alternatively, such switching can also be realized by changing pairings.
• the switching is triggered, for example, by the execution of special switching instructions, special instruction sequences, explicitly marked instructions or by the access to specific addresses by at least one of the execution units of the multiprocessor system.
• FIG. 2 shows a detailed two-processor or two ⁇ C system with a switching and comparison unit M100 according to the invention, in which optionally also different signals can be dispensed with. It consists of two processing units (Ml 10, Ml I l) and a switching and comparison unit M100. From each processing unit, data signals (M120, M121) and address / control signals (M130, M131) go to the switching unit, and each processing unit optionally also gets from the
• Switching unit data (M150, M151) and control signals (M140, M141) back.
• the unit M100 outputs data (M160, M161) and status information M169 and receives signals such as data (M170, M171) and control signals M179, which can also be forwarded to the processing units.
• the operating mode of the unit M 100 can also be set independently of the processing units; Likewise, the processors can set the operating mode via the outputs M120, M121 (eg data bus) and the control and address signals M130, M131 (eg Write) in the unit M100 - eg performance mode (without comparison) or comparison mode (with comparison of the signals M 120 , M 121 and / or the signals M 170, Ml 71, coming from eg peripheral units). In the performance mode, the outputs M120, M121 are forwarded to the outputs M 160, M161 if necessary in connection with control signals, and conversely the inputs M170, M171 to M150, M151.
• the outputs M120, M121 eg data bus
• the control and address signals M130, M131 eg Write
• the outputs M120, M121 are forwarded to the outputs M 160, M161 if necessary in connection with control signals, and conversely the inputs M170, M171 to M150, M151
• the outputs are compared and advantageously forwarded to M 160, M161 only in the error-free case, where either both outputs are used, or only one of them.
• a check of input data M 170, M171 is possible, which are forwarded to the processing units.
• an error signal is generated and signaled to the outside (eg by means of double-rail signals: fail-safe) (part of status information M169).
• the status M169 can also indicate the operating mode or information about the time offset of the signals Execution units include.
• the error signal is also activated.
• the outputs M 160, M161 can be disabled (fail silent behavior). This can affect both digital and analog signals.
• These output driver stages can also be the non-cached (not cached)
• Output signals M120, M121 of a processing unit with the possibility of subsequent error detection. This is tolerated by a safety relevant system as long as the fault tolerance time is not exceeded, i. the time that a (sluggish) system does not yet catastrophically react to errors and therefore there is still the possibility of correction.
• output signals M 180, Ml 81 which are not led to the UVE and internal signals of a processing unit can be compared, at least with respect to their calculated value, by outputting this value on the outputs M120, M121 for the purpose of comparison. The same can be done with input signals M 190, M 191, which do not come via M100.
• FIG. 3 shows a possible implementation of the switching and comparison unit M100 from FIG. 2 in detail.
• the unit M100 contains a control register M200 with at least one bit representing the mode (performance / comparison) and a status register
• M220 with at least one bit representing the error state in comparison mode.
• the wait and interrupt signals are controlled by further bits in the control register for both processing units. It may also be necessary to differentiate between different interrupts, for example for synchronization purposes, for preparing for the operating mode switches and for error handling.
• control registers such as M240, which contains the maximum permitted time difference (in number of clock periods) between the processing units for controlling an internal or external watchdog, and M241 with the time difference value (clock cycle number), from which the fastest processor is assigned by means of WAIT or interrupt signals should be temporarily stopped or delayed, for example, to prevent overflow of data registers.
• status register M220 In addition to the error bit also stored, how large the clock offset between the processing units is currently. For this purpose, e.g. at least one timer M230 always started by a processing unit when a (via address and
• Control signals e.g. particular address value
• the value of the timer is always transferred to the status register when the corresponding data value is provided by the second processing unit.
• the timer is preferably set so that even with different program sequences according to the WCET (worst case execution time) guaranteed all
• Processing units must supply a date. If the preset value is exceeded by the timer, an error signal is output.
• the outputs M120, M121 of the processing units are to be stored in M100, in particular for the comparison mode in a buffer memory M250, M251, as far as they are digital data and can not be provided in a clock-accurate manner.
• this can be
• Memory be executed as a FIFO. If this memory has only a depth of 1 (register), then e.g. Wait signals are used to delay the output of further values until the comparison has been made in order to avoid data loss.
• a comparison unit M210 which compares the digital data from the input memories M250, M251, the direct inputs M120, M121 or M170, M171.
• This comparison unit may also compare serial digital data (e.g., PWM signals), e.g. in the memory unit M250, M251 can receive the serial data and convert it into parallel data, which are then compared in M210.
• asynchronous digital input signals M 170, M 171 can be synchronized via additional memory units M270, M271.
• PWM signals e.g., PWM signals
• Input signals 120, 121 are preferably buffered in a FIFO. Switching between performance and compare modes is accomplished by setting or resetting the mode bit in the control register, causing e.g. corresponding interrupts are caused in the two processing units. The comparison itself is provided by the provided data M 120, M121 and the associated addresses and control signals
• M130, M131 everanlasst.
