1. Field of the Invention
The invention relates to a method and device for a switchover in a computer system having at least two processing units.
2. Description of Related Art
A method for detecting errors in a comparative mode is described in WO 01/46806. In this context, the data are processed in parallel in a processing unit having two ALUs and are compared. In that document, if there is an error (soft error, transient error), both ALUs work independently of each other until the erroneous data have been removed, and a renewed (partially repeated) redundant processing can be undertaken. This assumes that both ALUs work synchronously with each other, and that the results can be compared in a clock-accurate manner.
Methods are known in the related art as to how one may switch over between a comparative mode for error detection, in which tasks are executed redundantly, and a performance mode for achieving greater working capacity. The condition is that the processing units for the comparative mode are synchronized with respect to each other. For this, it is required that the two processing units are able to be stopped and that they work synchronously with clock accuracy, in order to be able to compare to one another the resulting data as they are written into the memory. This calls for interventions in the hardware, and individual design approaches are proposed.
In European Patent EP 0969373 A2, by contrast, a comparison of the results of redundantly working processing units is assured even when they work asynchronously with respect to each other, that is, not with clock accuracy, or having an unknown clock pulse offset.
Voting systems are known from the aircraft industry which are able to use inputs from standard computers, to process these safely by a voter-based decision, and thereby to trigger safety-relevant actions. One system which combines inter-processing unit and inter-control unit communications with each other is the FME system, which, because of a high degree of redundancy, remains operational even in the case of individual or even a plurality of errors, and which was developed by DASA for space flight (Urban et al.: A survivable avionics system for space applications, Int. Symposium on Fault-tolerant Computing, FTCS-28 (1998), pp. 372-381). This system can even tolerate Byzantine errors (that is, especially nasty errors in which not all components receive the same information, but a schemer even “deliberately” distributes different wrong information to various components). Because of its high cost, such a system is commercially applicable only for particularly critical systems which are manufactured in very small numbers. A cost-effective design approach is not known that can be produced in large numbers and additionally has switchover facilities.
Therefore there exists the object of creating a switchover and compare unit which permits switching over the operating mode of two or more processing units and which, in this context, is able to do without interventions in the structure of these processing units and also requires no additional signals for this purpose. In this context, it is supposed to be possible to compare to one another various digital or analog signals from various processing units in a comparative mode. Under certain circumstances, this comparison should even be possible if the processing units are operated using different clock pulse signals, and not synchronously with respect to one another.
Beyond that, it is the object of the present invention to make available means and methods which make it possible also to deal with asynchronicities.
Advantageously, a method is used for switching over in a computer system having at least two processing units, one switchover means and a comparative means, switching over taking place between at least two operating modes, and a first operating mode corresponding to a comparative mode, and a second operating mode corresponding to a performance mode; at least one first information and a second information being compared in the comparative mode, wherein the comparative means and the switchover means are provided structurally external to the processing units, at least one buffer memory being provided and at least one of the informations to be compared in the comparative mode being buffer-stored for a specifiable and/or ascertainable time in the buffer memory in such a way that the first and the second information are able to be directly compared to each other.
Advantageously, a method is used in which, from the specifiable and/or ascertainable time for which at least one of the informations is buffer-stored, an asynchronicity information, especially a time error is ascertainable.
One method is used advantageously, in which an occupancy of the memory in the buffer memory is ascertainable, which indicates how many informations are located in the buffer memory.
Advantageously, one method is used in which the time error is ascertained by time recording means, especially a counter element being provided, a time value being ascertained and this being compared to a specifiable maximum time value.
One may advantageously use a method in which an asynchronicity information is ascertained in that the occupancy ascertained is compared to a specifiable maximum occupancy.
One method is advantageously used in which, as a function of this occupancy, a synchronization information is output.
One method is advantageously used in which, as a function of the asynchronization information ascertained, a synchronization information is output.
Advantageously, a method is used in which the asynchronization information is evaluated in a monitoring means, particularly a watchdog.
Advantageously, a method is used in which the synchronization information is a delay signal, using which at least one processing unit is stopped at least from time to time.
Advantageously, a method is used in which a specification that the next output datum is to be compared takes place by a compare signal.
Advantageously, a method is used in which an identifier is assigned to an information which is to be compared, by which the comparison is triggered.
Advantageously, a device is used for a switchover in a computer system having at least two processing units, the device including compare means and switchover means which are designed in such a way that switching over takes place between at least two operating modes, and a first operating mode corresponds to a comparative mode and a second operating mode corresponds to a performance mode; at least one first information and a second information being compared in the comparative mode,
wherein the comparative means and the switchover means are provided structurally external to the processing units, at least one buffer memory being included which is designed in such a way that at least one of the informations to be compared in the comparative mode is buffer-stored for a specifiable and/or ascertainable time in the buffer memory in such a way that the first and the second information are able to be directly compared to each other.
Advantageously, a device is used in which a buffer memory region is provided for each processing unit.
Advantageously, a device is used in which the buffer memory is a FIFO memory.
Advantageously, a device is used in which a buffer memory is assigned to each processing unit.
Advantageously, a device is used in which a buffer memory, especially a FIFO memory, is assigned to each processing unit.
Advantageously, a device is used in which means, especially a counting element, are provided which are designed in such a way that these, from the specifiable and/or ascertainable time for which at least one of the informations is buffer-stored, ascertain an asynchronization information, especially a time error.
Advantageously, a device is used in which means are provided which are designed in such a way that they ascertain an occupancy of the memory for the buffer memory, which indicates the number or quantity of data located in the buffer memory.
Advantageously, a device is used in which the means are designed in such a way that these ascertain an asynchronization information by comparing the ascertained occupancy to a specifiable maximum occupancy.
Advantageously, a device is used in which synchronization means are provided which are designed in such a way that these generate a synchronization information as a function of the asynchronization information.
Advantageously, a device is used in which monitoring means are provided, which are designed in such a way that they process the asynchronization information.
Advantageously, a device is used in which the monitoring means are monitoring means that are external to the computer system, especially a watchdog.
Further advantages and preferred embodiments may be seen from the following specification.
a shows a generalized representation of a comparator.
c shows an upgraded representation of a comparator.
b shows a generalized representation of a switchover and comparative unit.
In the following text, an execution unit or a processing unit may designate both a processor/core/CPU, as well as an FPU (floating point unit), a DSP (digital signal processor), a co-processor or an ALU (arithmetic logical unit).
A system is examined of two or more processing units. Basically, in safety-relevant systems, there is the possibility of using such resources either for increasing the performance capability by providing the various processing units as much as possible with different tasks. Alternatively, some of the resources may also be used redundantly to one another, by providing them with the same task, and by detecting an error in the case of unequal results.
A plurality of modes is conceivable, depending on how many processing units there are. In a dual system, the two modes “compare” and “performance” exist as described above. In a triple system, besides the pure performance mode, in which all three processing units work in parallel, and the pure comparative mode, in which all three processing units calculate redundantly and a comparison is made, one may also implement a 2-out-of-3 voting mode, in which all three processing units calculate redundantly and a majority selection is undertaken. A mixed mode may also be implemented in which, for instance, two of the processing units calculate redundantly with respect to each other, and the results are compared, while the third processing unit is working on a different, parallel task. In a system of four or more processing units, still further combinations are clearly conceivable.
The object to be attained is that processing units made available are able to be inserted variably in a system in operation, without making necessary an intervention in the existing structure of these processing units (e.g. for synchronization purposes). In one special embodiment, each processing unit is to be able to operate at its own clock pulse, that is, the processing of the same tasks for comparison purposes may also be done asynchronously with respect to each other.
This object is attained in that a universal, broadly insertable IP is created, which makes possible a switchover of the operating modes (e.g. comparative mode, performance mode or voting mode) at any desired point in time without previous switching off of the processing units, and manages the comparison or the voting of the data streams that are possibly asynchronous to one another. This IP is able to be designed as a chip, or it may be integrated on a chip together with one or more processing units. Furthermore, it is not a condition that this chip is made up of only one piece of silicon, it is also entirely possible that it is implemented made up of separate components.
In order to ensure synchronicity between different processing units, signals are required which prevent a steadily continuing program processing of individual processing units. For this, a WAIT signal is usually provided. If an execution unit does not have a wait signal, it may also be synchronized via an interrupt. For this, the synchronization signal (e.g. M140 in
This procedure is continued until the synchronicity has been produced (e.g. other processing units deliver the expected comparative data). However, an exact clock pulse synchronicity, and especially an in-phase condition with other processing units, can only be guaranteed conditionally, using this method. It is therefore to be recommended that, when using the interrupt signal for synchronization, the data to be compared are buffer-stored in the UVE before they are compared.
The advantage of the present invention is that any commercially available standard structures may be inserted, because no additional signals are required (no intervention in the hardware structure) and any desired output signals of these components are able to be monitored, which, for instance, are used directly for controlling actuators. This includes the checking of converter structures, such as DAC's and PWM's, which up to now, according to the state of the art, are not so directly able to be checked by a comparison.
Provided the checking for individual tasks or SW tasks is not required, however, switching over into a performance mode is also possible, in which different tasks are distributed to various processing units.
An additional advantage is that, in a comparative mode or a voting mode, not all data have to be compared. Only the data to be compared or voted are synchronized to one another in the switchover unit and the comparative unit. The selection of these data is variable (programmable) because of the specific response of the switchover and compare unit, and is able to be adjusted to the respective processing unit architecture as well as to the application involved. This being the case, the use of diverse μC's or software parts is easily possible, since only results which can be meaningfully compared are also actually compared.
Furthermore, access to a (for instance, external) memory can be monitored thereby, or even only the control of external I/O modules. Internal signals are able to be checked via the software-controlled additional output to the switchover module on the external data bus and/or address bus.
All control signals for the comparative operations are generated in the preferably programmable switchover unit and voting unit, and the comparison also takes place there. The processing units (e.g. processors), whose outputs are to be compared to one another, are able to use the same program, a duplicated program (which additionally makes possible the detection of errors during memory access) or even a diversified program for the detection of software errors. In this context, not all the signals made available by the processing units have to be compared to one another, but it is also possible, by using an identifier (address signal or control signal) to provide certain signals for the comparison, or not to do that. This identifier is evaluated in the switchover and comparative device and the comparison is controlled thereby.
Separate timers monitor deviations in the time response beyond a specifiable limit. Some, or even all modules of the switchover and comparative unit are able to be accommodated integrated on a chip, on a common board, or even spatially separated. In the last case, the data and control signals are exchanged with each other via suitable bus systems. Registers are then locally written on via the bus system, and control the procedures by using the data stored therein and/or the address/control signals.
The switchover unit includes at least one control register B15, which has at least one memory element for a binary sign (bit) B16, which switches over the mode of the comparative unit. B16 is able to assume at least the two values 0 and 1, and may be set or reset by signals B20 or B21 of the processing units or by internal processes of the switchover unit.
If B16 is set to the first value, the switchover unit operates in the comparative mode. In this mode, all arriving data signals from B20 are compared to the data signals from B21, provided certain specifiable compare conditions of the control signals and/or address signals from signals B20 and B21 are satisfied, which signal the validity of the data and the provided comparison for these data.
If these compare conditions on both signals B20 and B21 are satisfied at the same time, the data from these signals are immediately compared, and, if they are unequal, an error signal B17 is set. If, however, the compare condition of only one of the signals B20 or B21 is satisfied, the corresponding synchronization signal B40 or B41 is set. In the corresponding processing unit B10 or B11, this signal has the effect of stopping the processing and thereby prevents the advance of the corresponding signals, which up to then were not able to be compared to one another. Signal B40 and/or B41 remains set until the corresponding compare condition of the respectively other processing unit B21 or B20 is satisfied. In this case the comparison is carried out, and the corresponding synchronization signal is reset.
When, as described, the two processing units do not make the data to be compared available simultaneously, then in order to ensure the comparison it is either necessary to hold the data and compare conditions of the respective processing unit at the corresponding value until the corresponding synchronization signal B40 or B41 is reset, or the data first made available have to be stored in the switchover unit until the comparison takes place.
Depending on which processing unit first makes data available, that one has to wait with further processing of its program or its processes until the other processing unit makes available the corresponding comparison data.
In one special embodiment of the switchover unit according to
If B16 is set to the second value, synchronization signals B20 and B21 as well as error signal B17 are always inactive, and are set to the value 0, for instance. Also, no comparison takes place, and the two processing units work independently of each other.
The comparator is an essential component of the system according to the present invention. It is shown in its simplest form in
A second class of specific embodiments may be distinguished to the effect of what degree of synchronicity the two inputs M510, M511 (or M610, M611) have to have. One possible variant is characterized by clock-pulse-wise synchronicity, that is, the comparison of the data is able to be carried out in one clock pulse. A slight change is created in that, in response to a fixed phase shift between the inputs, a synchronous delay element is used, which delays the corresponding signals, for example, by whole numbered or even half clock pulse periods. Such a phase shift is useful in avoiding common cause errors, that is, these are errors which can have a simultaneous effect on a plurality of processing units. Therefore, in
Furthermore, in the comparator specific embodiments are able to be distinguished according to how signal M520 (or M620) is generated. In one preferred specific embodiment, input signals M510, M511 (or M610, M611) are applied to the output and the connection is made interruptible by switches. The particular advantage of these variants is that, for switchover between performance mode and possibly various comparative modes the same switches may be used. Alternatively, the signals may also be generated from intermediate buffers internal to the comparator.
A last class of specific embodiments may be distinguished to the effect of how many inputs are present at the comparator and how the comparator is to react. In the case of three inputs, a majority voting, a comparison of all three or a comparison of only two signals may be undertaken. In the case of four or more inputs, correspondingly more variants are conceivable. These variants are preferably to be coupled with the various operating modes of the overall system.
In order to represent the general case, a generalized representation of a switchover unit and a comparative unit is shown in
With the aid of this figure, it can be shown how the various conceivable modes may be created. To this end, each figure includes the logical component of a switching circuit logic N110. The component does not have to exist as such, but what is decisive is that its function is present. Switching circuit logic N110 first of all specifies how many output signals there are at all. Furthermore, it specifies which one of the input signals contribute to which one of the output signals. In this context, one input signal may contribute to exactly one output signal. Formulated differently in mathematical form, the switching circuit logic thus defines a function that assigns to each element of the set (N140, . . . , N14n) an element of the set (N160, . . . , N16n).
The function of processing logic N120 then specifies for each output N16i in which form the inputs contribute to this output signal. This component, too, must not be present as a separate component. Decisive is once again that the described functions are implemented in the system. In order to describe the different variation possibilities by way of example, it should be assumed without limiting the generality, that output N160 is generated by signals N141, . . . , N14m. If m=1, this simply corresponds to switching of the signal, if m=2, signals N141, N142 are compared. This comparison may be implemented in a synchronous or asynchronous manner; it may be carried out bit-by-bit, or only to significant bits or even having a tolerance band.
If m ≥ 3, there are several possibilities.
A first possibility is to compare all signals, and if at least two different values are present, to detect a fault, which may be optionally signaled.
A second possibility is to make a k-out-of-m selection (k>m/2). This may be implemented by the use of comparators. As an option, a fault signal may be generated when one of the signals is detected to be deviating. A fault signal that possibly differs therefrom may be generated when all three signals are different.
A third possibility is to provide these values to an algorithm. This may represent, for instance, the forming of an average value, a median value, or the use of a fault-tolerant algorithm (FTA). Such an FTA deletes the extreme values among the input values and forms a type of average over the remaining values. This averaging may be undertaken over the entire set of remaining values or preferably over a partial set which is easy to form in HW. In this case it is not always necessary actually to compare the values. For the mean value generation, for instance, only addition and division are required; FTM, FTA or median require partial sorting. If appropriate, here too a fault signal may optionally be output if the extreme values are sufficiently large.
These different listed possibilities of processing a plurality of signals to one signal are denoted as compare operations, for the sake of briefness.
Thus, it is the task of the processing logic to establish the exact shape of the comparative operation for each output signal, and thus also for the appertaining input signals. The combination of the information of switching logic N110 (that is, the function named above) and the processing logic (that is, the establishment of the comparative operation per output signal, that is per functional value) is the mode information, and this determines the mode. In the general case, this information is naturally multivalued, that is, not able to be represented by one logical bit. Not all conceivable theoretical modes are meaningful in any given implementation, and preferably the number of allowable modes will be restricted. It should be emphasized that, in the case of only two execution units, where there is only one comparative mode, the whole information is able to be condensed to only one logical bit.
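The compare operations of processing logic N120 (compare all, k-out-of-m selection, FTA, median) and the combination with the switching logic N110 into a mode, as an added illustration that is not code from the patent; the operation names, the `apply_mode` function and the sample modes are assumptions of this example.

```python
from statistics import median
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Each compare operation maps the m input values that contribute to one output
# N16i to (output value, fault signal). Hypothetical model of processing logic N120.
Result = Tuple[Optional[float], bool]


def compare_all(values: Sequence[float]) -> Result:
    """First possibility: every signal must agree; two different values are a fault.
    Covers m == 2 (plain comparison) as well as m >= 3."""
    if len(set(values)) == 1:
        return values[0], False
    return None, True


def k_out_of_m(values: Sequence[float], k: Optional[int] = None) -> Result:
    """Second possibility: k-out-of-m selection with k > m/2. The selected value is
    output; a fault is signaled when any signal deviates from it, and no value can
    be selected at all when fewer than k signals agree."""
    m = len(values)
    if k is None:
        k = m // 2 + 1                      # smallest k satisfying k > m/2
    if not k > m / 2:
        raise ValueError("k must exceed m/2 for a majority selection")
    counts: Dict[float, int] = {}
    for v in values:
        counts[v] = counts.get(v, 0) + 1
    winner, n = max(counts.items(), key=lambda kv: kv[1])
    if n >= k:
        return winner, n < m
    return None, True                       # no majority: all signals deviate


def fault_tolerant_average(values: Sequence[float], drop: int = 1,
                           tolerance: Optional[float] = None) -> Result:
    """Third possibility (FTA): partially sort, delete `drop` extreme values at each
    end and average the rest. Optionally signal a fault when a deleted extreme lies
    further than `tolerance` from the result."""
    s = sorted(values)
    if len(s) <= 2 * drop:
        raise ValueError("too few values to delete extremes")
    core = s[drop:len(s) - drop]
    result = sum(core) / len(core)
    fault = tolerance is not None and (result - s[0] > tolerance or s[-1] - result > tolerance)
    return result, fault


def median_value(values: Sequence[float]) -> Result:
    """Third possibility, median variant: needs partial sorting, no equality comparison."""
    return median(values), False


OPERATIONS: Dict[str, Callable[[Sequence[float]], Result]] = {
    "switch": lambda v: (v[0], False),     # m == 1: the signal is simply switched through
    "compare": compare_all,
    "vote": k_out_of_m,
    "fta": fault_tolerant_average,
    "median": median_value,
}


def apply_mode(inputs: Dict[str, float],
               mode: Dict[str, Tuple[List[str], str]]) -> Dict[str, Result]:
    """Mode information = switching logic N110 (which inputs N14i feed which output
    N16i) plus processing logic N120 (the compare operation per output). Each input
    may contribute to exactly one output, which is checked here."""
    used: List[str] = []
    outputs: Dict[str, Result] = {}
    for out, (ins, op) in mode.items():
        for name in ins:
            if name in used:
                raise ValueError(f"{name} contributes to more than one output")
            used.append(name)
        outputs[out] = OPERATIONS[op]([inputs[name] for name in ins])
    return outputs


# Constructed sample modes for four execution units: pure performance mode, and a
# mixed mode in which N140/N141 are compared onto N160 while N142/N143 keep their
# own outputs.
PERFORMANCE_MODE = {f"N16{i}": ([f"N14{i}"], "switch") for i in range(4)}
MIXED_MODE = {"N160": (["N140", "N141"], "compare"),
              "N162": (["N142"], "switch"), "N163": (["N143"], "switch")}
```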
A switchover from a performance mode to a comparative mode is, in general, characterized in that execution units which are copied towards various outputs in the performance mode are copied in the comparative mode towards the same output. Preferably, this is implemented by there being a subsystem of execution units in which, in the performance mode, all input signals N14i which are to be taken into account in the subsystem are switched directly to the corresponding output signals N16i, whereas, in the comparative mode, all are copied towards one output. Alternatively, such a switchover may also be implemented by changing pairings. This shows that, in the general case, one is not able to speak of the performance mode and the compare mode, although, in any given form of the present invention, the set of permitted modes can be limited to such an extent that this is the case. However, one may always speak of a switchover from the performance mode into the compare mode (and vice versa).
Controlled by software, one may switch over between these modes dynamically during operation. In this context, the switchover is triggered, for example, via the execution of special switchover instructions, special instruction sequences, explicitly identified instructions or by the access to certain addresses by at least one of the execution units of the multiprocessor system.
Output signals M180, M181, that are not guided into the UVE, and internal signals of a processing unit may also be compared at least with respect to their calculated value, by outputting this value at outputs M120, M121 for the purpose of comparison. The corresponding may also be carried out with input signals M190, M191, which do not come via M100.
In order to monitor unit M100, it may be possible for selected or even all signals M160, M161 to read them back via M170, M171 or even M190, M191. Thereby one may ensure even in the comparative mode that erroneous signals are detected from unit M100. Because of a suitable switch-off path, to which (in an OR link) M100, M110, M111 have access, a fail-silent behavior of the entire system may be produced.
In
Optionally, there may be additional control registers, such as M240, which includes the maximum allowable time difference (in numbers of clock pulses) between the processing units for controlling an internal or external watchdog, as well as M241 having the time difference value (number of clock periods), beginning at which the fastest processor is to be intermittently stopped or delayed using WAIT signals or interrupt signals, in order, for example, to prevent an overflow of data registers.
In status register M220, besides the error bit, there is also stored, for instance, how great the clock pulse offset between the processing units is, instantaneously. To do this, for instance, at least one timer M230 is always started by one processing unit if one especially identified data word (e.g. determined via address signal and control signal) is first made available, and the value of the timer is always copied into the status register when the corresponding data value of the second processing unit is made available. Beyond that, the timer is preferably set in such a way that even at different program sequences corresponding to the WCET (worst case execution time) it is guaranteed that all processing units have to supply one data point. If the specified value of the timer is exceeded, an error signal is emitted.
Outputs M120, M121 of the processing units are to be stored in a buffer memory M250, M251 in M100, especially for the compare mode, if digital data are involved and they are not able to be made available with clock accuracy. Preferably, this memory is embodied as FIFO. If this memory only has a depth of 1 (register), one should take care, for instance, by wait signals, that the output of additional values is delayed until the comparison has taken place, in order to avoid a data loss.
In addition, there is a compare unit M210, which compares the digital data from input memories M250, M251, the direct inputs M120, M121 or M170, M171 with one another. This compare unit is also able to compare serial digital data (e.g. PWM signals) with one another, if, for instance, the serial data can be received in memory unit M250, M251 and converted to parallel data, which are then compared in M210. In the same way, asynchronous digital input signals M170, M171 are able to be synchronized via additional memory units M270, M271. As for input signals M120, M121, these are preferably intermediately buffered in a FIFO. The switchover between performance mode and compare mode takes place by setting or resetting the mode bits in the control register, whereby, for instance, corresponding interrupts are caused in the two processing units. The comparison itself is caused by data M120, M121 that are made available, as well as the appertaining addresses and control signals M130, M131. In this context, certain signals from M120 and M130 or M121 and M131 are able to function as an identifier which indicates whether a comparison of the assigned data is to take place.
This is a further specific embodiment compared to the simple switchover in
In this compare unit, analog data are also able to be compared to one another in an analog compare unit M211 that is specially suitable for this. But this presupposes that the output of the analog signals takes place sufficiently synchronously with one another, or that, in the analog compare unit, storage is provided of the digitized data by an ADC implemented there (for this, see further comments belonging with FIGS. 12 to 14). The synchronicity is able to be achieved by comparing to one another the digital outputs of the processing units (data, address signals and control signals) as described above, and by letting the processing unit that is too fast wait. For this purpose, one may also pass the digital signals, which are processed as the source of the analog signals in the processing unit, via outputs M120, M121 to unit M100, although these signals are otherwise not needed externally. This redundant comparison in addition to the comparison of the analog signals ensures that an error in the computation is able to be detected earlier, and besides that, it simplifies the synchronization of the processing units. The comparison of the analog signals effects an additional error detection for the DAC (digital to analog converter) of the processing unit. In other structures of the DCSL architectures such a possibility does not exist. A comparison is also possible for analog input signals from the peripheral units. In particular, where redundant sensor signals of the same system parameter are involved, no additional synchronization measures are then required, but rather only possibly a control signal that indicates the validity of the sensor signals. The implementation of a comparison of analog signals will be shown in detail.
Various specific embodiments in the control register are conceivable. It can be described via suitable bit combinations whether an error tolerance pattern should be used. Depending on the effort one puts into unit M300, one can additionally specify which type of error tolerance pattern (2 out of 3, median, 2 out of 4, 3 out of 4, FTA, FTM . . . ) one would like to use. Moreover, it can be configurably set up which output to switch through. Specific embodiments may also be formed according to which components could have an influence on this configuration and for which piece of data.
The output signals of the participating processing units are then compared to one another in the switchover unit. Since the signals are not necessarily processed at clock accuracy, buffer storage of the data is required. In this context, data can also be compared in the switchover unit which are passed to the switchover unit at a greater time difference by the various processing units. By the use of a buffer storage (e.g. developed as a FIFO memory, first in-first out, or even in a different buffer form), first of all, a plurality of data may also be received by one processing unit, while other processing units are not making any data available yet. In this context, one measure of the synchronicity of the two processing units is the occupancy of the FIFO memory. If a certain specifiable occupancy is exceeded, the processing unit that is most advanced in the processing is intermittently stopped either by a WAIT signal that is present or by suitable interrupt routines, in order to wait for the processing units that are making slower progress in the processing. The monitoring, in this context, should be extended to all externally available signals of a processing unit; this also includes analog signals or PWM signals. In the switchover unit, structures should be provided for this which permit making a comparison of such signals. It is provided additionally that a maximum time deviation between the data to be compared is specified and monitored using at least one timer.
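The buffered comparison described above, as an added clock-by-clock model that is not code from the patent: one FIFO per processing unit, a comparison triggered by an address identifier, a WAIT signal (B40/B41) raised at a specifiable occupancy (M241), a timer checked against a maximum time difference (M240) that sets the error signal (B17), and the mode bit (B16). The identifier address set, the register semantics as modelled and the sample traces are assumptions of this example.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple

# Constructed identifier rule (not from the patent): only output words whose
# address signal lies in this set are marked for comparison in the UVE.
COMPARE_ADDRESSES = {0x100, 0x104}


@dataclass
class SwitchoverCompareUnit:
    """Hypothetical model of the switchover and compare unit (UVE) for two
    processing units; register names follow the description (M240, M241, B16, B17)."""
    max_clock_offset: int            # M240: largest tolerated time difference in clocks
    wait_occupancy: int              # M241: FIFO occupancy at which the fastest unit is stopped
    compare_mode: bool = True        # B16 at its first value -> comparative mode
    fifo: Tuple[Deque, Deque] = field(default_factory=lambda: (deque(), deque()))
    wait: List[bool] = field(default_factory=lambda: [False, False])   # B40 / B41
    error: bool = False              # B17
    clock_offset: int = 0            # copied into status register M220 on each comparison
    wait_history: List[Tuple[bool, bool]] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def set_mode(self, compare: bool) -> None:
        """Switch over between comparative mode and performance mode (mode bit B16).
        Leaving comparative mode drops pending data and releases the WAIT signals."""
        self.compare_mode = compare
        if not compare:
            for q in self.fifo:
                q.clear()
            self.wait = [False, False]

    def accept(self, clock: int, unit: int, addr: int, data: int) -> None:
        """A processing unit makes (addr, data) available on M120/M130 or M121/M131."""
        if not self.compare_mode or addr not in COMPARE_ADDRESSES:
            return                               # performance mode or not an identified datum
        self.fifo[unit].append((clock, addr, data))

    def tick(self, clock: int) -> None:
        """Per-clock evaluation: compare FIFO heads, then monitor timer and occupancy."""
        while self.fifo[0] and self.fifo[1]:
            c0, a0, d0 = self.fifo[0].popleft()
            c1, a1, d1 = self.fifo[1].popleft()
            self.clock_offset = abs(c0 - c1)     # instantaneous offset of the two units
            if (a0, d0) != (a1, d1):
                self.error = True
                self.log.append(f"clock {clock}: mismatch {a0:#x}:{d0} vs {a1:#x}:{d1}")
        for u in (0, 1):
            if not self.fifo[u]:
                self.wait[u] = False             # B40/B41 reset once the comparison took place
                continue
            # timer M230: runs from the clock at which the oldest unmatched datum arrived
            if clock - self.fifo[u][0][0] > self.max_clock_offset:
                self.error = True
                self.log.append(f"clock {clock}: unit {1 - u} exceeded max time difference")
            # occupancy: stop the unit that is ahead so its FIFO cannot overflow
            self.wait[u] = len(self.fifo[u]) >= self.wait_occupancy
        self.wait_history.append(tuple(self.wait))


def run(trace: Dict[int, List[Tuple[int, int, int]]], clocks: int,
        max_clock_offset: int = 10, wait_occupancy: int = 2) -> SwitchoverCompareUnit:
    """Drive the unit for `clocks` clock pulses. `trace` maps a clock to the
    (unit, addr, data) outputs made available in that clock."""
    uve = SwitchoverCompareUnit(max_clock_offset, wait_occupancy)
    for clock in range(clocks):
        for unit, addr, data in trace.get(clock, []):
            uve.accept(clock, unit, addr, data)
        uve.tick(clock)
    return uve


# Constructed sample traces (clock -> outputs). Unit 1 lags by 3 clocks in the first,
# delivers a wrong word in the second, and falls silent in the third; address 0x200
# carries no identifier and is never compared.
TRACE_LAG = {1: [(0, 0x100, 42)], 2: [(0, 0x104, 7)],
             4: [(1, 0x100, 42)], 5: [(1, 0x104, 7)], 6: [(0, 0x200, 99)]}
TRACE_MISMATCH = {1: [(0, 0x100, 42), (1, 0x100, 41)]}
TRACE_SILENT = {1: [(0, 0x100, 42)]}
```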
In the general case, if more than two processing units are connected to one another by a common switchover unit, one control register is required for each of these processing units. A special execution of these control registers is explained in
The (n+1) lower bits B500x to B50nx of the respective control register Cx are unequivocally assigned to the n+1 processors/processing units. Bit B514x of control register Cx switches over between compare/voting on the one hand and parallel work on the other hand, and corresponds to the value of B16 from
Bit B513x indicates whether the respective processing unit is ready for comparison (ready), bit B512x controls the synchronization signal (WAIT or INTERRUPT), and bit B511x may be used to prepare the respective processing unit x for the comparison by an interrupt. Correspondingly, bit B510x controls an interrupt which switches the processing unit back into parallel mode.
If B50ik and B50kk of control register Ck are set to one, (0≦i, k≦n), this means in this specific embodiment that the outputs of processing unit i are to be compared to those of processing unit k. If, in addition, B50jk is also equal to 1, then voting has to take place between i, j and k, and the voting result is output at output k of UVE (0≦i, j, k≦n). For this purpose, for each group of processing units a special type of voting may be determined, or even only a plural comparison, as was enumerated before in the explanation for Figure M4. In general, all bits B50ik have to be set for processing units i that are to be compared/voted (in control register Ck), if the voting result is to be output at output k of UVE. It is possible to have a parallel output at other outputs.
A one in B50ii of control register i (0≦i≦n) indicates that output i of the compare unit is to be active. If all control registers Ci carry a one (i=0, 1, . . . n) only in the corresponding memory locations B50ii, then all processing units are working in performance mode using any different programs desired and their own output signals. If all n+1 lower bits B50ik are equal to one (i=0, 1, . . . n), and if, besides, B514k is set, then the output signals of all processing units are selected by voting, and output to output k of UVE; at n=1 only a comparison takes place.
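As an added illustration of the register layout just described (example code written for this edit, not part of the patent), the following C model decodes a control register Ck into the set of participating processing units and the behaviour of output k of the UVE. The n+1 = 4 units, the bit positions (B50ik in bit i, B514k in bit 14) and the treatment of a set B514k together with a cleared own bit B50kk as a comparison without output are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the control registers Cx (constructed example, n + 1 = 4 units).
 * Bit positions are assumed: B50ix in bit i selects processing unit i,
 * B514x in bit 14 selects compare/voting instead of parallel work. */
#define N_UNITS 4
#define BIT_UNIT(i) (1u << (i))   /* B50ix */
#define BIT_B514    (1u << 14)    /* compare/voting on */

enum out_mode {
    OUT_OFF,        /* B50kk = 0, B514k = 0: output k inactive */
    OUT_OWN,        /* performance mode: unit k's own signals pass through */
    OUT_COMPARE,    /* two units, plain comparison, result at output k */
    OUT_VOTE,       /* three or more units, voting result at output k */
    OUT_CHECK_ONLY, /* compare/vote without output, error signal only (assumption) */
    OUT_INVALID     /* B514k set but fewer than two units selected */
};

/* Decode register c[k]: which units take part and what output k does.
 * members[] receives the indices i with B50ik = 1, *count their number. */
enum out_mode decode_output(const uint16_t c[N_UNITS], int k,
                            int members[N_UNITS], int *count)
{
    uint16_t reg = c[k];
    int own = (reg & BIT_UNIT(k)) != 0;

    *count = 0;
    for (int i = 0; i < N_UNITS; i++)
        if (reg & BIT_UNIT(i))
            members[(*count)++] = i;

    if (!(reg & BIT_B514))            /* parallel work */
        return own ? OUT_OWN : OUT_OFF;
    if (*count < 2)                   /* nothing to compare against */
        return OUT_INVALID;
    if (!own)                         /* no output at k: error signal only */
        return OUT_CHECK_ONLY;
    return *count == 2 ? OUT_COMPARE : OUT_VOTE;
}

/* True when every register carries a one only in B50ii, i.e. all units run
 * independent programs with their own outputs (performance mode). */
int all_performance_mode(const uint16_t c[N_UNITS])
{
    for (int i = 0; i < N_UNITS; i++)
        if (c[i] != BIT_UNIT(i))
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed configuration: units 0, 1, 2 voted onto output 2,
     * unit 3 running on its own. */
    uint16_t c[N_UNITS] = {
        BIT_UNIT(0),
        BIT_UNIT(1),
        BIT_UNIT(0) | BIT_UNIT(1) | BIT_UNIT(2) | BIT_B514,
        BIT_UNIT(3),
    };
    int members[N_UNITS], count;
    for (int k = 0; k < N_UNITS; k++) {
        enum out_mode m = decode_output(c, k, members, &count);
        printf("output %d: mode %d, %d unit(s) selected\n", k, m, count);
    }
    printf("all in performance mode: %d\n", all_performance_mode(c));
    return 0;
}
```

With n = 1 (two units) the same decoder yields OUT_COMPARE, matching the statement that at n = 1 only a comparison takes place.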
In the following discussion it is described, for example, how a sequence can look during transition to a compare/voting in a system having several processing units.
Bit B514i in control register Ci is set in order to activate the comparison or the voting. This bit may be set both by the processing unit itself and by the switchover and compare unit as a function of certain system states, time conditions or other conditions (such as accesses to certain memory regions, errors or implausibilities). If bits B50ii and B50ki are set together with B514i, then bits B511i and B511k are automatically set by UVE, and interrupts are thereby triggered in processing units i and k. These interrupts have the effect that the processing units jump to a certain program location, carry out certain initialization steps for the transition to the compare mode, and then output a response (ready) to the switchover and compare unit. The ready signal has the effect of automatically resetting interrupt bit B511i in the respective control register Ci of the processing unit, and at the same time setting wait bit B512i. When all wait bits of the participating processing units have been set, they are simultaneously reset by the switchover and compare unit. The processing units then begin with the processing of the program parts that are to be monitored. In one advantageous specific embodiment, writing into a control register Ci whose bit B514i is set is prevented by locking (HW or SW). This has the useful effect that the configuration of the comparison cannot be changed during processing. A change in control register Ci can only be made after resetting bit B514i. This resetting effects interrupts in the respective processing units by setting bits B510x in the control registers of all participating processing units for the transition to normal mode (parallel method of operation).
The consistency of all control registers with one another is monitored in accord with user specifications, and in case of an error, an error signal is generated which is a component of the status data. Thus, for example, it should not occur that a processing unit is used at the same time for several independent comparing or voting processes, because synchronization is then not guaranteed. However, what is conceivable is a compare even of several processing units without an output of the data signals, but only for the purpose of generating an error signal in response to inequality.
In another specific embodiment, the data input in several or all control registers of the processing units, participating in a comparison or a voting, is to be undertaken in the same way, that is, the corresponding bits of these processing units are to be set there in the same way, optionally with the exception of their own bit i, which controls the output.
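The transition sequence described above and the consistency requirements of the preceding two paragraphs, as one added C model (written for this edit, not the patent's own logic): activating B514i raises B511 in every participating register, each ready response swaps B511 for the wait bit B512, all wait bits are released together, writes to a locked register are refused, and two active selections that overlap but differ are reported as inconsistent. The bit positions, the error-bit position (bit 15) and the three-unit configuration are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>

#define N_UNITS 3                 /* constructed: three processing units */
#define BIT_UNIT(i) (1u << (i))   /* B50ix: unit i takes part */
#define BIT_B510    (1u << 10)    /* interrupt: back to parallel mode */
#define BIT_B511    (1u << 11)    /* interrupt: prepare for comparison */
#define BIT_B512    (1u << 12)    /* wait (synchronisation) */
#define BIT_B513    (1u << 13)    /* ready */
#define BIT_B514    (1u << 14)    /* compare/voting active (locks the register) */
#define BIT_ERR     (1u << 15)    /* error bit; position is an assumption */

typedef struct { uint16_t c[N_UNITS]; } uve_t;

/* A unit (or software) writes register Cx. Refused while B514x is set. */
int uve_write(uve_t *u, int x, uint16_t value)
{
    if (u->c[x] & BIT_B514) return 0;
    u->c[x] = value;
    return 1;
}

/* Activate compare/voting for output i: set B514i and raise B511 in every
 * participating unit's register. Returns the number of interrupts raised. */
int uve_activate(uve_t *u, int i)
{
    int raised = 0;
    u->c[i] |= BIT_B514;
    for (int k = 0; k < N_UNITS; k++)
        if (u->c[i] & BIT_UNIT(k)) { u->c[k] |= BIT_B511; raised++; }
    return raised;
}

/* Unit k answers "ready" for group i: its interrupt bit is reset and its wait
 * bit set. Once every participant waits, all wait bits are reset together and
 * the monitored program parts may start (returns 1). */
int uve_ready(uve_t *u, int i, int k)
{
    u->c[k] &= ~BIT_B511;
    u->c[k] |= BIT_B513 | BIT_B512;
    for (int j = 0; j < N_UNITS; j++)
        if ((u->c[i] & BIT_UNIT(j)) && !(u->c[j] & BIT_B512))
            return 0;
    for (int j = 0; j < N_UNITS; j++)
        if (u->c[i] & BIT_UNIT(j)) u->c[j] &= ~BIT_B512;
    return 1;
}

/* Reset B514i: every participant gets B510 and returns to parallel mode. */
void uve_deactivate(uve_t *u, int i)
{
    u->c[i] &= ~BIT_B514;
    for (int k = 0; k < N_UNITS; k++)
        if (u->c[i] & BIT_UNIT(k)) { u->c[k] |= BIT_B510; u->c[k] &= ~BIT_B513; }
}

/* Consistency check: a unit may not belong to two independent active groups.
 * Participants must carry the same selection bits, their own output bit
 * excepted, so each selection is normalised with the register's own bit
 * before comparing. The offending register gets the error bit. */
int uve_consistent(uve_t *u)
{
    uint16_t mask = (1u << N_UNITS) - 1;
    int ok = 1;
    for (int i = 0; i < N_UNITS; i++) {
        if (!(u->c[i] & BIT_B514)) continue;
        uint16_t sel_i = (u->c[i] | BIT_UNIT(i)) & mask;
        for (int j = i + 1; j < N_UNITS; j++) {
            if (!(u->c[j] & BIT_B514)) continue;
            uint16_t sel_j = (u->c[j] | BIT_UNIT(j)) & mask;
            if ((sel_i & sel_j) && sel_i != sel_j) { u->c[j] |= BIT_ERR; ok = 0; }
        }
    }
    return ok;
}

int main(void)
{
    uve_t u = {{0}};
    uve_write(&u, 0, BIT_UNIT(0) | BIT_UNIT(1));   /* units 0 and 1 compared at output 0 */
    uve_write(&u, 1, BIT_UNIT(0) | BIT_UNIT(1));
    uve_write(&u, 2, BIT_UNIT(2));                 /* unit 2 runs on its own */
    printf("interrupts raised: %d\n", uve_activate(&u, 0));
    printf("write while locked accepted: %d\n", uve_write(&u, 0, BIT_UNIT(0)));
    printf("unit 0 ready -> start: %d\n", uve_ready(&u, 0, 0));
    printf("unit 1 ready -> start: %d\n", uve_ready(&u, 0, 1));
    printf("consistent: %d\n", uve_consistent(&u));
    return 0;
}
```

The lock is modelled in software here; the text allows either a hardware or a software lock, and the observable behaviour is the same: a configuration change is only accepted after B514i has been reset.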
If an error occurs during the comparison, the error bit is set in the respective control register. During voting, the piece of data of the respective processing unit is ignored; during a simple comparison, the output is blocked.
All the data that are not available at the right time, before expiration of the programmed time, are treated as errors. Resetting of the error bits takes place as a function of the system, and optionally makes possible a reintegration of the respective processing unit.
In case the processing units and/or the voter are not situated in a spatially concentrated manner, decentralized voting is also possible, in connection with a suitable bus system according to
The resetting of the compare bits and voting bits in a control register having active output bits has the effect of an interrupt in the participating processing units, which are then led back again into a parallel method of operation. In this context, each processing unit is able to have a different vector address which is controlled separately. The program processing can then also take place from the same program memory. However, the accesses are separate and, as a rule, to different addresses. If the security-relevant part is small in comparison to the parallel-mode part, one should consider whether a dedicated program memory having a duplicated security part would perhaps require less expenditure.
The data memory is also able to be used in common, in performance mode. The accesses then take place one after another, for instance, using the AHB/APB bus.
As a special matter we should still mention that the error bits have to be evaluated by the system. In order to assure the switching off in case of an error, the security-relevant signal should be implemented redundantly in a suitable form (for instance, in a one-of-two code).
In the UVE's up to now, according to
For this, in addition, a handshake interface is required (
In one special specific embodiment, storage elements M800 are designed as FIFO memories (first in, first out).
The circuits for comparing analog signals from
In this context, B100 is an operational amplifier to whose negative input B101 a signal B141 is connected, which is connected via a resistor B110 having the value Rin to input signal B111, at which voltage value V1 is present. Positive input B102 is connected to signal B142 which, via resistor B120 having the value Rin, is connected to input B121, at which the voltage value V2 is present. Output B103 of this operational amplifier is connected to output signal B190, which has a voltage value Vout. Signal B190 is connected via resistor B140 having the value Rf to signal B141, and signal B142 is connected via resistor B130 having the value Rf to signal B131, which bears the voltage value of the analog reference point Vagnd. The output voltage can be calculated using the above voltage and resistance values according to the following formula:
Vout = (Rf/Rin)·(V2−V1) (1)
If the differential amplifier is operated only with a positive operating voltage, as is usual in the case of a CMOS, a voltage between the operating voltage and digital ground is selected as analog ground Vagnd, usually the average potential. If the two analog input voltages V1 and V2 are only slightly different, output voltage Vout will have only a slight difference Vdiff from the analog ground (positive or negative).
With the aid of two comparators it is now tested whether the output voltage lies above Vagnd+Vdiff (
In
This is achieved by dimensioning resistors B150, B160, B170 and B180 with their values R1, R2, R3 and R4 with relation to fixed reference voltage Vref, which is present at signals B211 and B311, as follows:
Vref = (Vagnd+Vdiff)·R2/(R1+R2) (2)
Vref = (Vagnd−Vdiff)·R4/(R3+R4) (3)
Vdiff = ((V2max−V1min)·Rf/Rin) − Vagnd (4)
In this context, V2max is designated as the maximum tolerated voltage value of V2 at signal B121, and V1min is designated as the minimum tolerated voltage value of V1 at signal B111. The reference voltage source may be made available externally, or implemented by an internally implemented bandgap (temperature-compensated and operating voltage-independent reference voltage). In equation (4), the maximum tolerated difference Vdiff is determined from the maximum positive deviation V2max and the appertaining maximum negative deviation V1min, that is, (V2max−V1min) is the maximum tolerated voltage deviation from one another of the redundant analog signals that are to be compared.
If one of the voltage values at the two signals B290 or B390 (Voben or Vunten) becomes positive, then there is a greater deviation of the analog signals present than should be tolerated. If the processors which supply these analog signals are synchronized, an error is thus present that has to be stored, and could possibly lead to the switching off of the output signals. The synchronicity is a given if, for instance, the ready signal in the control register of the corresponding processing units is active, or certain digital signals are sent to the UVE which signal a certain state of the respective analog signal, and with that also the value to be compared, in the sense of an identifier. A circuit that stores the error is shown in
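Equations (1) to (4) and the two-comparator window, as an added numerical example in C (written for this edit, not from the patent). It assumes single-supply operation with the amplifier output resting at Vagnd for V1 = V2, so the tolerated deviation Vdiff is taken as the gain Rf/Rin times the input spread (V2max − V1min); this reading of equations (1) and (4) is the example's assumption. Equations (2) and (3) are used in the form solved for the divider ratios R2/(R1+R2) and R4/(R3+R4), and the component values (Rf/Rin = 10, Vagnd = 2.5 V, Vref = 1.2 V, 50 mV tolerated spread) are constructed.

```c
#include <stdio.h>

/* Equation (1) in the single-supply reading assumed here: the differential
 * amplifier output rests at Vagnd and moves by Rf/Rin times (V2 - V1). */
double amp_output(double v1, double v2, double rf_over_rin, double vagnd)
{
    return vagnd + rf_over_rin * (v2 - v1);
}

/* Tolerated deviation Vdiff of the output from Vagnd (assumption: the gain
 * applied to the largest tolerated input spread V2max - V1min). */
double tolerated_vdiff(double v2max, double v1min, double rf_over_rin)
{
    return rf_over_rin * (v2max - v1min);
}

/* Equations (2) and (3) solved for the divider ratios: the divided output
 * equals Vref exactly when Vout sits on the upper or lower window edge. */
double upper_divider_ratio(double vref, double vagnd, double vdiff)
{
    return vref / (vagnd + vdiff);          /* R2 / (R1 + R2) */
}
double lower_divider_ratio(double vref, double vagnd, double vdiff)
{
    return vref / (vagnd - vdiff);          /* R4 / (R3 + R4) */
}

/* The two comparators: Voben goes positive when the divided output exceeds
 * Vref (Vout > Vagnd + Vdiff), Vunten when it falls below Vref
 * (Vout < Vagnd - Vdiff). */
void window_comparators(double vout, double vref, double ratio_up, double ratio_lo,
                        int *voben, int *vunten)
{
    *voben  = vout * ratio_up > vref;
    *vunten = vout * ratio_lo < vref;
}

/* A deviation counts as an error only while the supplying processing units
 * are synchronised (ready signal active); the error is then stored. */
int latch_error(int synchronised, int voben, int vunten, int *stored)
{
    if (synchronised && (voben || vunten)) *stored = 1;
    return *stored;
}

int main(void)
{
    double gain = 10.0, vagnd = 2.5, vref = 1.2;
    double vdiff = tolerated_vdiff(0.05, 0.0, gain);       /* 50 mV spread -> 0.5 V */
    double ru = upper_divider_ratio(vref, vagnd, vdiff);   /* 1.2 / 3.0 */
    double rl = lower_divider_ratio(vref, vagnd, vdiff);   /* 1.2 / 2.0 */
    int stored = 0, voben, vunten;
    double vout = amp_output(1.00, 1.06, gain, vagnd);     /* 60 mV apart: too much */
    window_comparators(vout, vref, ru, rl, &voben, &vunten);
    printf("Vout=%.2f Voben=%d Vunten=%d error stored=%d\n", vout, voben, vunten,
           latch_error(1, voben, vunten, &stored));
    return 0;
}
```

Because the thresholds are set by divider ratios against one fixed Vref, the window scales with the reference: a bandgap reference, as the text suggests, keeps the window stable over temperature and supply variations.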
For low speed requirements, converters according to a counting principle may also be used which, for instance, using the input voltage or the input current have the effect of a corresponding constant charging or discharging of a capacitor connected to an integrator. The time required for this is measured and put into relation with the time necessary in the opposite direction for discharging or charging the same capacitors (integrators) using a reference voltage source or a corresponding reference current. The time unit is measured in clock pulses, and the number of clock pulses required is a measure for the analog input value. Such a method is, for instance, the dual slope method, in which the one slope is determined by the discharge corresponding to the analog value, and the second slope is determined by the reloading corresponding to the reference value (see also http://www.exstrom.com/journal/adc/dsadc.html).
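The counting principle of the dual-slope converter, as an added C model (written for this edit, not the patent's circuit), in integer millivolts: the integrator is charged by the input for a fixed number of clocks N1 and discharged by the reference while clocks are counted, and two redundant channels converted the same way are compared on their counts. The values N1 = 1000, Vref = 2500 mV and the tolerance in counts are constructed.

```c
#include <stdio.h>

/* Dual-slope conversion modelled in integer millivolts. First slope: the
 * integrator accumulates Vin once per clock for N1 clocks. Second slope: it
 * is discharged by Vref once per clock until it returns to zero; the number
 * of discharge clocks N2 is the digital result, N2 = ceil(Vin * N1 / Vref). */
long dual_slope_count(long vin_mv, long vref_mv, long n1)
{
    long integrator = 0;
    for (long i = 0; i < n1; i++)
        integrator += vin_mv;
    long n2 = 0;
    while (integrator > 0) {
        integrator -= vref_mv;
        n2++;
    }
    return n2;
}

/* Recover the input from the counts: Vin = Vref * N2 / N1 (millivolts). */
long dual_slope_value_mv(long n2, long n1, long vref_mv)
{
    return vref_mv * n2 / n1;
}

/* Two redundant analog signals agree when their counts differ by at most
 * tolerance_counts; the tolerance is the digital form of Vdiff. */
int counts_agree(long n2_a, long n2_b, long tolerance_counts)
{
    long d = n2_a > n2_b ? n2_a - n2_b : n2_b - n2_a;
    return d <= tolerance_counts;
}

int main(void)
{
    long n1 = 1000, vref = 2500;
    long a = dual_slope_count(1250, vref, n1);   /* constructed channel A */
    long b = dual_slope_count(1260, vref, n1);   /* constructed channel B */
    printf("A: %ld counts = %ld mV; B: %ld counts = %ld mV; agree(4): %d\n",
           a, dual_slope_value_mv(a, n1, vref),
           b, dual_slope_value_mv(b, n1, vref), counts_agree(a, b, 4));
    return 0;
}
```

The result depends only on the ratio of the two count intervals, which is why the capacitor value and the clock frequency cancel out, as the text's description of measuring both slopes with the same clock implies.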
ADC B600 in
For the comparison of the buffer stored digital and analog signals, the sequence of the storing and possibly the A bit (B730 or B830) as well as identifier B720 or B820 is checked in connection with converted digital value B710 or digital value B810. There is also the possibility, for instance, because of a different bit width, of accommodating the analog and the digital signals in separate memories (two FIFO's). The comparison then takes place in an event-controlled manner: whenever a value of a processor is transmitted to UVE, it is checked whether the other participating processors have already made available such a value. If that is not the case, the value is stored in the corresponding FIFO or memory, and in the other case the comparison is carried out directly, the FIFO being able to be used here too as the memory. For example, a comparison is always finished when the participating FIFO's are not empty. In the case of more than two participating processors or compare signals, it may be ascertained by voting whether all signals are admitted for distribution (fail silent behavior) or whether perhaps the error state is signaled only by an error signal.
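The buffering, occupancy-based WAIT and timer monitoring described earlier for the switchover unit, together with the event-controlled FIFO comparison of this paragraph, as one added C simulation (written for this edit, not the patent's circuit). Three processing units, a FIFO depth of 8, a WAIT threshold of 2 entries and a timer limit of 10 clock ticks are constructed values; the majority vote with the deviating unit flagged follows the behaviour stated for voting, and with only two units a mismatch blocks the output as stated for a simple comparison.

```c
#include <stdint.h>
#include <stdio.h>

#define N_UNITS 3          /* constructed: three processing units, voting */
#define FIFO_DEPTH 8
#define WAIT_OCCUPANCY 2   /* fill level above which the leading unit is stopped */
#define MAX_DEVIATION 10   /* programmed timer limit in clock ticks */

typedef struct { uint32_t value; uint32_t t_arrival; } entry_t;

typedef struct {
    entry_t fifo[N_UNITS][FIFO_DEPTH];
    int head[N_UNITS], count[N_UNITS];
    int wait[N_UNITS];     /* WAIT signal currently asserted to unit k */
    int error[N_UNITS];    /* error bit of unit k */
} uve_t;

enum cmp_result { CMP_PENDING, CMP_EQUAL, CMP_VOTED, CMP_BLOCKED, CMP_OVERFLOW };

static int push(uve_t *u, int k, uint32_t v, uint32_t t)
{
    if (u->count[k] == FIFO_DEPTH) return 0;
    entry_t *e = &u->fifo[k][(u->head[k] + u->count[k]) % FIFO_DEPTH];
    e->value = v; e->t_arrival = t;
    u->count[k]++;
    return 1;
}

static uint32_t pop(uve_t *u, int k)
{
    uint32_t v = u->fifo[k][u->head[k]].value;
    u->head[k] = (u->head[k] + 1) % FIFO_DEPTH;
    u->count[k]--;
    return v;
}

/* FIFO occupancy as the measure of synchronicity: the fullest FIFO belongs
 * to the unit furthest ahead; above WAIT_OCCUPANCY it alone receives WAIT. */
static void update_wait(uve_t *u)
{
    int ahead = 0;
    for (int k = 1; k < N_UNITS; k++)
        if (u->count[k] > u->count[ahead]) ahead = k;
    for (int k = 0; k < N_UNITS; k++)
        u->wait[k] = (k == ahead && u->count[k] > WAIT_OCCUPANCY);
}

/* Event-controlled comparison: unit k hands value v to the UVE at time t.
 * If the other units have not all delivered yet, v is buffered; otherwise
 * one value per unit is taken from the FIFOs and compared or voted. */
enum cmp_result uve_receive(uve_t *u, int k, uint32_t v, uint32_t t, uint32_t *out)
{
    if (!push(u, k, v, t)) { u->error[k] = 1; return CMP_OVERFLOW; }
    for (int j = 0; j < N_UNITS; j++)
        if (u->count[j] == 0) { update_wait(u); return CMP_PENDING; }

    uint32_t vals[N_UNITS];
    for (int j = 0; j < N_UNITS; j++) vals[j] = pop(u, j);
    update_wait(u);

    int best = 0, best_n = 0;            /* value shared by most units */
    for (int j = 0; j < N_UNITS; j++) {
        int n = 0;
        for (int i = 0; i < N_UNITS; i++) n += (vals[i] == vals[j]);
        if (n > best_n) { best_n = n; best = j; }
    }
    if (best_n == N_UNITS) { *out = vals[best]; return CMP_EQUAL; }
    if (best_n * 2 > N_UNITS) {          /* majority: deviating units ignored and flagged */
        for (int j = 0; j < N_UNITS; j++)
            if (vals[j] != vals[best]) u->error[j] = 1;
        *out = vals[best];
        return CMP_VOTED;
    }
    return CMP_BLOCKED;                  /* no majority (or 2-unit mismatch): output blocked */
}

/* Timer monitoring of the maximum time deviation: if the oldest buffered
 * value has waited longer than MAX_DEVIATION ticks, the units that have not
 * delivered are treated as erroneous. Returns the number newly flagged. */
int uve_timer_check(uve_t *u, uint32_t now)
{
    int any = 0; uint32_t oldest = now;
    for (int k = 0; k < N_UNITS; k++)
        if (u->count[k] > 0) {
            uint32_t ta = u->fifo[k][u->head[k]].t_arrival;
            if (!any || ta < oldest) oldest = ta;
            any = 1;
        }
    if (!any || now - oldest <= MAX_DEVIATION) return 0;
    int flagged = 0;
    for (int k = 0; k < N_UNITS; k++)
        if (u->count[k] == 0 && !u->error[k]) { u->error[k] = 1; flagged++; }
    return flagged;
}

int main(void)
{
    uve_t u = {{{{0}}}};
    uint32_t out = 0;
    /* constructed trace: unit 0 runs ahead, units 1 and 2 follow */
    uve_receive(&u, 0, 100, 0, &out);
    uve_receive(&u, 0, 101, 1, &out);
    uve_receive(&u, 0, 102, 2, &out);
    printf("WAIT to unit 0: %d\n", u.wait[0]);
    uve_receive(&u, 1, 100, 3, &out);
    printf("result %d, output %u\n", uve_receive(&u, 2, 100, 4, &out), out);
    return 0;
}
```

A comparison is carried out exactly when none of the participating FIFOs is empty, which is the condition the text states; the separate FIFOs for analog and digital values mentioned above would simply be two instances of this structure keyed by the identifier.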
Number | Date | Country | Kind |
---|---|---|---|
102004051950.1 | Oct 2004 | DE | national |
102004051992.7 | Oct 2004 | DE | national |
102004051964.1 | Oct 2004 | DE | national |
102004051937.4 | Oct 2004 | DE | national |
102004051952.8 | Oct 2004 | DE | national |
102005037241.4 | Aug 2005 | DE | national |
Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/EP05/55519 | 10/25/2005 | WO | | 4/25/2007 |