GB2282250A - Processor watchdog circuit. - Google Patents

Processor watchdog circuit. Download PDF

Info

Publication number
GB2282250A
GB2282250A GB9415766A GB9415766A GB2282250A GB 2282250 A GB2282250 A GB 2282250A GB 9415766 A GB9415766 A GB 9415766A GB 9415766 A GB9415766 A GB 9415766A GB 2282250 A GB2282250 A GB 2282250A
Authority
GB
United Kingdom
Prior art keywords
processor
output
circuit
code
comparator means
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
GB9415766A
Other versions
GB9415766D0 (en
Inventor
Stephen John Priddey
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Smiths Group PLC
Original Assignee
Smiths Group PLC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Smiths Group PLC filed Critical Smiths Group PLC
Publication of GB9415766D0 publication Critical patent/GB9415766D0/en
Publication of GB2282250A publication Critical patent/GB2282250A/en
Withdrawn legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/0796Safety measures, i.e. ensuring safe condition in the event of error, e.g. for controlling element
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/0703Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
    • G06F11/0751Error or fault detection not based on redundancy
    • G06F11/0754Error or fault detection not based on redundancy by exceeding limits
    • G06F11/0757Error or fault detection not based on redundancy by exceeding limits by exceeding a time limit, i.e. time-out, e.g. watchdogs
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/0703Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
    • G06F11/0751Error or fault detection not based on redundancy
    • G06F11/0763Error or fault detection not based on redundancy by bit configuration check, e.g. of formats or tags

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Hardware Redundancy (AREA)
  • Debugging And Monitoring (AREA)

Abstract

A watchdog circuit (3) for monitoring correct operation of a processor (1) and for preventing supply of a faulty output from the processor to associated apparatus (2) has a switching circuit (31) with two monostables (32 and 33) controlling a gate (30). The processor (1) supplies two codes to inputs of comparators (35 and 55), which also receive codes from hard-wired circuits (39 and 59) nominally-identical to the codes from the processor. The processor (1) has corruption circuits (41 and 51) through which the codes are alternately supplied so that the inputs to the comparators (35 and 55) differ alternately and hence their outputs alternate. The outputs from the comparators (35 and 55) are connected to the monostables (32 and 33) via a gate (34) so that the monostables keep the gate (30) open while the processor (1) is functioning correctly. The circuit may also be used with only one comparator, one hard-wired circuit etc, and then the processor only needs to supply one code (eg. 38) to the watchdog circuit. <IMAGE>