• certain signals from M120 and M130 or M121 and M131 can act as an identifier indicating whether a comparison of the assigned data is to take place.
• This is a further embodiment compared to the simple switching in FIG. 1.
• different preparations are advantageously to be made so that identical initial conditions are created for both processing units. If the processing unit is finished with it, the processor-specific ready bit is set in the control register and the processing unit remains in the wait state until the other processing unit indicates its readiness by its ready bit (see also description of the control register in FIG. 6).
• analogue data can also be compared with one another in a suitable analog comparison unit M211 (analogue compare unit).
• analogue compare unit provides for storage of the data digitized by an ADC implemented there (see further comments on FIGS. 12 to 14).
• Synchronicity can be achieved by comparing the digital outputs of the processing units (data, address and control signals) as described above and maintaining the processing unit too fast.
• the digital signals which are processed as the source of the analog signals in the processing unit can also be fed via the outputs M 120, M121 to the unit M100, although these signals are otherwise not needed externally.
• This redundant comparison in addition to the comparison of the analog signals ensures that an error in the calculation can be detected earlier and also facilitates the synchronization of the processing units.
• the comparison of the analog signals causes additional error detection for the DAC (digital to analog converter) of the processing unit. In other structures of the DCSL architectures such a possibility does not exist. For analog input signals from the peripheral units, a comparison is also possible.
• FIG. 4 shows a multiprocessor system with at least n + 1 processing units, wherein each of these components may in turn also consist of several sub-processing units (CPUs, ALUs, DSPs with corresponding additional components).
• the signals of these processing units are also connected to a switching and comparison unit, as described in the two-person system of Figure 2. All components and signals in this figure therefore have the same meaning in content as the corresponding components and signals in FIG. 2.
• the switching and comparison unit M300 can distinguish between the performance mode (all processing units execute different tasks), different comparison modes (FIG. the
• FIG. 5 shows a possible implementation of a switching unit for a multiprocessor system with n + 1 processing units.
• at least one control register M44i is provided in the control unit of the switching and comparison module.
• a preferred set of control registers is shown and described in detail in FIG. M44i corresponds to the control register Ci.
• Various embodiments in the control register are conceivable. It may be described by appropriate bit combinations whether to use an error detection or fault tolerance pattern. Depending on the effort involved in the M300 unit, it is also possible to specify which type of fault tolerance pattern (2 out of 3, median, 2 out of 4, 3 out of 4, FTA, FTM ...) you want to use. Next you can make it configurable, which output one goes through. One can then also form embodiments, which components for which date can influence this configuration.
• the output signals of the processing units involved are then compared with one another in the switching unit. Since the signals are not necessarily processed clock-accurate, a caching of the data is required. In this case, data can also be compared in the switching unit, which are given with a larger time difference from the various processing units to the switching unit.
• a temporary memory eg designed as FIFO memory: first in - out-of-memory or else in a different buffer form
• a plurality of data can initially also be received by one processing unit, while other processing units do not yet receive any data provide.
• a measure of the synchronicity of the two processing units is the fill level of the FIFO memory.
• the processing unit furthest advanced in the processing is temporarily stopped either by an existing WAIT signal or by suitable interrupt routines, in order to wait for the slower processing units progressing in the processing.
• the monitoring should be extended to all externally available signals of a processing unit; this also includes analog signals or PWM signals. In the switching unit structures are provided to allow a comparison of such signals. In addition, it is proposed to specify a maximum time deviation between the data to be compared and to monitor it by means of at least one timer.
• control register is required for each of these processing units or processing units.
• FIG. 1 A specific embodiment of these control registers is explained in FIG.
• the (n + 1) lower bits B500x to B50nx of the respective control register Cx are uniquely assigned to the n + 1 processors / processing units.
• the bit B514x of the control register Cx switches between compare / vote on the one hand and parallel work on the other hand and corresponds to the value of B16 of Figure 1.
• the bit B513x indicates whether the processing unit concerned is ready for comparison, bit B512x controls this
• Synchronization signal WAIT or INTERRUPT
• bit B511x may be used to prepare the corresponding processing unit x for the comparison by an interrupt.
• bit B5110x controls an interrupt that returns the processing unit to parallel mode.
• B50ik and B50kk of the control register Ck are set to one (0 ⁇ i, k ⁇ n).
• a special type of vote or even a majority comparison can be determined, as already enumerated in the explanation for picture M4.
• a one in B50ii of the control register i (0 ⁇ i, ⁇ n) indicates that the output i of the comparison unit should be active. Carry all control registers Ci only in the appropriate
• the bit B514i in the control register Ci is set to activate the comparison or the voting. This bit may be set by the processing unit itself as well as by the switching and comparing unit depending on certain system conditions, timing conditions or other conditions (such as accessing particular memory areas, errors or implausibilities). Become the bits with B514i
• the UVE automatically sets bits B51 Ii and B51 Ik, thereby triggering interrupts in the processing units i and k These interrupts cause the processing units to jump to a particular program location, to initiate certain initialization steps to the comparison mode and then output a feedback (Ready) to the switching and comparison unit
