GB2379527A - Fault intolerant processor arrangement - Google Patents


Info

Publication number
GB2379527A
Authority
GB
United Kingdom
Prior art keywords
processor
counter
count
program
arrangement according
Prior art date
Legal status
Granted
Application number
GB0121862A
Other versions
GB0121862D0 (en)
GB2379527B (en)
Inventor
Nicholas Swift
Richard Grant Oliver
Current Assignee
Marconi Communications Ltd
BAE Systems Electronics Ltd
Original Assignee
Marconi Communications Ltd
Marconi Co Ltd
Application filed by Marconi Communications Ltd, Marconi Co Ltd
Priority to GB0121862A
Publication of GB0121862D0
Publication of GB2379527A
Application granted
Publication of GB2379527B
Anticipated expiration
Expired - Fee Related

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/0703Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
    • G06F11/0751Error or fault detection not based on redundancy
    • G06F11/0754Error or fault detection not based on redundancy by exceeding limits
    • G06F11/0757Error or fault detection not based on redundancy by exceeding limits by exceeding a time limit, i.e. time-out, e.g. watchdogs

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

A processor arrangement (2) comprises: a processor (4) for processing data in accordance with a program selected from a number programs and a processor supervisor (6) for ensuring fault free operation of the processor. Each program is of type that has been coded such that it takes a known fixed number of clock cycles to execute. The processor (4) includes watchdog means for generating a signal (Watch) indicative of when it completes the selected program. The processor supervisor (6) comprises a counter (22) and control means (20) for setting the counter to a preset count in dependence upon the program selected, the preset count being related to the number of clock cycles to execute the selected program. The control means is operable to detect if the counter reaches a known end count (Count END) and the watchdog means generates its signal (Watch) at substantially the same time indicative of fault free operation of the processor. In the event that they do not occur at the same time the control means is operable to stop further operation of the processor.

Description

FAULT INTOLERANT PROCESSOR ARRANGEMENT

This invention relates to a processor arrangement and more especially a fault intolerant processor arrangement.
In certain applications, such as for example safety monitoring, safety critical operations or encryption of commercially sensitive data in a communications system, it is desirable to stop further operation of the processor upon detection of a fault arising in the software or hardware. Such processors are termed fault intolerant and are to be contrasted with the more common "fault tolerant" processors which are reset upon detection of a fault, thereby minimising its effect.
An example of a fault intolerant processor arrangement comprises two identical processors which are operable to simultaneously execute the same software, the processed results of the two processors being compared. Any difference between the results is taken as indicating that a fault has arisen and further operation of the processors is stopped. A disadvantage of such an arrangement is that the duplication of the processors adds to the complexity and hence cost of the arrangement. Furthermore such an arrangement is unable to detect faults arising in the coding of software.
The present invention has arisen in an endeavour to provide a fault intolerant processor arrangement which, in part, at least, overcomes the limitations of the known arrangements.
According to the present invention a processor arrangement comprises: a processor for processing data in accordance with a program selected from a number of programs, each program being of a type that takes a known fixed number of clock cycles to execute, the processor including watchdog means for generating a signal indicative of when it completes the selected program; and is characterised by a processor supervisor comprising a counter and control means for setting the counter to a preset count in dependence upon the program selected, the preset count being related to the number of clock cycles to execute the selected program, the control means being further operable for detecting if the counter reaches a known end count and the watchdog means generates its signal at substantially the same time, indicative of fault free operation, and being operable to stop operation of the processor if they do not occur at substantially the same time.
Advantageously the processor supervisor is operable to generate the clock for operating the processor and in the event of a fault being detected stops operation of the processor by stopping the processor clock. With such an arrangement the processor is advantageously a static device, that is there is a direct relationship between an external clock applied to the processor and any clock generated internally within the processor and consequently the processor stops immediately in the absence of the external clock.
Advantageously the processor arrangement further comprises switching means for selectively enabling data to be output from the processor during fault free operation and for blocking data output when a fault is detected. Such switching means prevent data being output upon detection of a fault even if the processor were to continue to operate in the absence of an external clock.
In a preferred implementation the counter is a down counter. With such an arrangement the preset count is conveniently equal to the number of clock cycles to execute the selected program and the pre-selected end count is accordingly always zero.
Alternatively the counter is an up counter.
Preferably the control means includes a logic gate arrangement which is operable to produce a signal that changes state when the counter reaches the known end count. Advantageously the control means further comprises an exclusive OR gate for detecting if the watchdog and end count signals do not change state at substantially the same time.
Preferably the processor supervisor is implemented as a field programmable gate array or complex programmable logic device.
In order that the invention can be better understood a processor arrangement in accordance with the invention will now be described by way of example only with reference to the accompanying drawings in which:
Figure 1 is a schematic representation of a processor arrangement in accordance with the invention;
Figure 2 is a schematic representation of a part of the processor arrangement of Figure 1;
Figure 3 shows timing diagrams for the processor arrangement of Figures 1 and 2 for fault free operation;
Figure 4 shows timing diagrams for the processor arrangement of Figures 1 and 2 when a first fault occurs; and
Figure 5 shows timing diagrams for the processor arrangement of Figures 1 and 2 when a second fault occurs.
Referring to Figure 1 there is shown a processor arrangement 2 in accordance with the invention which comprises a microprocessor (µP) 4 and processor supervisor 6. The processor supervisor 6 is for supervising correct, fault free, operation of the processor 4 and upon detecting a fault is operable to stop operation of the processor 4 and generate an alarm signal.
The processor arrangement 2 is intended to be used as part of a communication system, for example a mobile telephone, to encrypt commercially sensitive data, such as credit card details, prior to transmission using one of a number of pre-programmed tasks (Task Prog). In such an application it is desirable that fault free operation of the arrangement can be guaranteed to prevent un-encrypted data being transmitted and intercepted by an unauthorised user.
In the embodiment described the microprocessor 4 comprises a low power 32 bit ARM processor having integral RAM 8, 10 for program and data storage respectively. The program memory 8 is divided into storage of task programs (Task Prog), i.e. pre-programmed tasks that the processor is required to carry out such as for example encryption of data, and a finite state machine kernel (FSMK) which contains the code needed for controlling operation of the CPU. The task program is selected in dependence upon a Task Selection (Task Sel) signal. The processor 4 also includes a number, four in the embodiment illustrated, of general purpose input output registers (GPIO Reg) 12, 14, 16, 18. The first GPIO Reg 12 is used to load data (Data i/p) into the data memory 10 for processing, the second 14 is used to output processed data (Data o/p), the third 16 is used to input the task selection and the fourth 18 is used to output a watchdog signal (Watch) indicative of when the processor has completed the selected task program.
It is to be noted that the processor 4 is, preferably though not necessarily, of a type herein termed "static". That is, there is a direct relationship between an external clock (Proc CK) applied to the processor and any clock generated internally within the processor. As a result operation of a static processor stops immediately in the absence of the external clock, Proc CK. Static processors are to be contrasted with certain other processors, which also use an external clock, but which lock their internal clock onto the external reference and will continue to operate even in the absence of an external clock.
Since the processor 4 is of known configuration and its operation well documented its operation is not described in detail. Suffice it to say each task is made up of at least two phases. In the first phase, termed data processing phase, the task selection is made, data to be processed is loaded into the RAM 10 and processing is then performed in accordance with the selected task program. In the second phase, termed data output phase, the processed data is output from the microprocessor.
The processor supervisor 6, the subject of the present invention, comprises a finite state machine (FSM) 20, a counter 22, logic circuitry 24 and a processor clock generator 26.
For ease of fabrication the processor supervisor 6 is implemented as a field programmable gate array (FPGA)/complex programmable logic device (CPLD).
The FSM 20 includes memory 20a, 20b for storing the current task selection (Task Sel) and task execution times (code profiles) for executing the selected task. In common with the task programs of the processor the FSM 20 is programmed with the same set of rules for each selected task. The FSM 20 is operable to generate clock enable (CK EN), output enable (o/p EN), preset count, and count enable (Count EN) signals. The preset count signal is applied to a load input of the counter 22 for setting the counter to a selected starting count. The count enable signal (Count EN) is applied to an enable input of the counter 22 to enable/disable operation of the counter in dependence upon a clock source (CK) 28. The processor clock generator 26 conveniently comprises an AND gate whose inputs are connected to the source clock (CK) and clock enable signal (CK EN). The outputs Q0-Qx of the counter are connected to the logic circuitry 24 which is operable to produce a signal, Count END, which changes state when the counter reaches a pre-selected end count. The count end signal is applied to the FSM 20.
The logic circuitry is also operable to produce the alarm signal in dependence upon the states of the Watch and Count END signals.
The processor arrangement 2 further comprises a switch 30 connected to the GPIO Reg 14 which is operable to selectively enable/disable output data from the processor arrangement in dependence upon an output enable signal (o/p EN) which is generated by the FSM 20.
Referring to Figure 2 the processor supervisor is shown in greater detail. In this embodiment the counter 22 is a sixteen bit down counter. The logic circuitry 24 comprises a sixteen input NOR gate 32 whose inputs are connected to a respective output of the counter. It will be appreciated that the output of the NOR gate 32 will have a "LOW" logic state for all counts other than zero and will change to a "HIGH" logic state when the counter 22 reaches a count of zero. The signal, Count END, output at the NOR gate is indicative of when the counter reaches a pre-determined count. This signal is respectively applied to the FSM 20 and to one input of an Exclusive OR (EX OR) gate 34. The Watchdog signal, Watch, from the microprocessor 4 is applied to a second input of the EX OR gate 34. The output of the gate 34 is connected to an input, D, of a latch 36 which is clocked by the source clock, CK, 28. The output, Q, of the latch 36 is used to derive the alarm signal which is applied to the FSM 20. The Alarm signal will change state if the Count END and Watch signals have different logic states when CK changes state (logic "low" to "high" in the example described).
The operation of the processor arrangement during fault free operation of a task x will now be described with reference to the timing diagrams of Figure 3. The first diagram represents the source clock CK.
At time t0 the task selected, Task Sel, is applied to both the microprocessor 4 and the FSM 20 of the processor supervisor 6. It is to be noted that the task programs are coded such that for each task the execution of each phase is completed in a known, fixed, number of clock cycles. For task x the data processing phase is always completed in "n" clock cycles and the data output phase in "m" clock cycles. These constant values n, m are referred to hereafter as code profiles, or code profile constants, and are stored in the ROM 20b of the FSM 20 of the processor supervisor. The current Task Sel is used as a look-up address for the ROM 20b to determine the corresponding code profile constants "n" and "m". At time t0 the FSM fetches the appropriate code profile (preset Count "n") for the data processing phase for task x and loads this value into the down counter 22.
At time t1 the FSM 20 sets the count enable (Count EN) signal high to activate the counter 22 to count down. At time t2, after n clock cycles, the counter reaches a count of zero, at which time Count END changes to a "high" state and Count EN is set low to stop further operation of the counter. For fault free operation the data processing phase has also finished and the processor accordingly changes the state of the watchdog, Watch, to a "high" state. Since both Count END and Watch continue to have the same logic state, the state of the latch 36, Alarm, remains unchanged. The data processing phase of the current task x is now complete.
At time t3 the FSM loads the appropriate code profile (preset Count "m") for the data output phase for task x into the down counter 22. At time t4 the FSM 20 sets the Count EN and o/p EN signals high to set the counter to count down and to enable the output of data from the processor. At time t5, after m clock cycles, the counter once again reaches a count of zero, at which time Count END correspondingly changes to a "high" state.
For fault free operation, the data output phase will also have finished and the processor accordingly changes the state of the watchdog signal Watch to a "high" state. Since both Count END and Watch have the same logic state, the state of the latch 36, Alarm, remains unchanged. The data output phase of the task x is now complete. At a time t6 a next task y is selected and the processor arrangement continues to operate in a like manner.
Referring to Figure 4 there is shown a further set of timing diagrams for the processor arrangement when a first fault condition in the processor arises, that is the counter reaches a count of zero before the processor has completed the data processing phase of the selected task. For comparative purposes a part of some of the timing diagrams for fault free operation is illustrated as broken lines. At time t7 the counter reaches a count of zero and Count END accordingly changes to a "high" state. At this time the processor has not completed data processing so that Watch remains "low". Since the logic states of Count END and Watch are now different, the latch 36 changes state and its output, Alarm, is set "high" indicating a fault has arisen. Once an Alarm signal is detected the FSM 20 stops further operation of the processor by setting CK EN to a "low" state.
Referring to Figure 5 there is shown a further set of timing diagrams for the processor arrangement when the converse fault condition in the processor arises, that is the processor has finished data processing (at time t8) before the counter reaches a count of zero.
It will be appreciated that the processor supervisor of the present invention will in a like manner also detect a fault arising in the data output phase. In such a phase the FSM is additionally operable to set o/p EN low when an alarm condition arises to eliminate any likelihood of incorrectly processed data being output from the arrangement.
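The two-phase supervision described above, as an added cycle-level model that is not the patent's own code: the Supervisor class, run_phase, run_task and the sample code profiles are assumptions made here, and Watch is modelled as a level that rises once the processor has spent a given number of cycles in a phase. It exercises the fault-free case, the early-Watch fault of Figure 4, the late-Watch fault of Figure 5 and an absent Watch in the output phase.

```python
"""Cycle-level model of the processor supervisor (added example, not the
patent's code). Supervisor, run_phase, run_task and the sample code
profiles below are assumptions made for this illustration."""

# Code profiles per task: (n, m) = clock cycles for the data processing
# phase and the data output phase. Constructed sample values.
CODE_PROFILES = {
    "task_x": (8, 4),
    "task_y": (12, 6),
}

COUNTER_BITS = 16  # the embodiment uses a sixteen-bit down counter


class Supervisor:
    """Models the FSM, the down counter, the NOR gate (Count END), the
    EX-OR gate and the CK-clocked alarm latch of the processor supervisor."""

    def __init__(self):
        self.counter = 0
        self.count_en = False   # Count EN
        self.ck_en = True       # CK EN: gates the processor clock (AND gate)
        self.op_en = False      # o/p EN: controls the output switch
        self.alarm = False      # latch output; sticky once set

    def load(self, preset_count):
        """Load the code profile constant into the down counter."""
        if not 0 < preset_count < (1 << COUNTER_BITS):
            # a zero or out-of-range profile cannot be supervised
            raise ValueError("preset count outside counter range")
        self.counter = preset_count

    def count_end(self):
        """Sixteen-input NOR: high only when every counter bit is zero."""
        return self.counter == 0

    def clock(self, watch):
        """One rising edge of CK; `watch` is the processor's Watch level."""
        if self.count_en and self.counter > 0:
            self.counter -= 1
        # EX-OR of Count END and Watch feeds the latch: any cycle in which
        # the two differ (Watch early, late or absent) latches the alarm
        if self.count_end() != watch:
            self.alarm = True
        if self.alarm:
            self.ck_en = False  # stop Proc CK: a static processor halts
            self.op_en = False  # block data output regardless of CK
        return self.alarm


def run_phase(sup, preset_count, watch_at, enable_output=False):
    """Supervise one phase. The processor raises Watch once it has spent
    `watch_at` cycles in the phase (None: never). Returns the cycle at
    which the alarm latched, or None for a fault-free phase."""
    sup.load(preset_count)
    sup.count_en = True
    sup.op_en = enable_output
    for cycle in range(1, preset_count + 1):
        watch = watch_at is not None and cycle >= watch_at
        if sup.clock(watch):
            sup.count_en = False
            return cycle
    sup.count_en = False  # Count END and Watch rose together: phase done
    return None


def run_task(task, processing_cycles, output_cycles):
    """Run `task` on a processor that actually spends the given numbers of
    cycles in its two phases. Returns (faulty phase or None, alarm cycle
    or None, processor clock still running, output still enabled)."""
    n, m = CODE_PROFILES[task]
    sup = Supervisor()
    fault = run_phase(sup, n, processing_cycles)
    if fault is not None:
        return ("processing", fault, sup.ck_en, sup.op_en)
    fault = run_phase(sup, m, output_cycles, enable_output=True)
    if fault is not None:
        return ("output", fault, sup.ck_en, sup.op_en)
    return (None, None, sup.ck_en, sup.op_en)


if __name__ == "__main__":
    print("fault free:   ", run_task("task_x", 8, 4))
    print("Watch early:  ", run_task("task_x", 7, 4))
    print("Watch late:   ", run_task("task_x", 9, 4))
    print("Watch absent: ", run_task("task_x", 8, None))
```

Note that a late or absent Watch is only detected when Count END rises, so the alarm for that case lands at cycle n (or m), whereas an early Watch is caught in the very cycle it appears.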
In the foregoing description the FSM 20 controls operation of the processor 4 in a two-phase sequence; a data processing phase followed by a data output phase. In each of these phases the FSM uses the current task selection, Task Sel, as a look-up address for the ROM 20b to determine the appropriate code profile (pre-selected count) for setting the counter 22 and then comparing when the counter reaches a count of zero (Count END) and the Watch signal changes logic state. In other embodiments of the invention it is envisaged that the FSM provides further control of the processor such as for example enforcing rules about task ordering, e.g. ensuring a certain task is only performed if certain other tasks have already been performed.
The arrangement described thus far will detect an error in the execution of the task if the watchdog signal transition occurs in an earlier clock cycle, or if the transition does not occur at all within the current phase. In addition to testing for correct execution of each task it is preferred that the processor supervisor additionally validates the integrity of integral control and data paths within the processor 2. In Figure 1 the program part of the control path and data path are represented as separate data buses 38, 40 respectively.
More typically the processor will have a Von Neumann architecture, i.e. the same bus structure is shared for both program 8 and data 10 memory access. Testing of the control paths is achieved by a section of code which only completes to its designated end point at a designated time if it has followed the correct conditional branches.
A processor having a validated control path can reasonably test the integrity of its data path. The self tests preferably compare computed results with predetermined constants stored in the data memory 10. This is further complemented by Cyclic Redundancy Checking of program memory 8 and of constant data memory areas 10, which provides confidence that these areas can be correctly accessed and have not become corrupted.
The processor would typically perform all such tests at the beginning of the first phase of a given task. The test routines would be coded to produce an early watchdog transition, triggering an immediate alarm, on failure of any test.
A particular benefit of the processor arrangement of the present invention is that it is able to validate the integrity of its control/data paths without requiring direct access to them. A further advantage of the invention is relative simplicity enabling it to be readily implemented using simple logic gates.
It will be appreciated that the present invention is not limited to the specific embodiment described and that modifications can be made which are within the scope of the invention. For example whilst it is desirable to use a static microprocessor other processors can be used and their operation disabled upon an alarm signal being generated.
For ease of fabrication it is preferred to use a down counter which is loaded with a preset count, the code profile constant, and then allowed to count down to zero as the decode logic then comprises a simple NOR function. Other counter arrangements can be used with appropriate modification to the logic. For example the counter could be set to a preset count and allowed to count up to a pre-determined state or count down to a predetermined value or values other than zero. In such arrangements the code profile constant corresponds to a difference value rather than the absolute number of clock cycles for the selected task.

Claims (11)

1. A processor arrangement (2) comprising: a processor (4) for processing data in accordance with a program selected from a number of programs, each program being of a type that takes a known fixed number of clock cycles to execute, the processor (4) including watchdog means for generating a signal (Watch) indicative of when it completes the selected program; characterised by processor supervisor means (6) comprising a counter (22), control means (20) for setting the counter to a preset count in dependence upon the program selected, the preset count being related to the number of clock cycles to execute the selected program, the control means being further operable for detecting if the counter reaches a known end count and the watchdog means generates its signal at substantially the same time indicative of fault free operation and being operable to stop operation of the processor if they do not occur at substantially the same time.
2. A processor arrangement according to Claim 1 in which the processor supervisor generates the clock for operating the processor and in the event of a fault being detected stops operation of the processor by stopping the processor clock.
3. A processor arrangement according to Claim 2 in which the processor is a static device as hereinbefore defined.
4. A processor arrangement according to any preceding claim and further comprising switching means for selectively enabling data to be output from the processor during fault free operation and for blocking data to be output when a fault is detected.
5. A processor arrangement according to any preceding claim in which the counter is a down counter.
6. A processor arrangement according to Claim 5 in which the preset count is equal to the number of clock cycles to execute the selected program and the pre-selected end count is zero.
7. A processor arrangement according to any one of Claims 1 to 4 in which the counter is an up counter.
8. A processor arrangement according to any preceding claim in which the control means includes a logic gate arrangement which is operable to produce a signal that changes state when the counter reaches the known end count.
9. A processor arrangement according to Claim 8 in which the control means further comprises an exclusive OR gate for detecting if the watchdog and end count signals do not change state at substantially the same time.
10. A processor arrangement according to any preceding claim in which the processor supervisor means is implemented as a field programmable gate array or complex programmable logic device.
11. A processor arrangement substantially as hereinbefore described with reference to and substantially as illustrated in the accompanying drawings.

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB0121862A GB2379527B (en) 2001-09-11 2001-09-11 Fault intolerant processor arrangement

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB0121862A GB2379527B (en) 2001-09-11 2001-09-11 Fault intolerant processor arrangement

Publications (3)

Publication Number Publication Date
GB0121862D0 GB0121862D0 (en) 2001-10-31
GB2379527A true GB2379527A (en) 2003-03-12
GB2379527B GB2379527B (en) 2003-11-26

Family

ID=9921825

Family Applications (1)

Application Number Title Priority Date Filing Date
GB0121862A Expired - Fee Related GB2379527B (en) 2001-09-11 2001-09-11 Fault intolerant processor arrangement

Country Status (1)

Country Link
GB (1) GB2379527B (en)

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4956807A (en) * 1982-12-21 1990-09-11 Nissan Motor Company, Limited Watchdog timer
US4926427A (en) * 1986-09-30 1990-05-15 Siemens Aktiengesellschaft Software error detection apparatus

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7958396B2 (en) 2006-05-19 2011-06-07 Microsoft Corporation Watchdog processors in multicore systems
WO2017212152A1 (en) * 2016-06-08 2017-12-14 Continental Automotive France Circuit for detecting systematic and random faults
FR3052575A1 (en) * 2016-06-08 2017-12-15 Continental Automotive France CIRCUIT FOR DETECTION OF SYSTEMATIC AND RANDOM FAILURES
US20190138406A1 (en) * 2016-06-08 2019-05-09 Continental Automotive France Circuit for detecting systematic and random faults
US11256580B2 (en) * 2016-06-08 2022-02-22 Continental Automotive France Circuit for detecting systematic and random faults

Also Published As

Publication number Publication date
GB0121862D0 (en) 2001-10-31
GB2379527B (en) 2003-11-26

Legal Events

Date Code Title Description
PCNP Patent ceased through non-payment of renewal fee

Effective date: 20100911