Description

2282250 ELECTRONIC CIRCUITS AND PROCESSING SYSTEMS This invention relates
to electronic circuits and processing systems.
The invention is more particularly concerned with circuits for detecting faulty operation of a processor within a processing system.
In some applications it is important to monitor the operation of a processor to detect incorrect operation. In a duplex system, detection of faulty operation can be used to switch out the faulty processor and switch in an alternative processor. Incorrect operation of the processor can be checked by means of a watchdog circuit. This watchdog circuit is driven by the processor periodically and a failure to do so results in the processor being interrupted or reset. This can result in an indeterminate output from the processor during operation of the watchdog circuit and thereby produce a safety hazard until the processor resumes its normal operation.
It is an object of the present invention to produce an improved circuit and processing system.
According to one aspect of the present invention there is provided an electronic circuit for monitoring correct operation of a processor and for preventing supply of a faulty output from the processor to associated apparatus, the circuit including switch means connected between the output of the processor and the associated apparatus, comparator means, means for supplying a first code to one input of the comparator means, the comparator means being arranged to receive periodically and alternately at a second input a second code from the processor that is nominally identical to the first code and that is dependent on correct operation of the processor, and a reset signal different from the second code, such that the output of the comparator means alternates between two different states, and the switch means being - 1) - responsive to the output of the comparator means and arranged to enable supply of the processor output to the associated apparatus only for as long as the output of the comparator means alternates within a predetermined range of alternation rates.
The switch means may include a monostable circuit triggered by the output of the comparator means and a gate controlled by an output of the monostable circuit. The switch means may include a first monostable circuit that produces a short duration pulse when triggered, a second monostable circuit connected to receive the output of the first monostable circuit, the second monostable circuit producing a pulse of longer duration than the first monostable circuit, and the second monostable circuit being connected to the gate, such that, when the comparator means alternates at a rate that produces a continuous output from the first monostable circuit, the second monostable circuit produces only one pulse and the gate subsequently prevents passage of signals from the processor to the apparatus. The circuit preferably includes a hard- wired circuit that produces the first code. The circuit may include second comparator means and means for supplying a third code to one input of the second comparator means, the second comparator means being arranged to receive periodically and alternately at a second input a fourth code from the processor that is nominally identical to the third code and that is dependent on correct operation of the processor, and a reset signal different from the third code, such that the output of the second comparator means alternates between two different states, the circuit including a gate having inputs connected to receive the outputs of the first and second comparators, and the gate having an output connected to the switch means.
According to another aspect of the present invention there is provided a system including a processor and a circuit according to the above one aspect of the present invention.
01- According to a further aspect of the present invention there is provided a system including a processor and an electronic circuit for monitoring correct operation of the processor and for preventing supply of a faulty output from the processor to associated apparatus, the circuit including switch means connected between the output of the processor and the associated apparatus, comparator means, means for supplying a first code to one input of the comparator means, the processor being arranged to supply periodically and alternately to a second input of the comparator a second code that is nominally identical to the first code and that is dependent on correct operation of the processor, and a reset signal different from the second code, such that the output of the comparator means alternates between two different states, and the switch means being responsive to the output of the comparator means and being arranged to enable supply of the processor output to the associated apparatus only for as long as the output of the comparator means alternates within a predetermined range of alternation rates.
The processor preferably includes a corruption unit, the reset signal being derived by passing the second code through the corruption unit. The circuit may include a second comparator means, the processor being arranged to supply a third code to one input of the second comparator means, the processor being arranged periodically and alternately to supply a fourth code to a second input of the second comparator means that is nominally identical to the third code and that is dependent on correct operation of the processor, and a reset signal different from the third code, such that the output of the second comparator means alternates between two different states, and the circuit including a gate having inputs connected to receive the outputs of the first and second comparators, and the gate having an output connected to the switch means.
A processing system including a circuit, in accordance with the present invention, will now be described, by way of example, with reference to the accompanying drawing, which shows the system schematically.
The system includes a processor 1 with its output connected to associated apparatus 2 via a watchdog circuit 3. The watchdog circuit 3 monitors correct operation of the processor 1 and, when it detects faulty operation, prevents the processor output being supplied to the apparatus. The watchdog circuit 3 may also switch in an alternative processor (not shown) to control the apparatus.
The watchdog circuit 3 has a logic gate 30 within a switching circuit 3 1. The logic gate 30 has two inputs, one of which is connected to receive the output of the processor 1. The output of the gate 30 provides the input to the apparatus 2.
The switching circuit 3 1 also includes a series connection of two monostable circuits 352 and 33 that provides the other input to the logic gate 30. The first of the monostable circuits.32 is connected to the output of an AND gate 3 34, the two inputs of which are connected to respective comparators 35 and 55.
The comparator 35 has two inputs 37 and 38, both receiving respective code words. The code word on one of the inputs 3 7 is derived fl---oma circuit 3 9 independent of the processor 1 and is preferably a simple hard-wired circuit. The other input 338 is derived from the processor 1 itself, such as by an algorithm executed by the processor, illustrated by the block 40 in the drawing. The code derived by the algorithm 40 is identical to that at the other input 37 as long as the processor 1 is functioning correctly, but differs from the hard-wired code if the processor develops a fault. The result of algorithm 40 is passed alternately directly to the comparator 35 and indirectly via a corruption unit 41 that alters the code. The corruption unit 41 may, for example, be an additional step in the algorithm that produces the 4 complement of the code.
The second comparator 55 similarly has two inputs 57 and 58 receiving code words from a circuit 59 independent of the processor 1 and from the processor itself The code supplied to the second comparator 55 is different from that supplied to the first comparator 35 and may be derived from a different algorithm 50 or from a modification of the algorithm 40.
In normal, correct operation of the processor 1, the processor provides two outputs to one input 3 8 and 5 8 of the respective comparators 3 5 and 5 5. The outputs of the processor I change alternately from being identical to and different from the other inputs 37 and 57 to the comparators. Thus, the outputs of the comparators 35 and 55 both switch simultaneously between a high output and a low output as the outputs from the processor I change. These two alternating signals are supplied to the AND gate 34 so that its output goes high when both inputs are high and remains low at other times. In normal use, therefore, the output of the gate 34 is an alternating pulsed signal at the frequency at which the processor output changes. This output is supplied to the first monostable circuit 32, which has a short time constant and is triggered by a low to high transition at its input. A pulse is, therefore supplied at the output of the first monostable circuit 32 every time that the processor I produces a correct code output. The pulse is cleared if the code words from the processor I are separated by a time sufficient to allow for the time constant of the monostable 32. The output from the first monostable circuit 32 appears at the in ut of the second monostable circuit 33, which has a longer time constant, p 10 typically of several seconds. The output of the second monostable circuit 33 goes high when it receives the output pulses from the first monostable circuit 32 and remains high as long as it receives another output pulse from the first monostable circuit within the period of the time constant.
If either of the correct code words ceases to be sent by the processor 1, the output of the respective comparator 3)5 or 55 will go low and the AND gate 3)4 will close, thereby terminating supply of pulses from the first monostable circuit 32 to the second circuit 3)3. The output of the second monostable circuit 333 will, therefore, go low after its time constant has decayed. This causes the logic gate 30 to close and prevents supply of the processor output to the associated apparatus 2.
If the correct code words are produced by the processor at too fast a rate, this can also be indicative of a fault in the processor. This will also be detected by the watchdog circuit 3 if the frequency of the code words from the processor I is such that the period between the code words is less than the time constant of the first monostable circuit 32. This would result in a continuous high output from the first monostable circuit 32 and would not trig er the second 1) =9 monostable more than once because there would be only one transition from a low to a high input. The switching circuit 3 1, in effect, enables supply of the output from the processor I to the apparatus 2 for as long as the output of the comparators 35 and 55 alternate within a predetermined range of alternation rates.
The gate 30 could have an inverting output so that a high output from the processor 1 produces a low output from the watchdog circuit, when functioning correctly.
Various modifications to the system are possible. For example, the watchdog circuit could have a single comparator instead of the two described above.
7