• Ready signal causes an automatic reset of the interrupt bit B511i in the respective control register Ci of the processing unit and at the same time the setting of the wait bit B512i. If all wait bits of the processing units involved are set, they are reset by the switchover and compare unit simultaneously. The processing units then start to process the program parts to be monitored. In an advantageous
• Embodiment is prevented writing to a control register Ci with set bit B514i by locking (HW or SW). This makes it sensible that the configuration of the comparison can not be changed during execution.
• a change in the control register Ci is possible only after resetting the bit B514i. This reset causes interrupts in the respective processing units by setting the bits B510x in the control registers of all involved processing units to transition to normal mode (parallel operation).
• Status information is. For example, it may not happen that one processing unit is used concurrently for multiple independent comparison or voting processes, because then the synchronization is not guaranteed. It is conceivable, however, to compare several processing units without an output of the data signals, but only for the purpose of generating an error signal in the event of inequality.
• the entry is to be made similar in several or all control registers of the processing units involved in a comparison or voting, i. the corresponding bits of these processing units are to be set there identically, with the possible exception of their own bit i, which controls the output.
• FIG. 7 shows the voting unit Q100 for central voting. Voting can be carried out both by means of suitable hardware and by software.
• the voting algorithm (for example, bit-precise voting) is to be specified.
• the voting unit Q100 receives several signals Q1, Q1, Q1, and Q112, and from these forms an output signal Q 120, which is produced by voting (for example, an m out of n selection).
• the error bit is set in the respective control register.
• the date of the processing unit concerned is ignored; in a simple comparison the output is locked. Any data not available in time before the programmed time expires will be treated as error.
• the resetting of the error bits is system-dependent and, if necessary, enables reintegration of the respective processing unit
• a decentralized voting in conjunction with a suitable bus system is possible.
• a decentralized voting unit Q200 is controlled by a control unit Q210. It is connected via bus systems Q221, Q222
• the reset of the comparison and voting bits in a control register with active output bit causes an interrupt in the participating processing units, which are then returned to a parallel operation.
• each processing unit have a different entry address, which is managed separately.
• the program execution can also take place from the same program memory.
• the accesses are separate and usually to different addresses. If the security-relevant part is small in comparison to the parallel modes, it must be weighed whether a separate program memory with duplicated security part may be less expensive.
• the data memory can also be shared in performance mode.
• the accesses are then successively, for example by means of the AHB / ABP bus.
• a special feature is that the error bits have to be evaluated by the system. In order to ensure a safe shutdown in the event of a fault, the safety-relevant signals must be implemented redundantly in a suitable form (for example, in the 1-out-2 code).
• Such a synchronization stage M800 can be developed as a FIFO in order to store a plurality of data (see FIG. 9).
• the synchronization of the data alone is not sufficient, but it is also the sync signal of the data to synchronize with the receive clock.
• a handshake interface is required (FIG. 10) that ensures acceptance by request signals M850 and acknowledgment signals M880.
• Such an interface is necessary whenever the clock domain changes to ensure secure transmission of data from one clock domain to another.
• the data M820 from the area Q305 are provided synchronized with the clock M830 in the register cells M800 and a write request signal M850 indicates the provision of the data.
• This write request signal is taken from the area Q306 with the clock M860 in a memory element M801 and as a synchronized signal M870 indicates the provision of the data.
• the synchronized data M840 is then accepted and in the process an acknowledgment signal M880 is sent back.
• This confirmation signal is synchronized by the clock M830 in another memory element M801 to the signal M890 and thus the provision of the data is terminated. New data can then be written to the relevant register.
• Such interfaces are state of the art and known and can work in special embodiments by an additional coding very fast, without having to wait for an acknowledgment signal.
• the memory elements M800 are designed as FIFO memories (first-in, first-out).
• the circuits for comparing analog signals of Figure 11 to Figure 14 assume that the processing units that provide the analog signals to be compared, are synchronized with each other so that the comparison makes sense.
• the synchronization can be achieved by the corresponding signals B40 and B41 of FIG.
• FIG. 11 shows a differential amplifier. With the help of this element two voltages can be compared.
• BlOO is an operational amplifier, to the negative input BlOl a signal B 141 is connected, which is connected via a resistor BI lO with the value R 1n to the input signal BlI l, at which the voltage value Vi is present.
• the positive input B 102 is connected to the signal B 142, which is connected via the resistor B 120 with the value R 1n to the input B 121, to which the voltage value V 2 is applied.
• the output B 103 of this operational amplifier is connected to the output signal B 190 having the voltage value V 0Ut .
• the signal B190 is via the resistor B140 with the value R f with the signal
• V 0nJ R f Z R j n (V 2 - V 1 ).
• the analog ground V agn ( j is a voltage between the operating voltage and the digital ground, usually the mean potential.) If the two analog input voltages Vi and V 2 are only slightly different, so will the Output voltage V out have only a small difference V ⁇ ji ff to the analog ground (positive or negative).
• the input signal B221 is connected via the resistor B150 with the value Ri to the signal B242, which is connected to the positive input B202 of the operational amplifier B200.
