WO2015017590A1 - Power supply diagnostic strategy - Google Patents

Power supply diagnostic strategy

Publication number
WO2015017590A1
Authority
WO
WIPO (PCT)
Prior art keywords
value
diagnostic
distinct
control
operating
Prior art date
Application number
PCT/US2014/048986
Other languages
English (en)
French (fr)
Inventor
Kerfegar K. KATRAK
Original Assignee
Trw Automotive U.S.Llc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Trw Automotive U.S.Llc
Priority to CN201480042821.XA (patent CN105452985B)
Priority to DE112014003506.8T (patent DE112014003506T5)
Publication of WO2015017590A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F1/00 Details not covered by groups G06F3/00 - G06F13/00 and G06F21/00
    • G06F1/26 Power supply means, e.g. regulation thereof
    • G06F1/28 Supervision thereof, e.g. detecting power-supply failure by out of limits supervision

Definitions

  • This invention relates in general to a method of analyzing and monitoring discrete power supply diagnostic states, and particularly to analyzing computer microprocessor system voltages.
  • Linked memory random hardware failures can occur along the edges or lattices in planar memory.
  • planar memory structures it is possible to have 1, 2, 4, 6, 8, 12, and 16 common lattices.
  • 4 lattices or edges occur when either 2 strips of planar memory set up back to back along with 2 other parallel strips of planar memory.
  • the planar memory structure lattices were typically used by CISC
  • the approach in this invention for monitoring discrete power supply diagnostic states is independent of the underlying memory structure.
  • the values used are selected to ensure that random hardware linked errors will be detected. This applies to either planar memory structures with 1, 2, 4, 6, 8, 12, and 16 common lattices, or physical memory structures with individual bit dispersed memories with 1, 2, 4, 6, 8, 12, and 16 consecutive bit splices.
  • a method for diagnosing the status of an operating voltage comprising the steps of: (a) using a processor to read an operating voltage and to determine one of the following states: (1) “no” over voltage (OV), “no” under voltage (UV); (2) “no” OV, “yes” UV; (3) “yes” OV, “no” UV or (4) “yes” OV, “yes” UV; (b) assigning a distinct byte value for each of the states identified in step (a), wherein the distinct values are selected having a hamming distance of at least 4 between functional and failure mode values; and (c) storing an operating status value corresponding to the determined operating state in a designated memory location of the processor.
  • Each distinct byte value of step (b) may include an upper significant nibble (USNb) and a lower significant nibble (LSNb), wherein all of the USNbs are distinct and are selected having a hamming distance of at least 2, and all the LSNbs are distinct and are selected having a hamming distance of at least 2.
  • each of the USNbs and LSNbs are chosen from an unbalanced set of nibble values, and are chosen for each distinct value such that they are not complements of one another.
  • the distinct byte value may be checked for a match with one of a group of defined values and, if there is a match, the distinct byte value is stored as the operating status value and, if there is no match, a separate "no match" value is stored.
  • the distinct byte value of step (b) is a lower byte of a word and further includes the step of assigning an upper byte value to the word, the upper byte value including a USNb and a LSNb, and wherein one of the USNb and LSNb is a monitored voltage identifier and the other one is a control/diagnostic path identifier.
  • each of the USNbs and LSNbs are chosen from a balanced set of nibble values. The use of the upper byte ensures each monitored voltage table remains distinct even with compiler optimization activated.
  • a method for diagnosing the status of an operating voltage comprising:
  • step (b) assigning a distinct control byte value for each of the control states identified in step (a);
  • step (d) using the processor of step (a) to read the operating voltage and to determine one of the following diagnostic states: (1) “no” OV, “no” UV; (2) “no” OV, “yes” UV; (3) “yes” OV, “no” UV or (4) "yes” OV, "yes” UV;
  • step (e) assigning a distinct diagnostic byte value for each of the states identified in step (d);
  • step (g) comparing the operating control status value with the operating diagnostic status value to determine whether the control voltage state read in step (a) agrees with the diagnostic voltage state read in step (d).
  • each distinct control byte value of step (b) includes a USNb and a LSNb, and all of the USNbs and LSNbs are distinct.
  • each distinct diagnostic byte value of step (f) includes a USNb and a LSNb, and all of the USNbs and LSNbs are also distinct.
  • the USNb and LSNb of the diagnostic byte value are mirrored with respect to the USNb and LSNb of the corresponding control byte value.
  • both the USNb and LSNb of the diagnostic byte value are compared to the mirrored USNb and LSNb of the corresponding control byte value.
  • SECDED Single bit Error Correction and Double bit Error Detection
  • the distinct control byte value is checked for a match with one of a group of defined control values and, if there is a match, the distinct control byte value is stored as the operating control status value and, if there is no match, a separate "no match” control value is stored.
  • the distinct diagnostic byte value is checked for a match with one of a group of defined diagnostic values and, if there is a match, the distinct diagnostic byte value is stored as the operating diagnostic status value and, if there is no match, a separate "no match” diagnostic value is stored.
  • a method of analyzing a power supply system wherein a source input voltage is supplied to a first processor and an output voltage is generated by the first processor comprising the steps of: (a) using the first processor to determine a source operating status of the source input voltage; (b) using a second processor to determine an output operating status of the output voltage from the first processor; (c) sending the source operating status to the second processor; and (d) using the processor to analyze the source and output statuses to determine a system diagnosis as a function of both the source and output statuses.
  • the source operating status is sent to the second processor with no checksum or cyclic redundancy check (CRC).
  • FIG. 1 is a block diagram showing one example of an operating system
  • FIG. 2 is a block diagram of a portion of the power supply monitoring system of FIG. 1 ;
  • FIG. 3 is a representative table showing a method of segregating a group of binary nibble values into a balanced Set 1 and an unbalanced Set 2 of values for use in forming a lower byte;
  • FIG. 4 is a table showing the various nibble values which are available for forming either the control word or the diagnostic word;
  • FIG. 5 is a table showing various embodiments of the lower byte word values that can be selected to identify the four monitored voltage states
  • FIG. 6 is an embodiment of a method, similar to FIG. 5, that includes columns showing selection of the upper significant nibble and lower significant nibble to form the lower byte values;
  • FIG. 7 is yet another embodiment of a method, similar to FIG. 6, that includes columns showing storage of a control stored value, the method including a decision dependent on whether the control status value matches or deviates from a defined value;
  • FIG. 8 is an embodiment of a method, similar to FIG. 7, further adding a diagnostic path table
  • FIG. 9 is an embodiment of a method, similar to FIG. 7, further adding a second monitored voltage (Vb) table to the first monitored voltage (Va) table of FIG. 7;
  • FIGS. 10a and 10b illustrate a combination of the control and diagnostic tables for both monitored voltages Va and Vb;
  • FIG. 11 is a flowchart of an algorithm of a method configured to prevent systematic errors when storing power supply states in memory location;
  • FIG. 12 is a flowchart of an embodiment of a method including a diagnostic approach to determine where a power supply error occurs and whether or not that error is systematic;
  • FIGS. 13a and 13b illustrate a combination of the control and diagnostic tables, similar to FIGS. 10a and 10b, showing the control and diagnostic stored values used when the associated microprocessor includes Single bit Error Correction and Double bit Error Detection (SECDED).
  • This invention concerns various embodiments directed to the efficient distribution and failsafe monitoring of power in a microcontroller system. While the various embodiments are particularly suitable for use in vehicular applications (including both automotive and truck), it will be readily appreciated that the invention and its various embodiments can be used, either singly or collectively, in other control applications having similar operating requirements.
  • the inventions are used in a Multiple ASIL Optimized Power Supply Architecture for an electronic control module used for supervisory input processing (radar, camera, etc.) and output commands (engine torque, transmission torque, steering angle or torque, brake commands or torque, suspension commands, etc.) for driver assistance systems.
  • the various inventions provide an integrated method or apparatus for an electronic module safety architecture which includes diversity, time and space independence for power supplies for the varied ASIL microprocessors and vehicle communication buses.
  • Fig. 1 is a block diagram showing one example of an operating environment for a power supply architecture embodying the principles of the invention, wherein the invention is utilized as a power supply in a vehicle control system.
  • the functional aspects of the Multiple ASIL Optimized Power Supply Architecture of the electronic module may be characterized as follows:
  • a. includes two high integrity ASIL D compatible microprocessors (1A and 1B) for supervisory input processing and output commands for driver assistance systems.
  • b. receives the input processing and output command information from two or more pairs of automotive communication buses (CAN, Flexray, etc.).
  • each communication bus transfers high integrity information.
  • Each external bus type has a complementary role if one of them is severed. As shown in Figs. 1 and 2, each communication bus receives power from a separate and independent power supply.
  • c. includes one other high throughput processing microprocessor
  • microprocessor 2A with external memory.
  • the microprocessor 2A may have a quality management (non-ASIL) hardware requirement.
  • the microprocessor 2A may have a higher level designation, such as ASIL B.
  • microprocessors 1A and 2A may be used predominantly for control and microprocessor 1B may be used predominantly for checking
  • microprocessor 1A and 2A are microprocessor 1A and 2A.
  • for a minimal set of functions microprocessor 1B is used for control, and for these functions microprocessor 1A is used for checking.
  • f. providing independence between the 2 high integrity Automotive Safety Integrity Level (ASIL D) microprocessors (1A and 1B) and the high throughput processing quality management microprocessor (microprocessor 2A) with ASIL B monitoring for external microprocessor hardware.
  • FIG. 2 shows an exemplary power supply monitoring system representing a portion of the power supply architecture of Fig. 1, in accordance with one or more of the principles of the invention disclosed herein.
  • Fig. 2 is a schematic representation that includes several voltage-generating sources and two voltage-monitoring microprocessors represented by microprocessor "A" and microprocessor "B."
  • a battery and switching regulator provide an initial voltage source to the system. This source is monitored by an external circuit that produces discrete overvoltage/undervoltage outputs depending on the state of the monitored voltage.
  • the outputs of this monitor are read by microprocessor A.
  • a power management IC (PMIC) sourced by the switching regulator generates additional independent voltage sources, each of which are monitored by OV/UV monitors and read by
  • Microprocessor A has the ability to generate additional independent voltage sources using power provided by both the switching regulator and PMIC. Voltages that are generated by microprocessor A are read by microprocessor B through OV/UV monitoring circuits.
  • If the PMIC fails to provide power to microprocessor A, one or more generated voltages from microprocessor A will also fail.
  • If the switching regulator fails to provide power to the PMIC and microprocessors, all generated voltages from the PMIC and microprocessors will fail as a result.
  • As used herein, the terms "bit," "byte," "nibble," and "word" are applied in the context of computer programming and operating systems and are applied as those terms are understood in the computing art.
  • In Fig. 3 there is shown a representative table which illustrates how a full group of binary nibble values (16 in total) are selected and then segregated into Set 1 and Set 2.
  • Set 1 is used for forming an upper byte of a word
  • Set 2 is used for forming a lower byte of the word, as will be described.
  • Set 1 is balanced, meaning each nibble includes an even number of 1's and/or 0's.
  • Set 2 is unbalanced, meaning each nibble comprises an odd number of 1's and/or 0's.
  • each set is chosen such that they have a hamming distance of at least 2, meaning that to move from one value to another within the set, at least 2 bits must change value. Also shown in Fig. 3 is the corresponding decimal value and hex value for each nibble.
  • In FIG. 4 there is shown in tabular form how the upper byte, selected from Set 1 values, and the lower byte, selected from Set 2 values, are combined to form either a control word or diagnostic word.
  • the upper significant nibble of the upper byte is used to identify the particular voltage being monitored.
  • the lower significant nibble of the upper byte is used to identify whether the particular word is a "control" word or "diagnostic” word, as will be discussed.
  • the lower byte is used to identify the status of the particular voltage being monitored, as will be discussed.
  • In FIG. 5 there is illustrated a simplified table showing examples of lower byte values of Fig. 4 that are selected to identify four monitored voltage states: (1) "no" over voltage, "no" under voltage; (2) "no" over voltage, "yes" under voltage; (3) "yes" over voltage, "no" under voltage; and (4) "yes" over voltage, "yes" under voltage.
  • the lower byte, which represents the control status value, is assigned a distinct hex value, such as 74, B2, D1 and E8, corresponding to statuses (1) through (4), respectively.
  • Fig. 6 is similar to Fig. 5, but adds columns showing how the upper significant nibble and lower significant nibble are selected to form the lower byte values.
  • both the upper significant nibble and the lower significant nibble of the lower byte are chosen from the unbalanced Set 2 of Fig. 3.
  • the upper significant nibble of the lower byte comprises, e.g., values 7, B, D and E, all having a hamming distance of 2.
  • the lower significant nibble of the lower byte comprises, e.g., values 4, 2, 1 and 8, all also having a hamming distance of 2.
  • the four distinct lower bytes have a hamming distance of 4.
  • the lower byte preferably comprises an upper significant nibble and a lower significant nibble which are not complements of one another.
  • Fig. 7 is similar to Fig. 6, but adds columns showing how the control value is stored, depending on whether or not the control status value matches a defined value.
  • the algorithm checks to see if the monitored value falls within the group of defined values, which in Fig. 7 are 74, B2, D1 and E8. If so, the respective value corresponding to the measured voltage status is stored. If not, the algorithm stores another selected value such as, e.g., F0, indicating that the control status value falls outside the group of four expected values.
  • Fig. 8 is similar to Fig. 7, but adds a diagnostic path table to the control path table of FIG. 7.
  • columns showing the upper byte of the control path word are added to the control path.
  • another table representing a diagnostic path is added.
  • the USNb of the upper byte value (e.g., 3) corresponds to the particular voltage Va being monitored.
  • Other monitored voltages would be identified by a different value, such as another one of the USNb values of the upper byte listed in Fig. 4.
  • the LSNb for the upper control byte value is shown as F - this identifies the word as associated with the control path.
  • the diagnostic path table follows the format of the control path table, but there are some important differences. Of particular importance is the lower byte, which has a value that is a "mirror" image of the control byte for the same corresponding voltage status. See, e.g., for a "no" over voltage, "no" under voltage status, the control status value is 74, while the diagnostic status value is 47.
  • the diagnostic "no match" value is set at 0F, which is also a mirror image to the control
  • the USNb is selected (from the table of Fig. 4) to be different from the control upper byte USNb (e.g., A).
  • the LSNb of the diagnostic upper byte is set at 0, which is the other value available from the respective column in Fig. 4.
  • Fig. 9 is similar to Fig. 7, but adds a second monitored voltage (Vb) table to the first monitored voltage (Va) table of Fig. 7.
  • Fig. 7 the only difference between the Va table and the Vb table is a difference in the USNb of the upper byte.
  • the USNb has a value of 3
  • the USNb has a value of A. Both of these values have been selected from Fig. 4.
  • the control and diagnostic upper bytes are unique for each supply voltage to be monitored. This prevents a modern compiler from optimizing the algorithm and combining identical tables, which may increase the impact of systematic design errors.
  • Figs. 10a and 10b are essentially a combination of Figs. 8 and 9.
  • the control and diagnostic tables for both monitored voltages Va and Vb are shown, with the values therein being similar to those in Figs. 8 and 9.
  • Fig. 11 describes the process by which a monitoring input is analyzed and stored. Independent control and diagnostic paths individually read and store the monitoring inputs using the tables described in Fig. 8. The stored results of these paths are eventually compared to distinguish a true hardware failure from a systematic failure.
  • the monitoring input is read by the control path. This input is assigned a word value in step 110 based on Fig. 8.
  • the algorithm confirms that the word matches a set of defined values. If it does not match, a "no match" value is stored for the control lower byte at step 122. Otherwise, the upper byte of the word is masked at step 124 and the lower byte is checked against a set of defined lower byte values at step 126. If it does not match defined byte values, a "no match" value is stored for the control lower byte, again at step 122. Otherwise, the matching byte value is stored for the control lower byte, step 128.
  • the diagnostic path performs a similar operation to the control path, as represented by steps 200-228.
  • the monitoring input is read by the control path at step
  • the diagnostic word is checked to match a defined set of valid diagnostic words at step 220. If it does not match, a "no match" value is stored for the diagnostic lower byte, step 222. As a result, a "no match” value is also stored for the control lower byte in step 250.
  • This additional step allows the diagnostic path to be functionally different from the control path, and thus reduces the risk of systematic error by preventing a modern compiler from combining the paths for optimization.
  • If the diagnostic word matches a defined value, its upper byte is masked (step 224), and the lower byte is compared against defined values (step 226).
  • a lower byte that does not match a defined value is stored as a "no match" value for the diagnostic and control lower bytes. Otherwise, the matching value is stored as the diagnostic lower byte (step 228).
  • When the control and diagnostic paths store defined lower byte values, these bytes are expected to be complementary nibble "mirrors", as introduced in Fig. 8. If they match as "mirrors" in step 300, the control lower byte is stored as a valid voltage status (step 310). If the nibbles do not match as "mirrors", then a software or systematic error has occurred in the algorithm, and a "no match" value is ultimately stored for the control lower byte (step 320).
  • Fig. 12 describes the process in which a processor uses the algorithm in Fig. 10 and compares multiple voltage monitors through independent diagnostic paths to determine the cause of a diagnostic failure and its location.
  • This flowchart describes one particular case of diagnosing a failure in Fig. 1, where an input voltage to microprocessor A is analyzed along with an output voltage from processor A.
  • In step 400, source voltages to microprocessor A are read by microprocessor A itself.
  • microprocessor B reads the generated voltage outputs from processor A.
  • both microprocessors perform the Control/Diagnostic algorithm described in Fig. 10.
  • microprocessor B analyzes diagnostic statuses across multiple voltages. Therefore, source voltage statuses stored in microprocessor A will be sent to microprocessor B in step 420. In this transmission, no checksum or cyclic redundancy check (CRC) is performed. This is due to the fact that the algorithm in Fig. 10 guards against data/memory corruption without needing to slow down a transmission by using checksum or CRC.
  • Step 520 involves microprocessor B analyzing voltage status bytes from the two independent paths in the circuit. If both status bytes are good, no failure is diagnosed (step 530). If the output voltage of microprocessor A is bad, and the source voltage of microprocessor A is good, then a failed output voltage is diagnosed (step 540). If the source voltage is bad and the output voltage fails as a result, then a source voltage failure is diagnosed (step 550). Lastly, if there is a source and output algorithm failure, then a non-hardware failure is diagnosed (step 560), which could be the cause of a systematic design error.
  • Figs. 13a and 13b are similar to Figs. 10a and 10b, but show the control and diagnostic tables for both Va and Vb in the event the associated microprocessor has Single bit Error Correction and Double bit Error Detection (SECDED). In this case, the entire lower byte need not be compared.
  • the control and diagnostic paths can be compared either with the lower byte USNb or LSNb. To mitigate for systematic errors with an SECDED microprocessor, it is preferable to compare the USNb for the processor's voltage supply and the LSNb for the complementary processor's voltage supply. As noted in Figs.
  • the Va control stored value (for a no-no voltage status) is the USNb for the lower byte (e.g., 7), while the Vb control stored value is the LSNb for the lower byte (e.g., 4).
  • the LSNb of the "mirrored" lower byte is used (e.g., 7).
  • the USNb of the "mirrored" lower byte is used (e.g., 4).
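
The Fig. 11 control/diagnostic flow for a single monitored voltage (Va), as an added C example that is not code from the patent. It uses the byte values quoted above (74, B2, D1, E8, no-match F0, their nibble mirrors, and upper bytes 3F and A0); the function names and table index order are assumptions, and the word check and lower-byte check of steps 120-126 are folded into one helper.

```c
#include <stdint.h>
#include <stdio.h>

/* Example values quoted on the page for monitored voltage Va. */
#define CTRL_UPPER   0x3Fu   /* USNb 3 = Va, LSNb F = control path */
#define DIAG_UPPER   0xA0u   /* USNb A, LSNb 0 = diagnostic path   */
#define CTRL_NOMATCH 0xF0u
#define DIAG_NOMATCH 0x0Fu

/* Assumed index order: (OV << 1) | UV -> no/no, no/yes, yes/no, yes/yes. */
static const uint8_t ctrl_status[4] = { 0x74, 0xB2, 0xD1, 0xE8 };
static const uint8_t diag_status[4] = { 0x47, 0x2B, 0x1D, 0x8E }; /* mirrors */

/* Number of differing bits between two bytes. */
static unsigned hamming8(uint8_t a, uint8_t b)
{
    unsigned n = 0;
    for (unsigned x = (unsigned)(a ^ b); x != 0; x &= x - 1)
        n++;
    return n;
}

/* Swap upper and lower nibble: 0x74 <-> 0x47. */
static uint8_t mirror(uint8_t b)
{
    return (uint8_t)(((b & 0x0Fu) << 4) | (b >> 4));
}

/* Smallest pairwise Hamming distance inside a 4-entry status table. */
static unsigned min_distance(const uint8_t t[4])
{
    unsigned best = 8;
    for (int i = 0; i < 4; i++)
        for (int j = i + 1; j < 4; j++)
            if (hamming8(t[i], t[j]) < best)
                best = hamming8(t[i], t[j]);
    return best;
}

/* Steps 110 / 210: assign the word for the monitor inputs (0 or 1 each). */
static uint16_t ctrl_word(int ov, int uv)
{
    return (uint16_t)((CTRL_UPPER << 8) | ctrl_status[((ov & 1) << 1) | (uv & 1)]);
}

static uint16_t diag_word(int ov, int uv)
{
    return (uint16_t)((DIAG_UPPER << 8) | diag_status[((ov & 1) << 1) | (uv & 1)]);
}

/* Steps 120-128 / 220-228: accept the word only if the upper byte is the
   expected identifier and the masked lower byte is a defined status value. */
static uint8_t check_word(uint16_t word, uint8_t upper,
                          const uint8_t table[4], uint8_t nomatch)
{
    if ((uint8_t)(word >> 8) != upper)
        return nomatch;
    uint8_t low = (uint8_t)(word & 0xFFu);      /* mask the upper byte */
    for (int i = 0; i < 4; i++)
        if (table[i] == low)
            return low;
    return nomatch;
}

/* Steps 250 and 300-320: the control byte is valid only if both paths
   stored defined values and the two bytes are nibble mirrors. */
static uint8_t resolve(uint16_t cword, uint16_t dword)
{
    uint8_t c = check_word(cword, CTRL_UPPER, ctrl_status, CTRL_NOMATCH);
    uint8_t d = check_word(dword, DIAG_UPPER, diag_status, DIAG_NOMATCH);
    if (c == CTRL_NOMATCH || d == DIAG_NOMATCH)
        return CTRL_NOMATCH;
    return (mirror(d) == c) ? c : CTRL_NOMATCH;
}

int main(void)
{
    printf("min distance, control table: %u\n", min_distance(ctrl_status));
    printf("no OV, no UV              -> %02X\n",
           resolve(ctrl_word(0, 0), diag_word(0, 0)));
    /* Constructed faults: one flipped bit in the stored control word,
       and two paths that each hold a valid but different status. */
    printf("bit flip in control word  -> %02X\n",
           resolve((uint16_t)(ctrl_word(0, 0) ^ 0x0001u), diag_word(0, 0)));
    printf("paths disagree            -> %02X\n",
           resolve(ctrl_word(0, 0), diag_word(0, 1)));
    return 0;
}
```

Because the four status bytes are 4 bits apart, a single flipped bit never lands on another defined value, so it resolves to the no-match byte rather than to a wrong status.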

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Test And Diagnosis Of Digital Computers (AREA)
PCT/US2014/048986 2013-07-30 2014-07-30 Power supply diagnostic strategy WO2015017590A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201480042821.XA CN105452985B (zh) 2013-07-30 2014-07-30 Power supply diagnostic strategy
DE112014003506.8T DE112014003506T5 (de) 2013-07-30 2014-07-30 Diagnostic strategy for power supply

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201361860032P 2013-07-30 2013-07-30
US61/860,032 2013-07-30

Publications (1)

Publication Number Publication Date
WO2015017590A1 true WO2015017590A1 (en) 2015-02-05

Family

ID=52432407

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2014/048986 WO2015017590A1 (en) 2013-07-30 2014-07-30 Power supply diagnostic strategy

Country Status (3)

Country Link
CN (1) CN105452985B (de)
DE (1) DE112014003506T5 (de)
WO (1) WO2015017590A1 (de)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070174698A1 (en) * 2005-12-22 2007-07-26 International Business Machines Corporation Methods and apparatuses for supplying power to processors in multiple processor systems
US20080244279A1 (en) * 2007-03-27 2008-10-02 Atmel Corporation Methods and Apparatus to Detect Voltage Class of a Circuit
US20090089604A1 (en) * 2007-09-28 2009-04-02 Malik Randhir S Apparatus, system, and method for event, time, and failure state recording mechanism in a power supply
US20090138740A1 (en) * 2007-11-22 2009-05-28 Inventec Corporation Method and computer device capable of dealing with power fail
EP2555004A1 (de) * 2011-08-04 2013-02-06 Electronic Systems Protection, Inc. Supply voltage monitor

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
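JP3898090B2 (ja) * 2002-05-29 2007-03-28 Rohm Co., Ltd. Power supply device having multiple power supply outputs
CN100523856C (zh) * 2006-10-18 2009-08-05 Inventec Corporation Simulation fixture for electronic components and power supply abnormality detection method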
US9037928B2 (en) * 2012-01-01 2015-05-19 Mosys, Inc. Memory device with background built-in self-testing and background built-in self-repair

Also Published As

Publication number Publication date
CN105452985B (zh) 2020-03-13
DE112014003506T5 (de) 2016-05-04
CN105452985A (zh) 2016-03-30

Similar Documents

Publication Publication Date Title
US9952948B2 (en) Fault-tolerance pattern and switching protocol for multiple hot and cold standby redundancies
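WO2018221136A1 (ja) Abnormality determination device, abnormality determination method, and abnormality determination program
JP4319547B2 (ja) Multi-core redundant control computer system, computer network for safety-critical applications in motor vehicles, and use thereof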
US9604585B2 (en) Failure management in a vehicle
EP2095234B1 (de) Memory system with ECC unit and further processing arrangement
US20070277023A1 (en) Method For Switching Over Between At Least Two Operating Modes Of A Processor Unit, As Well Corresponding Processor Unit
EP3249534B1 (de) Vehicle control device
US20040168101A1 (en) Redundant memory system and memory controller used therefor
US10585772B2 (en) Power supply diagnostic strategy
US10037016B2 (en) Hybrid dual-duplex fail-operational pattern and generalization to arbitrary number of failures
US20100306601A1 (en) Integrated microprocessor system for safety-critical control systems
KR20130119452A (ko) Microprocessor system having fault-tolerant architecture
WO2009153623A1 (en) Memory system with redundant data storage and error correction
US9672095B2 (en) Safety level specific error response scheme for mixed criticality systems
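JP2004518578A (ja) Method for driving components of a distributed safety-critical system
JP5089693B2 (ja) Control device and function control method
JP2004533686A (ja) Method for safety-critical control, microprocessor system, and use thereof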
US8522075B2 (en) Storage system having storage devices for storing data and control devices for controlling the storage devices
US20040199824A1 (en) Device for safety-critical applications and secure electronic architecture
WO2018116400A1 (ja) Control device and failure-time processing method for control device
US20190250578A1 (en) Method and device for computing data models in safety-critical systems
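CN105452985B (zh) Power supply diagnostic strategy
EP3955112A1 (de) Method and device for detecting memory errors
CN115348133A (zh) Backup control method, apparatus, device and medium for redundant backup system
JP2009505188A (ja) Microprocessor system for controlling or regulating at least partially safety-critical processes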

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 201480042821.X

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14831289

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 112014003506

Country of ref document: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14831289

Country of ref document: EP

Kind code of ref document: A1