Claims (12)

  1. Claims
    An electronic circuit for monitoring correct operation of a processor and for preventing supply of a faulty output from the processor to associated apparatus, wherein the circuit includes switch means connected between the output of the processor and the associated apparatus, comparator means, means for supplying a first code to one input of the comparator means, wherein the comparator means is arranged to receive periodically and alternately at a second input a second code from the processor that is nominally identical to the first code and that is dependent on correct operation of the processor, and a reset signal different from the second code, such that the output of the comparator means alternates between two different states, and wherein the switch means is responsive to the output of the comparator means and is arranged to enable supply of the processor output to the associated apparatus only for as long as the output of the comparator means alternates within a predetermined range of alternation rates.
  2. 2. A circuit according to Claim 1, wherein the switch means includes a monostable circuit triggered by the output of the comparator means and a gate controlled by an output of the monostable circuit.
  3. 3. A circuit according to Claim 2, wherein the switch means includes a first monostable circuit that produces a short duration pulse when triggered, a second monostable circuit connected to receive the output of the first monostable circuit, the second monostable circuit producing a pulse of longer duration than the first monostable circuit, and wherein the second monostable circuit is connected to the gate, such that, when the comparator means alternates at a rate that produces a continuous output from the first monostable circuit, the second monostable circuit produces only one pulse and the gate subsequently prevents passage of signals from the processor to the apparatus.
  4. 4.
    8 A circuit according to any one of the preceding claims including a hardwired circuit, and wherein the hard-wired circuit produces the first code.
  5. A circuit according to any one of the preceding claims, wherein the circuit includes second comparator means and means for supplying a third code to one input of the second comparator means, wherein the second comparator means is arranged to receive periodically and alternately at a second input a fourth code from the processor that is nominally identical to the third code and that is dependent on correct operation of the processor, and a reset signal different from the third code, such that the output of the second comparator means alternates between two different states, wherein the circuit includes a gate having inputs connected to receive the outputs of the first and second comparators, and wherein the gate has an output connected to the switch means.
  6. 6. A circuit substantially as hereinbefore described with reference to the accompanying drawing.
  7. A system including a processor and a circuit according to any one of the preceding claims.
  8. 8. A system including a processor and an electronic circuit for monitoring correct operation of the processor and for preventing supply of a faulty output from the processor to associated apparatus, wherein the circuit includes switch means connected between the output of the processor and the associated apparatus, comparator means, means for supplying a first code to one input of the comparator means, wherein the processor is arranged to supply periodically and alternately to a second input of the comparator a second code that is nominally identical to the first code and that is dependent on correct operation of the processor, and a reset signal different from the second code, such that the output of the comparator means alternates between two 0 9 different states, and wherein the switch means is responsive to the output of the comparator means and is arranged to enable supply of the processor output to the associated apparatus only for as long as the output of the comparator means alternates within a predetermined range of alternation rates.
  9. 9. A system according to Claim 8, wherein the processor includes a corruption unit, and wherein the reset signal is derived by passing the second code through the corruption unit.
  10. 10. A system according to Claim 8 or 9, wherein the circuit includes second comparator means, wherein the processor is arranged to supply a third code to one input of the second comparator means, wherein the processor is arranged periodically and alternately to supply a fourth code to a second input of the second comparator means that is nominally identical to the third code and that is dependent on correct operation of the processor, and a reset signal different from the third code, such that the output of the second comparator means alternates between two different states, and wherein the circuit includes a gate having inputs connected to receive the outputs of the first and second comparators, and wherein the gate has an output connected to the switch means.
  11. 11. A system substantially as hereinbefore described with reference to the accompanying drawing.
  12. 12. Any novel feature or combination of features as hereinbefore described.
GB9415766A 1993-09-28 1994-08-04 Processor watchdog circuit. Withdrawn GB2282250A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB9319974A GB9319974D0 (en) 1993-09-28 1993-09-28 Electronic circuits and processing systems

Publications (2)

Publication Number Publication Date
GB9415766D0 GB9415766D0 (en) 1994-09-28
GB2282250A true GB2282250A (en) 1995-03-29

Family

ID=10742639

Family Applications (2)

Application Number Title Priority Date Filing Date
GB9319974A Pending GB9319974D0 (en) 1993-09-28 1993-09-28 Electronic circuits and processing systems
GB9415766A Withdrawn GB2282250A (en) 1993-09-28 1994-08-04 Processor watchdog circuit.