• the signal B242 is connected via the resistor B 160 with the value R 2 to the signal B231, which is used as the digital reference potential V dgng .
• the negative input B201 of the operational amplifier is connected to the input signal 211, which carries the voltage value of a reference voltage V ref .
• B200 operational amplifier is connected to the output signal B290 carrying ben the voltage value V O.
• Resistor B 180 connected to the value R4 to the signal B331, which also carries the digital reference potential V dgnd .
• the positive input B302 of the operational amplifier B300 is connected to the input signal B311 which carries voltage value of a reference voltage V ref .
• the output B303 of the operational amplifier B300 is connected to the output signal B390, which is the voltage value
• V ref (V agnd + V 1U a) * R 2 / (R 1 + R 2 ) (2)
• V ref (V agnd - V ⁇ * R 4 / (R 3 + R 4 ) (3)
• V d i ff ((V 2max - V lmin ) * R f / R ta ) - V agnd (4)
• V 2max denotes the maximum tolerated voltage value of V 2 at signal B 121 and Vi m i n the minimum tolerated voltage value of Vi at signal Bl I l.
• the reference voltage source can be provided externally, or realized by an internally realized bandgap (temperature-compensated and operating voltage-independent reference voltage).
• the maximum tolerated difference V d i ff is determined from the maximum positive deviation V 2max and the associated maximum negative deviation Vi n J n , ie (V 2max - Vi n J n ) is the maximum tolerated Voltage deviation of redundant analog signals to each other to be compared.
• the synchronicity is given, for example, when the ready signal in the control register of the corresponding processing units is active, or certain digital signals are sent to the UVE, which signal a particular state of the relevant analog signal and thus also the value to be compared in the sense of an identifier.
• Error stores is shown in Figure 14.
• the two input signals B390 and B290 are linked to the output signal B411 via a NOR circuit (logical OR circuit with subsequent inversion) B410.
• This signal B411 is combined with the input signal B421 in another NOR element B420 to the output signal B421.
• This signal B421 is input in an OR circuit B430 with the signal B401 to
• the D flip-flop B400 stores with the clock B403 is a 1 if one of the two voltage values V, thus contributes positively bottom or V at the top on the signals B390 or B290 as a digital signal the value is high, the signal B421 is not active and no reset signal B402 is present.
• Synchronization of the processing units takes place, in which no comparison is to be made.
• the signal B402 resets a previous error and therefore allows a new comparison.
• Figure 15 shows an ADC.
• this ADC can be implemented using the various known conversion methods. For example, you can choose the principle of successive approximation, where you get the analog signal with a generated signal from a Digital-to-Analog Converter (DAC).
• DAC Digital-to-Analog Converter
• a comparator compares the digital input bits of the DAC systematically from MSB (most significant bit) to LSB (least significant bit) to high and then resets exactly when the DAC's analog output signal goes high higher value than the analog input signal (the signal to be converted).
• the DAC controls with its digital bits from the LSB to the MSB either
• Resistors or capacitances with the weights 1, 2, 4, 8, 16, ... in such a way that the setting of the next higher bit always has twice the effect on the analog value as the previous one. After all bits have been set and, if necessary, reset again, the value of the digital word corresponds to the digital representation of the analog input signal. For higher speed requirements, continuous data streams can also be used
• Converter can be used, which continuously processes the analog signal and outputs a serial digital signal, which approximates this analog data stream through the serial bit sequence.
• the digital word is here represented by the bit sequence stored in a shift register.
• transducers presuppose that changes in the analog signal are constantly made during the conversion period because they can not process constant values.
• converters can be used according to the counting principle, for example, by means of the input voltage or the input current cause a corresponding constant charging or discharging a capacitor connected to an integrator. The time required for this is measured and put into relation to the time in the opposite direction to the charge or charge of the same capacitor
• the ADC B600 of FIG. 15 is controlled by a trigger signal B602, which is typically an output signal of the processor providing the analog signal and optionally an identifier B603 which provides information about the type of analog signal being provided to distinguish it from allow multiple analog signals.
• Trigger signal B602 the converted analog word is taken into memory area B640 as a digital value in a register B610 and optionally together with the identifier B603, which is stored in B620 and possibly an additional signal B604 (which is 1 for the identification of an analogernwert), in the Memory B630 is stored.
• FIG. 17 shows a variant of a digital value stored in the same memory area.
• the digital value itself is stored, in B820 an optiona option is provided which, for example, indicates whether the digital value is to be compared at all or whether it may also contain further conditions for the comparison.
• the value 0 is then stored to indicate that it is a digital value.
• the sequence of the storage and possibly the A bit (B730 or B830) as well as the identifier B720 or B820 in conjunction with the converted digital value B710 or the digital value B810 are checked.
• the comparison is then event-controlled: whenever a value of a processor is transmitted to the UVE, it is checked whether the other participating processors have already provided such a value. If this is not the case, the value in the corresponding FIFO or
• the comparison is carried out directly, in which case the FIFO can serve as a memory. For example, a comparison is always completed if the FIFOs involved are not empty. If there are more than two processors or comparison signals involved, it can be determined by a voting whether all signals are allowed to be distributed (fail silent behavior) or, if necessary, only by an error signal of the