Family Applications Before (1)

Application Number Title Priority Date Filing Date
GB9319974A Pending GB9319974D0 (en) 1993-09-28 1993-09-28 Electronic circuits and processing systems

Country Status (3)

Country Link
DE (1) DE4430177A1 (en)
FR (1) FR2710765A1 (en)
GB (2) GB9319974D0 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0744693A1 (en) * 1995-05-09 1996-11-27 Hitachi, Ltd. Method and system for fail-safe error checking by providing plural series of check orders
US20120065823A1 (en) * 2010-09-13 2012-03-15 Denso Corporation Electronic control unit for vehicles

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE19780852D2 (en) 1996-08-12 1999-11-11 Papst Motoren Gmbh & Co Kg Method and arrangement for monitoring a microprocessor
DE19847986C2 (en) * 1998-10-17 2000-10-26 Daimler Chrysler Ag Single processor system
DE10211571B4 (en) 2002-03-15 2006-03-02 Infineon Technologies Ag Device and method for monitoring a state of an electronic component, in particular a fuse

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE3732973A1 (en) * 1987-09-30 1989-04-20 Vdo Schindling Circuit arrangement for fault monitoring of two calculation results of a microprocessor
US4956807A (en) * 1982-12-21 1990-09-11 Nissan Motor Company, Limited Watchdog timer

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4398233A (en) * 1982-03-03 1983-08-09 Electronics Corporation Of America Fail-safe device for electronic control circuit
DE3240704A1 (en) * 1982-11-04 1984-05-10 Robert Bosch Gmbh, 7000 Stuttgart Circuit arrangement for monitoring electronic computer chips
GB2197508A (en) * 1986-11-03 1988-05-18 Philips Electronic Associated Data processing system with watchdog

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4956807A (en) * 1982-12-21 1990-09-11 Nissan Motor Company, Limited Watchdog timer
DE3732973A1 (en) * 1987-09-30 1989-04-20 Vdo Schindling Circuit arrangement for fault monitoring of two calculation results of a microprocessor

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
WPI Abstract accession No. 89-123098/17 & DE-A-3732973 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0744693A1 (en) * 1995-05-09 1996-11-27 Hitachi, Ltd. Method and system for fail-safe error checking by providing plural series of check orders
US20120065823A1 (en) * 2010-09-13 2012-03-15 Denso Corporation Electronic control unit for vehicles

Also Published As

Publication number Publication date
FR2710765A1 (en) 1995-04-07
GB9319974D0 (en) 1993-11-17
DE4430177A1 (en) 1995-03-30
GB9415766D0 (en) 1994-09-28

Similar Documents

Publication Publication Date Title
US4635258A (en) System for detecting a program execution fault
KR970033926A (en) Elevator operation analysis method and apparatus
KR970066767A (en) Fault Monitoring System of Microcomputer System
SK95895A3 (en) Control and regulating of doors driven by an electromechanical motor
GB2282250A (en) Processor watchdog circuit.
EP0127072B1 (en) Control system with a microprocessor
US4554507A (en) Arrangement for testing the operability of a semiconductive device
US4880994A (en) Method and device for the redundant control of a power controlled unit
EP0460643B1 (en) Emergency circuit for, e.g., numerical control unit
DE69223020D1 (en) Fault detection in a redundant duplex system
US3968489A (en) Apparatus for monitoring the operation of heater controllers
JPS61276497A (en) Method for recognizing deadlock
JP2023531400A (en) Device and method for control of safety devices
RU2099778C1 (en) Device for object control
GB2237461A (en) Monitoring faults in electric circuit arrangements
KR100277457B1 (en) Interlocking system control device and method of railway
GB2159988A (en) Safety device
SU1537856A1 (en) Vibration of limiter for gas-turbine engine
SU666518A1 (en) Control system monitoring device
SU545996A1 (en) Display device
KR970000967Y1 (en) Double circuit for signal output in a oscillation sensor
CS258345B1 (en) Connection for materials&#39; position determination in continuous technological processes
JPH04367944A (en) Method and device for detecting fault
JP2005346375A (en) Plant facility control system and method for controlling plant facility
JPH0337738A (en) Runaway detection system for cpu circuit

Legal Events

Date Code Title Description
WAP Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1)