Landscapes

• Engineering & Computer Science (AREA)
• Theoretical Computer Science (AREA)
• Physics & Mathematics (AREA)
• General Engineering & Computer Science (AREA)
• General Physics & Mathematics (AREA)
• Software Systems (AREA)
• Quality & Reliability (AREA)
• Multimedia (AREA)
• Computer Hardware Design (AREA)
• Hardware Redundancy (AREA)

Applications Claiming Priority (7)

Publications (1)

Family

ID=35660482

Family Applications (1)

Country Status (6)

Families Citing this family (11)

Family Cites Families (6)

• 2005
  • 2005-10-25 CN CNA2005800365495A patent/CN101048755A/zh active Pending
  • 2005-10-25 KR KR1020077008954A patent/KR20070083732A/ko not_active Application Discontinuation
  • 2005-10-25 JP JP2007537296A patent/JP2008518304A/ja active Pending
  • 2005-10-25 US US11/666,185 patent/US20080320340A1/en not_active Abandoned
  • 2005-10-25 EP EP05801271A patent/EP1810149A1/de not_active Ceased
  • 2005-10-25 CN CNA2005800365300A patent/CN101048752A/zh active Pending
  • 2005-10-25 WO PCT/EP2005/055512 patent/WO2006045785A1/de active Application Filing

Non-Patent Citations (1)

Also Published As

Similar Documents

Legal Events