The present invention relates to methods and devices for performing switchover operations in a computer system having at least two processing units.
A method for detecting errors in a comparison mode is described in PCT International Patent Application No. WO 01/46806. In the process, the data are processed and compared in parallel in a processing unit having two ALU processing units. In the event of an error (soft error, transient error), it provides for both ALUs to work independently of one another until the faulty data are removed and a new (partially repeated) redundant processing can be undertaken again. This requires that both ALUs be able to operate synchronously in relation to each other and that the results be able to be compared in a process that maintains clock accuracy.
Conventional methods provide for switching between a comparison mode used for detecting errors, in which tasks are executed redundantly, and a performance mode used for achieving a higher level of performance. This requires that the processing units be mutually synchronized for the comparison mode. To that end, it is necessary that both processing units be able to be stopped and that they operate synchronously in a process that maintains clock accuracy, to provide for the result data to be compared with one another as they are written into the memory. This requires that interventions be made into the hardware; various approaches are proposed.
On the other hand, European Published Patent Application No. 0 969 373 describes how a comparison of the results of redundantly operating processing units can be ensured even when they operate asynchronously in relation to one another, i.e., not in a process that maintains clock accuracy, or with an unknown clock pulse offset.
From the aircraft industry, voting systems are conventional which are able to use the inputs of standard computers and, by employing a majority decision, to process them reliably and thus trigger actions which are critical to safety. One system that combines inter-processing unit and inter-control unit communication is the FME system, which, because of its high level of redundancy, remains operational even in the case of several or even many errors, and which was developed by DASA for aerospace applications (Urban et al., A Survivable Avionics System for Space Applications, Int. Symposium on Fault-Tolerant Computing, FTCS-28 (1998), pp. 372-381). This system can even tolerate Byzantine errors (i.e., particularly virulent errors in which not all components receive the same information, but rather differing erroneous information is even “deliberately” distributed by a schemer to different components). Due to the considerable outlay required, such a system is commercially feasible for especially critical systems which are manufactured in very small numbers. A cost-effective approach that can be manufactured in large numbers and, in addition, also offers switchover options is not known.
Example embodiments of the present invention provide a switchover and comparison unit which will make it possible to switch the operating mode of two or more processing units and which, in the process, is able to do so without intervening in the structure of these processing units and also does not require any additional signals for this purpose. In this context, it is intended that various digital or analog signals from various processing units be able to be compared to one another in a comparison mode. Under certain circumstances, the intention is that this comparison even be possible when the processing units are operated using different clock signals and not synchronously in relation to one another. Example embodiments of the present invention provide devices and methods which will make a synchronization possible, even without intervening in the hardware.
A method for performing switchover operations in a computer system having at least two processing units, one switchover device, and one comparison device is employed, switchover operations being carried out between at least two operating modes, and a first operating mode corresponding to a comparison mode and a second operating mode corresponding to a performance mode, information being compared in the comparison mode, wherein, in the case of asynchronous operation of the at least two processing units in the comparison mode, a synchronization signal is applied to one interrupt input of at least one of the processing units.
A method is employed where the synchronization signal is a delay signal, e.g., a wait signal.
A method is employed where, in response to the synchronization signal, at least one processing unit is prompted to no longer process any information.
A method is employed where the at least one processing unit is prompted for a specifiable period of time, to no longer process any information.
A method is employed where the synchronization signal has a higher priority than at least one interrupt signal.
A method is employed where the synchronization signal has the highest priority as compared to all interrupt signals.
A method is employed where, in response to the synchronization signal, at least one processing unit is prompted to execute an interrupt routine.
A method is employed which provides for at least one buffer memory to be included, and for at least one of the pieces of information to be compared in the comparison mode to be buffer-stored in the buffer memory for a time period that is dependent on the synchronization signal.
A method is employed which provides for asynchronism information, in particular a timing error, to be ascertainable from the time period for which the at least one piece of information is buffer-stored.
A method is employed which, in the case of the buffer memory, provides for an occupancy level of the memory to be ascertainable, which indicates the number of pieces of information contained in the buffer memory.
A method is employed in which the timing error is ascertained in that a time-recording device, in particular a counter element, is provided, a time value being ascertained, and this time value being compared to a predefinable maximum time value.
A method is employed in which asynchronism information is ascertained in that the determined level of occupancy is compared to a predefinable maximum level of occupancy.
A method is employed where a comparison signal specifies that a next output datum should be compared.
A method is employed in which a datum, that is to be compared, is assigned an identifier which triggers the comparison.
A device for performing switchover operations in a computer system having at least two processing units is employed, the device including a switchover device and a comparison device, and switchover operations being carried out between at least two operating modes, a first operating mode corresponding to a comparison mode and a second operating mode corresponding to a performance mode, information being compared in the comparison mode, characterized in that the device is designed such that, in the case of asynchronous operation of the at least two processing units in the comparison mode, a synchronization signal is applied to one interrupt input of at least one of the processing units.
A device is employed, in which, structurally, the comparison device and the switchover device are provided externally to the processing units.
A device is employed in which at least one buffer memory is provided.
A device is employed in which the buffer memory is a FIFO memory.
A device is employed in which a buffer memory is assigned to each processing unit.
A device is employed in which a buffer memory, in particular a FIFO memory, is assigned to each processing unit.
A device is employed, in which device(s), in particular a counter element, are provided, which are designed to determine asynchronism information, in particular a timing error, from the predefinable and/or ascertainable time period for which at least one of the pieces of information is buffer-stored.
A device is employed, in which device(s) are provided, which are designed such that, in the case of the buffer memory, they ascertain an occupancy level of the memory indicating the number of pieces of information contained in the buffer memory.
A device is employed in which the device(s) are designed to ascertain asynchronism information in that the determined level of occupancy is compared to a predefinable maximum level of occupancy.
A device is employed in which synchronization device(s) are provided which are designed to produce synchronism information in dependence upon the asynchronism information.
A device is employed in which a monitoring device is provided which is designed to process asynchronism information.
A device is employed in which the monitoring device, in particular a watchdog, is external to the computer system.
Other features and aspects of example embodiments of the present invention are described in greater detail below with reference to the appended Figures.
a shows a generalized representation of a comparator.
c shows an expanded representation of a comparator.
b shows a generalized representation of a switchover and comparison unit.
In the following, an execution unit or processing unit may denote both a processor/core/CPU, as well as an FPU (floating point unit), a DSP (digital signal processor), a co-processor or an ALU (arithmetic logical unit).
A system having two or more processing units is considered. In principle, safety-critical systems provide the option of using such resources to enhance performance by assigning different tasks to the various processing units to the greatest extent possible. Alternatively, some of the resources may also be used redundantly relative to one another, by assigning the same task to them and recognizing an error in the case of a disparate result.
Depending on how many processing units there are, a plurality of modes is possible. In a two-unit system, the two modes “comparison” and “performance” exist, as described above. In a three-unit system, besides the pure performance mode in which all three processing units work in parallel, and the pure comparison mode in which all three processing units calculate redundantly and a comparison is made, it is also possible to realize a 2-out-of-3 voting mode, in which all three processing units calculate redundantly and a majority selection is made. In addition, a mixed mode may be realized as well in which, for instance, two of the processing units calculate redundantly in relation to one another and the results are compared, while the third processing unit executes a different, parallel task. In a four or more processing-unit system, it is self-evident that still other combinations are possible.
The available processing units in a system are to be used in a variable manner during operation, without necessitating an intervention in the existing structure of these processing units (for example, for synchronization purposes). An example embodiment provides for each processing unit to be able to operate at its own clock pulse, i.e., to be able to execute the same tasks for comparison purposes asynchronously in relation to one another as well.
This objective is achieved by producing a universal, widely usable IP, which allows the operating modes (for example, comparison mode, performance or voting mode) to be switched at any desired point in time without switching off the processing units in advance, and which manages the process of comparing or voting on the possibly mutually asynchronous data streams. This IP may be designed as a chip, or it may be integrated on one chip together with one or more processing units. In addition, it is not required that this chip be made from only one piece of silicon; it is entirely possible that it be made from separate components as well.
To ensure synchronous operation among various processing units, signals are required that prevent execution of the programs of individual processing units from continuously advancing. To that end, a WAIT signal is typically provided. If an execution unit does not have a wait signal, it may also be synchronized via an interrupt. For this purpose, the synchronization signal (for example, M140 in
This procedure is continued until synchronous operation is established (for example, other processing units deliver the expected comparative data). However, this method is only able to conditionally ensure a precise clock synchronism and, in particular, phase equality with other processing units. Thus, when using the interrupt signal for synchronization purposes, it is recommended that the data to be compared be buffer-stored in the SCU before they are compared.
Example embodiments of the present invention permit the use of any commercially available standard structures because no additional signals are required (no interventions in the hardware structure), and any given output signals from these components, used, for example, to directly control actuators, may be monitored. This includes the checking of converter structures, such as DACs and PWMs, which conventional arrangements have not been able to check directly in this manner using a comparison process.
To the extent that there is no need to check individual tasks or SW tasks, however, the switch may also be made to a performance mode in which different tasks are distributed among various processing units.
Another aspect is derived in that, in a comparison or voting mode, there is no need for all of the data to be compared. Only the data to be compared or voted are synchronized with one another in the switchover and comparison unit. The process of selecting these data may be variable (programmable) because of the selective response of the switchover and comparison unit, and it may be adapted to the particular processing unit architecture, as well as to the application. Thus, diverse PCs or software components may also be readily used, since only results which lend themselves to a meaningful comparison are actually compared.
Thus, in addition, every access to a (for example, external) memory or also only the control of external I/O modules may be monitored. Internal signals may be checked via the software-controlled additional output to the switchover module on the external data bus and/or address bus.
All control signals for the comparison operations are generated in the, e.g., programmable switchover and voting unit, and the comparison takes place there as well. The processing units (for example, processors), whose outputs are to be compared with one another, may use the same program, a duplicated program (which additionally allows the detection of errors during memory access), or also a diversified program, to detect software errors. In the process, there is no need for all of the signals supplied by the processing units to be compared with one another; rather, an identifier (address signal or control signal) may also be used to designate or not designate certain signals for the comparison. This identifier is evaluated in the switchover and comparison device, thereby permitting control of the comparison operation.
Separate timers monitor deviations in the time response beyond a specifiable limit. Some or even all of the modules of the switchover and comparison unit may be integrated on one chip, accommodated on one common board or even in a spatially separate manner. In the latter case, the data and the control signals are exchanged via appropriate bus systems. Local registers are then written via the bus system and control the procedures by the data and/or addresses/control signals stored therein.
The switchover unit includes at least one control register B15, which has at least one memory element for a binary digit (bit) B16, which switches the mode of the comparison unit. At the least, B16 may assume the two values 0 and 1, and may be set or reset by signals B20 or B21 of the processing units or by internal processes of the switchover unit.
If B16 is set to the first value, then the switchover unit operates in the comparison mode. In this mode, all data signals incoming from B20 are compared to the data signals from B21, provided that certain specifiable comparison conditions of the control and/or address signals from signals B20 and B21 are met, which signal the validity of the data and the comparison specified for these data.
If these comparison conditions are simultaneously met for both signals B20 and B21, then the data from these signals are immediately compared, and, in the case of disparity, an error signal B17 is set. If only the comparison condition from either signals B20 or B21 is met, then the appropriate synchronization signal B40 or B41 is set. This signal has the effect of stopping the processing in the corresponding processing unit B10 or B11, and thus prevents onward propagation of the corresponding signals that, so far, have not been able to be compared with one another. Signal B40 or B41 remains set until the comparison condition in question of the other respective processing unit B21 or B20 is met. In this case, the comparison operation is performed, and the corresponding synchronization signal is reset.
To ensure the comparison in the case that the two processing units supply the data to be compared non-simultaneously, as described, it is either necessary that the data and comparison conditions of the respective processing unit be held to the corresponding values until the corresponding synchronization signal B40 or B41 has been reset, or that the data provided first in the switchover unit be stored until the comparison takes place.
The processing unit that is the first to make data available must wait before continuing to execute its program or its processes until the other processing unit supplies the corresponding comparison data.
An example embodiment of the switchover unit according to
If B16 is set to the second value, then synchronization signals B20 and B21, as well as error signal B17 are always inactive and are set to value 0, for example. Also, no comparison is carried out, and the two processing units operate independently of each other.
In the system according to an example embodiment of the present invention, the comparator is a component. It is shown in its simplest form in
An example embodiment may be distinguished by the degree of synchronism required of the two inputs M510, M511 (or M610, M611). One possible variant is characterized by clocked synchronism, i.e., the process of comparing the data may be carried out using one clock pulse. A slight variation arises when, given a fixed phase displacement between the inputs, a synchronous delay element is used, which delays the corresponding signals by whole or even half clock pulse periods, for example. Such a phase displacement may be provided to avoid common cause errors, i.e., errors which can simultaneously affect a plurality of processing units. For that reason, over and above the components from illustration M5, component M640, which delays the earlier input by the phase displacement, is introduced in
Moreover, in the comparator, example embodiments may be differentiated by the manner in which signal M520 (or M620) is generated. An exemplary embodiment provides for applying input signals M510, M511 (or M610, M611) to the output and for the connection to be interruptible by switches. An aspect of this variant is that the same switches may be used for switching between the performance mode and possible different comparison modes. Alternatively, the signals may also be generated from buffer memories that are internal to the comparator.
An example embodiment may be differentiated by how many inputs are present at the comparator and by how the comparator is to react. In the case of three inputs, a majority voting, a comparison of all three, or a comparison of only two signals may be undertaken. In the case of four or more inputs, correspondingly more variants are possible. For example, these variants are to be coupled to the various operating modes of the overall system.
To explain the general case,
This figure illustrates how the various possible modes may be produced. To this end, the logic component of a switching logic N110 is included in this figure. The component, as such, need not exist. It is merely important that its function be present. To begin with, it specifies how many output signals there actually are. In addition, switching logic N110 specifies which input signals contribute to which one of the output signals. In this context, one input signal may contribute to precisely one output signal. Formulated mathematically, the switching logic thus defines a function that assigns one element of set {N160, . . . , N16n} to each element of set {N140, . . . , N14n}.
For each of outputs N16i, the function of processing logic N120 then establishes in which form the inputs contribute to this output signal. This component, as well, does not necessarily need to be present as a separate component. Decisive, again, is that the described functions be implemented in the system. To describe the different possible variations exemplarily, it is assumed, without limiting universality, that output N160 is generated by signals N141, . . . , N14m. If m=1, this simply corresponds to the signal being switched through; if m=2, then signals N141, N142 are compared. This comparison may be implemented synchronously or asynchronously; it may be performed on a bit-by-bit basis, or only for significant bits or also using a tolerance range.
In the case that m≧3, a plurality of options is provided.
One first option provides for comparing all of the signals, and, in response to the existence of at least two different values, for an error to be detected, which may optionally be signaled.
A second option provides for making a k-out-of-m selection (k>m/2). This may be implemented through the use of comparators. An error signal may be optionally generated if it is ascertained that one of the signals is deviant. A possibly differing error signal may be generated when all three signals are different.
A third option provides for supplying these values to an algorithm. This may take the form of generating an average value, a median value, or of using a fault-tolerant algorithm (FTA), for example. Such an FTA is based on deletion of the extreme values of the input values and on a type of averaging of the remaining values. This averaging may be performed for the entire set of the remaining values or, e.g., for a subset that is easily formed in HW. In such a case, it is not always necessary to actually compare the values. In the averaging operation, it is merely necessary to add and divide, for example; FTM, FTA or median value require partial sorting. If indicated, an error signal may be optionally output here as well, given high enough extreme values.
For the sake of brevity, these various mentioned options for processing a plurality of signals to form one signal are described as comparison operations.
Thus, the task of the processing logic is to establish the exact form of the comparison operation for each output signal, and thus also for the corresponding input signals. The combination of the information of switching logic N110 (i.e., the function named above) and of the processing logic (i.e., the establishment of the comparison operation per output signal, i.e., per functional value) is the mode information, and this determines the mode. Generally, this information is naturally multi-valued, i.e., not representable by only one logic bit. Not all theoretically possible modes are practical in a given implementation; for example, the number of permitted modes will be limited. It is important to note that, in the case of only two execution units, where there is only one comparison mode, the entire information may be condensed into only one logic bit.
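The switching logic N110 and processing logic N120 described above, modelled as an added example (not part of the patent text): the routing of inputs N14i to outputs N16o is the N110 function, and the per-output comparison operations (pass-through, tolerance comparison, k-out-of-m voting, fault-tolerant average, median) are the N120 options. Signal names follow the description; the class and function names and all sample values are assumptions of this example.

```python
"""Model of the switching logic N110 and processing logic N120 described above.

Added example, not part of the patent text: the signal names N14i/N16i follow
the description, the function and class names and all sample values are ours.
"""
from functools import partial
from statistics import median
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# One comparison operation yields the value switched to the output (None when
# no value can be produced) and an error flag.
Result = Tuple[Optional[float], bool]
Operation = Callable[[Sequence[float]], Result]


def pass_through(values: Sequence[float]) -> Result:
    """m = 1: the single input is switched through unchanged."""
    return values[0], False


def compare_all(values: Sequence[float], tol: float = 0.0) -> Result:
    """m = 2, or option 1 for m >= 3: every input must agree within `tol`
    (a tolerance range); otherwise an error is detected and nothing is output."""
    if max(values) - min(values) > tol:
        return None, True
    return values[0], False


def vote_k_of_m(values: Sequence[float], k: int) -> Result:
    """Option 2: k-out-of-m selection with k > m/2.  The value reached by at
    least k inputs is output; a deviating minority still raises the error
    flag, and with no majority nothing is output and an error is raised."""
    m = len(values)
    if k <= m / 2:
        raise ValueError("k-out-of-m selection needs a strict majority k > m/2")
    counts: Dict[float, int] = {}
    for v in values:
        counts[v] = counts.get(v, 0) + 1
    winner, votes = max(counts.items(), key=lambda kv: kv[1])
    if votes < k:
        return None, True
    return winner, votes < m


def fta(values: Sequence[float], max_spread: Optional[float] = None) -> Result:
    """Option 3: fault-tolerant average.  The smallest and largest input are
    deleted and the remaining values averaged.  When `max_spread` is given,
    extreme values lying further apart than that are flagged as an error."""
    if len(values) < 3:
        raise ValueError("FTA needs at least three inputs")
    ordered = sorted(values)
    too_far = max_spread is not None and ordered[-1] - ordered[0] > max_spread
    inner = ordered[1:-1]
    return sum(inner) / len(inner), too_far


def median_value(values: Sequence[float]) -> Result:
    """Option 3 variant: the median needs partial sorting but no comparison."""
    return float(median(values)), False


class Mode:
    """Mode information: N110's assignment of inputs N14i to outputs N16o
    together with N120's comparison operation for each output."""

    def __init__(self, routing: Dict[int, List[int]], ops: Dict[int, Operation]):
        if routing.keys() != ops.keys():
            raise ValueError("every output needs exactly one comparison operation")
        self.routing, self.ops = routing, ops

    def apply(self, inputs: Sequence[float]) -> Dict[int, Result]:
        """Produce every output N16o from the inputs routed to it."""
        return {o: self.ops[o]([inputs[i] for i in srcs])
                for o, srcs in self.routing.items()}


# Constructed modes for a three-unit system (inputs N140..N142).
PERFORMANCE = Mode({0: [0], 1: [1], 2: [2]},
                   {o: pass_through for o in range(3)})
COMPARE_ALL_THREE = Mode({0: [0, 1, 2]}, {0: compare_all})
VOTE_2OO3 = Mode({0: [0, 1, 2]}, {0: partial(vote_k_of_m, k=2)})
# Mixed mode: units 0 and 1 are compared, unit 2 runs a different task.
MIXED = Mode({0: [0, 1], 2: [2]}, {0: compare_all, 2: pass_through})
```

Switching modes amounts to replacing the `Mode` object, since N110 and N120 are functions rather than physical components.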
A switch from a performance mode to a comparison mode is generally characterized in that execution units, which, in the performance mode, are mapped to different outputs, are mapped to the same output in the comparison mode. This is, e.g., implemented in that a subsystem of execution units is provided, in which, in the performance mode, all input signals N14i, which are to be considered in the subsystem, are directly switched to corresponding output signals N16i, while, in the comparison mode, they are all mapped to an output. Alternatively, such a switchover operation may also be implemented by altering pairings. The explanation for this is that, generally, it is not possible to speak of the performance mode and the comparison mode, although, in an example embodiment, the number of permitted modes may be limited such that this general case does apply. However, it is always possible to speak of a switch from a performance mode to a comparison mode (and vice versa).
Software-controlled switchover operations between these modes may be dynamically carried out during operation. In this context, the switchover operation is triggered by the execution of special switchover instructions, special instruction sequences, explicitly identified instructions or in response to the accessing of specific addresses by at least one of the execution units of the multiprocessor system.
A two-processor system or a two pC system that includes a switchover and comparison unit M100 according to an example embodiment of the present invention is shown in greater detail in
Output signals M180, M181, which are not directed into the SCU, and internal signals of a processing unit may also be compared, at least with respect to their calculated value, by outputting this value to outputs M120, M121 for the purpose of comparison. Similar processes may also be carried out using input signals M190, M191, which do not arrive via M100. To monitor unit M100, it may be possible for selected signals or also for all signals M160, M161 to be read back via M170, M171 or also via M190, M191. This makes it possible to ensure in the comparison mode as well, that faulty signals from unit M100 are detected. Thus, using a suitable disabling path, to which M100, M110, M111 have access (in an OR operation), a fail-silence behavior of the entire system may be established.
A possible implementation of switchover and comparison unit M100 of
Optionally, there may be additional control registers, such as M240, that includes the maximum allowable time difference (in number of clock pulses) between the processing units for triggering an internal or external watchdog, as well as M241 having the time difference value (number of clock periods) above which the fastest processor is to be intermittently stopped or delayed by WAIT or interrupt signals, in order, for example, to prevent data registers from overflowing.
Also stored in status register M220, for example, besides the error bit, is the magnitude of the current clock pulse offset between the processing units. To that end, at least one timer M230 is always started by a processing unit, for example, whenever a data value specially marked (by address and control signals, for instance a specific address range) is first made available, and the value of the timer is clocked into the status register whenever the data value in question is made available by the second processing unit. Moreover, the timer is, e.g., set such that, even when working with different program flows, corresponding to the WCET (worst case execution time), it is ensured that all processing units must supply one piece of data. In the case that the specified value is exceeded by the timer, an error signal is output.
In M100, outputs M120, M121 of the processing units are to be stored in a buffer memory M250, M251, in particular for the comparison mode, provided that digital data are concerned and they are not able to be supplied in a process that maintains clock accuracy. This memory may be designed as a FIFO. If this memory has a depth of only one (register), then it must be ensured through the use of wait signals, for example, that the outputting of additional values is delayed until the comparison process has taken place, in order to avoid a loss of data.
In addition, there is a comparator unit M210, which compares the digital data from input memories M250, M251, direct inputs M120, M121 or M170, M171 with one another. This comparison unit is also able to compare serial digital data (for example, PWM signals) with one another, when, for example, the serial data are able to be received in memory unit M250, M251 and converted into parallel data, which are then compared in M210. In similar manner, asynchronous digital input signals M170, M171 are able to be synchronized via additional memory units M270, M271. As is also the case for input signals M120, M121, these are, e.g., buffer-stored in a FIFO. The switch between the performance mode and comparison mode is accomplished by setting or resetting the mode bit in the control register, thereby causing corresponding interrupts, for example, in the two processing units. The comparison itself is induced by the supplied data M120, M121, as well as the associated addresses and control signals M130, M131. In the process, specific signals from M120 and M130 or M121 and M131 may function as identifiers which indicate whether the assigned data are to be compared.
This example embodiment is a continuation of the simple switchover in
In this comparison unit, analog data may be compared with one another in an analog comparison unit M211 specially suited for this purpose. However, this presupposes that the analog signals are output synchronously enough with respect to one another, or that provision is made for the data digitized by an ADC implemented in the analog comparison unit to be stored in the same (in this regard, see further explanations regarding
Various example embodiments in the control register are possible. Suitable bit combinations may be used to describe whether an error detection pattern or an error tolerance pattern should be used. Depending on the degree of complexity of unit M300, the type of error tolerance pattern (2 out of 3, median, 2 out of 4, 3 out of 4, FTA, FTM . . . ) to be used, may be additionally specified. In addition, a configurable design is possible as to which output is to be switched through. Accordingly, one may then devise example embodiments as well, as to which components may influence this configuration for which piece of data.
The output signals from the processing units involved are then compared to one another in the switchover unit. Since the signals are not necessarily processed in a process that maintains clock accuracy, the data must be buffer-stored. In the process, data may also be compared in the switchover unit that are transmitted at a greater time difference by the various processing units to the switchover unit. Through the use of a buffer memory (designed, for example, as a FIFO memory: first in-first out, or also in a different buffer form), a plurality of data may also be received first from one processing unit, while other processing units do not supply any data yet. In this context, a measure of the synchronous operation of the two processing units is the occupancy level of the FIFO memory. If a specific, predefinable occupancy level is exceeded, then the processing unit that is the furthest advanced in the processing is intermittently stopped, either by an existing WAIT signal or by suitable interrupt routines, in order to wait for the processing units that are not advancing as quickly in the processing. In the process, the monitoring should be extended to include all externally available signals of a processing unit; this includes analog signals or PWM signals as well. This requires that structures that permit a comparison of such signals be provided in the switchover unit. Moreover, it is provided that a maximum time deviation be specified among the data to be compared and that it be monitored using at least one timer.
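A cycle-based model of the two-unit behaviour described above and in the passage on control register B15 / mode bit B16 (synchronization signals B40/B41, error signal B17), extended with the FIFO buffers, the occupancy threshold and the skew timer of this passage. This is an added example, not part of the patent text; the class and method names, the address-range identifier and every number are assumptions of the example, while the comments give the patent's own signal names.

```python
"""Cycle-based model of a two-unit switchover and comparison unit (SCU).

Added example, not part of the patent text.  Class and method names are ours;
comments give the patent's signal names (B16, B17, B40/B41, M250/M251, M230,
M240, M241).  The programs and all numbers are constructed for the demonstration.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Optional, Sequence, Tuple

COMPARISON_MODE = 1   # B16 = 1
PERFORMANCE_MODE = 0  # B16 = 0


@dataclass(frozen=True)
class Datum:
    addr: int   # address/control signals (M130/M131) serve as the identifier
    value: int  # data signal (M120/M121)


@dataclass
class SCU:
    compare_range: Tuple[int, int]  # writes to this address range are compared
    max_skew: int                   # M240: clock offset above which the watchdog fires
    throttle_level: int             # M241: FIFO occupancy above which the leading unit stops
    b16: int = COMPARISON_MODE
    b17: bool = False               # error signal
    sync: List[bool] = field(default_factory=lambda: [False, False])  # B40, B41
    watchdog: bool = False
    fifos: Tuple[Deque[Datum], Deque[Datum]] = field(
        default_factory=lambda: (deque(), deque()))                   # M250, M251
    timer_start: Optional[int] = None  # M230: cycle the first datum of a pending pair arrived
    max_skew_seen: int = 0             # status register M220: largest offset observed
    compared: int = 0
    mismatches: List[Tuple[int, Datum, Datum]] = field(default_factory=list)
    stall_cycles: List[int] = field(default_factory=list)

    def step(self, cycle: int, outputs: Sequence[Optional[Datum]]) -> None:
        """Process one clock of the SCU given what each unit output this cycle."""
        if self.b16 == PERFORMANCE_MODE:
            self.sync, self.b17 = [False, False], False   # no comparison at all
            return
        lo, hi = self.compare_range
        for unit, d in enumerate(outputs):
            if d is not None and lo <= d.addr <= hi:   # identifier selects the datum
                self.fifos[unit].append(d)
        f0, f1 = self.fifos
        while f0 and f1:                        # both sides have a datum: compare
            a, b = f0.popleft(), f1.popleft()
            self.compared += 1
            if self.timer_start is not None:
                self.max_skew_seen = max(self.max_skew_seen, cycle - self.timer_start)
                self.timer_start = None
            if a != b:
                self.b17 = True
                self.mismatches.append((cycle, a, b))
        if bool(f0) != bool(f1):                # exactly one side is waiting
            if self.timer_start is None:
                self.timer_start = cycle
            if cycle - self.timer_start > self.max_skew:
                self.watchdog = True            # skew limit M240 exceeded
                self.b17 = True
        else:
            self.timer_start = None
        # Occupancy above M241 stops the unit that is ahead (WAIT or interrupt).
        # A level of 0 reproduces the depth-one case: stop as soon as one datum waits.
        self.sync = [len(f0) > self.throttle_level, len(f1) > self.throttle_level]
        if any(self.sync):
            self.stall_cycles.append(cycle)


def simulate(scu: SCU, programs: Sequence[Sequence[Datum]],
             periods: Sequence[int], cycles: int) -> SCU:
    """Drive two units running on different clocks.  On its own clock edge a
    unit outputs its next datum unless its sync signal is asserted."""
    pcs = [0, 0]
    for cycle in range(cycles):
        outs: List[Optional[Datum]] = [None, None]
        for u in (0, 1):
            if cycle % periods[u] == 0 and not scu.sync[u] and pcs[u] < len(programs[u]):
                outs[u] = programs[u][pcs[u]]
                pcs[u] += 1
        scu.step(cycle, outs)
    return scu


# Constructed program: four writes into the compared range and one write
# (0x200) that the identifier excludes from the comparison.
PROGRAM = [Datum(0x100, 1), Datum(0x200, 99), Datum(0x101, 2),
           Datum(0x102, 3), Datum(0x103, 4)]
FAULTY = [Datum(0x102, 7) if d.addr == 0x102 else d for d in PROGRAM]


def run(program1: Sequence[Datum], period1: int = 2,
        mode: int = COMPARISON_MODE, cycles: int = 20) -> SCU:
    """Unit 0 runs PROGRAM every cycle; unit 1 runs `program1` every `period1` cycles."""
    scu = SCU(compare_range=(0x100, 0x1FF), max_skew=10, throttle_level=1, b16=mode)
    return simulate(scu, (PROGRAM, program1), (1, period1), cycles)
```

With unit 1 on half the clock rate, `run(PROGRAM)` compares four pairs without error, records a clock offset of 2 cycles and stalls unit 0 in cycles 3 and 5; `run([Datum(0x100, 1)])` shows the watchdog firing once the lagging unit stays silent longer than M240 allows.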
If, generally, more than two processing units are linked to one another by one shared switchover unit, then one control register is required for each of these processing units. An arrangement of these control registers is clarified in
The (n+1) low-order bits B500x through B50nx of the particular control register Cx are uniquely assigned to the n+1 processors/processing units. Bit B514x of control register Cx switches between comparison/voting, on the one hand, and parallel operation, on the other hand, and corresponds to the value of B16 from
If B50ik and B50kk of control register Ck are set to one (0≦i, k≦n), then, in this example embodiment, this means that the outputs of processing unit i are to be compared with those of processing unit k. If, in addition, B50jk is also equal to 1, then voting is to take place among i, j and k, and the voting result is output at output k of the SCU (0≦i, j, k≦n). To this end, for each group of processing units, a special type of voting or also of only a majority comparison, may be established, as explained previously with respect to illustration M4. Generally, all bits B50ik must be set for processing units i to be compared/voted (in control register Ck), when the voting result is to be output at output k of the SCU. A parallel outputting to other outputs is possible.
A one in B50ii of control register i (0≦i≦n) indicates that output i of the comparison unit is supposed to be active. If all control registers Ci carry a one (i=0, 1, . . . n) only in the corresponding memory locations B50ii, then all of the processing units are working in the performance mode using any given different programs and their own output signals. If all of the n+1 low-order bits B50ik are equal to one (i=0, 1, . . . n), and, moreover, B514k is set, then the output signals of all processing units are selected by majority decision (voting) and output to output k of the SCU; in the case of n=1, only one comparison is made.
The following describes exemplarily how a sequence might appear when the transition is made to a comparison/voting in a system having a plurality of processing units.
Bit B514i in control register Ci is set in order to activate the comparison or the voting process. This bit may be set by the processing unit itself, as well as by the switchover and comparison unit, as a function of specific system states, time conditions or other conditions (such as accesses to certain memory areas, errors or implausibilities). If, with B514i set, bits B50ii and B50ki are also set, then bits B511i and B511k are automatically set by the SCU, thereby triggering interrupts in processing units i and k. These interrupts cause the processing units to jump to a certain program location, to carry out certain initialization steps for the transition to the comparison mode, and then to output an acknowledgment (ready) to the switchover and comparison unit. The ready signal causes interrupt bit B511i in control register Ci of the processing unit in question to be automatically reset and, at the same time, wait bit B512i to be set. When all of the wait bits of the participating processing units have been set, they are simultaneously reset by the switchover and comparison unit. The processing units then begin executing the program parts to be monitored. In accordance with an example embodiment, writing to a control register Ci having a set bit B514i is prevented by locking (HW or SW). This has the practical effect of ensuring that the configuration of the comparison cannot be changed during execution. A change in control register Ci is only possible after bit B514i has been reset. This resetting process produces interrupts in the respective processing units by setting bits B510x in the control registers of all participating processing units for the transition to the normal mode (parallel mode of operation).
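The transition sequence just described, as an added simulation that is not part of the patent: bit positions are an assumption (B50i as bit i, B511 as bit 11, B512 as bit 12, B514 as bit 14), since the patent names the bits but does not fix their positions, and the `SCU` class and its trace are constructed for illustration.

```python
# Added example, not from the patent: simulation of the transition into the
# comparison mode. Bit positions are an assumption (B50i -> bit i,
# B511 -> bit 11, B512 -> bit 12, B514 -> bit 14).
B511, B512, B514 = 1 << 11, 1 << 12, 1 << 14

class SCU:
    def __init__(self, n_units):
        self.regs = [1 << i for i in range(n_units)]   # only B50ii set: parallel mode
        self.log = []                                  # constructed trace of events

    def participants(self, k):
        """Units i whose bit B50ik is set in control register Ck."""
        return [i for i in range(len(self.regs)) if self.regs[k] >> i & 1]

    def request_comparison(self, k, units):
        """Set B50ik for the units and B514k; the SCU then raises B511 in the
        control register of every participant (interrupt: prepare comparison)."""
        for i in units:
            self.regs[k] |= 1 << i
        self.regs[k] |= B514
        for i in self.participants(k):
            self.regs[i] |= B511
            self.log.append(("irq", i))

    def ready(self, i):
        """Acknowledgment from unit i after its initialization steps: its B511
        is reset and, at the same time, its wait bit B512 is set."""
        if not self.regs[i] & B511:
            raise ValueError(f"unit {i} was not interrupted")
        self.regs[i] = (self.regs[i] & ~B511) | B512
        self.log.append(("wait", i))

    def release(self, k):
        """Once every participant waits, all wait bits are reset simultaneously
        and the monitored program parts start. Returns True on release."""
        units = self.participants(k)
        if not all(self.regs[i] & B512 for i in units):
            return False
        for i in units:
            self.regs[i] &= ~B512
        self.log.append(("start", tuple(units)))
        return True

    def write(self, k, value):
        """Writes to Ck are locked (HW/SW) while B514k is set."""
        if self.regs[k] & B514:
            return False
        self.regs[k] = value
        return True
```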
The consistency of all control registers with respect to one another is monitored in accordance with user specifications, and, in the case of an error, an error signal is generated which constitutes part of the status information. Thus, for example, a processing unit must not be used simultaneously for a plurality of independent comparison or voting processes, because, then, synchronization will not be ensured. Possible, however, is a comparison of even a plurality of processing units, without outputting of the data signals, but rather only for the purpose of generating an error signal in the case of disparity.
An example embodiment provides that the entry in a plurality of or all control registers of the processing units participating in a comparison or a voting be made in a substantially identical fashion, i.e., the corresponding bits of these processing units are to be set there in a substantially identical fashion, in some instances with the exception of their own bit i, which controls the output.
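The output configuration and the consistency rule from the preceding paragraphs, as an added model that is not part of the patent: it decodes each control register Ck into the mode of SCU output k and raises the error signal when one processing unit is claimed by two independent comparison or voting groups. Bit positions (B50i as bit i, B514 as bit 14) and the three-unit configuration are assumptions.

```python
# Added example, not from the patent: decoding of the SCU control registers Ck.
# Bit positions are an assumption (B50i -> bit i, B514 -> bit 14).
N_UNITS = 3                      # constructed: n+1 = 3 processing units / outputs
B514 = 1 << 14

def participants(reg):
    """Units i whose bit B50ik is set in register Ck."""
    return {i for i in range(N_UNITS) if reg >> i & 1}

def output_mode(regs, k):
    """Mode of SCU output k: 'off', 'performance', 'compare' or 'vote'."""
    reg = regs[k]
    if not reg >> k & 1:                # B50kk clear: output k is not driven
        return "off"
    group = participants(reg)
    if not reg & B514 or len(group) == 1:
        return "performance"            # own signals only, no comparison
    # two participants: a comparison (n=1 case); three or more: voting
    return "compare" if len(group) == 2 else "vote"

def consistency_errors(regs):
    """Error signal (part of the status information) if a unit is claimed by
    two independent comparison/voting groups, since synchronization could not
    be ensured. A comparison that only raises an error signal (B50kk clear)
    binds no unit. Returns (unit, first group, conflicting group) tuples."""
    errors, group_of = [], {}
    for k, reg in enumerate(regs):
        if output_mode(regs, k) not in ("compare", "vote"):
            continue
        group = participants(reg)
        for i in sorted(group):
            if group_of.setdefault(i, group) != group:
                errors.append((i, tuple(sorted(group_of[i])), tuple(sorted(group))))
    return errors
```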
If an error occurs in the comparison, the error bit is set in the respective control register. In a voting process, the piece of data of the respective processing unit is ignored; in a simple comparison, the output is blocked.
All data which are not available in time, before expiration of the programmed time, are treated as errors. The resetting of the error bits takes place as a system-dependent process and, if indicated, allows a reintegration of the processing unit in question.
In the case that the processing units and/or the voter are not spatially concentrated, a decentralized voting is also possible, in connection with a suitable bus system according to
The resetting of the comparison and voting bit in a control register having an active output bit produces an interrupt in the participating processing units, which are then returned to a parallel mode of operation again. Each processing unit may have a different vector address, which is administered separately. The program processing may then also be implemented via the same program memory. However, the accesses are separate and, typically, to different addresses. If the security-relevant part is negligible in comparison to the parallel modes, it should be considered whether a dedicated program memory having a duplicated security part would perhaps require less expenditure.
The data memory as well may be shared in the performance mode. The accesses then take place sequentially, using the AHB/APB bus, for example.
As a special feature, it also should be mentioned that the error bits must be analyzed by the system. To ensure reliable deactivation in the case of an error, the security-relevant signals should be implemented redundantly in a suitable form (for instance, in the one-of-two code).
In the existing SCUs in accordance with
Moreover, a handshake interface is required (
In an example embodiment, memory elements M800 are designed as FIFO memories (first in, first out).
In the case of the circuits used to compare the analog signals of
In this context, B100 is an operational amplifier, to whose negative input B101 a signal B141 is switched through, which is linked via a resistor B110 having value Rin to input signal B111, at which voltage value V1 is present. Positive input B102 is connected to signal B142, which is connected via resistor B120 having value Rin to input B121, at which voltage value V2 is present. Output B103 of this operational amplifier is connected to output signal B190 which has voltage value Vout. Signal B190 is connected via resistor B140 having value Rf to signal B141, and signal B142 is connected via resistor B130 having value Rf to signal B131, which has the voltage value of analog reference point Vagnd. The output voltage may be calculated according to the following formula using the voltage and resistance values indicated above:
$V_{out} = \frac{R_f}{R_{in}} \, (V_2 - V_1)$ (1)
If the differential amplifier is operated only at a positive operating voltage, as is typically the case for CMOS, then a voltage between the operating voltage and digital ground is selected as analog ground Vagnd, typically the mean potential. If the two analog input voltages V1 and V2 differ only slightly, then output voltage Vout will exhibit only a slight difference Vdiff (positive or negative) from the analog ground.
At this point, two comparators are used to check whether the output voltage is above Vagnd+Vdiff (
Correspondingly, in
This is accomplished by dimensioning values R1, R2, R3 and R4 of resistors B150, B160, B170 and B180 in relation to fixed reference voltage Vref, which is applied to signals B211 and B311, as follows:
$V_{ref} = (V_{agnd} + V_{diff}) \cdot \frac{R_2}{R_1 + R_2}$ (2)

$V_{ref} = (V_{agnd} - V_{diff}) \cdot \frac{R_4}{R_3 + R_4}$ (3)

$V_{diff} = (V_{2max} - V_{1min}) \cdot \frac{R_f}{R_{in}} - V_{agnd}$ (4)
In this context, V2max denotes the maximally tolerated voltage value of V2 at signal B121, and V1min the minimally tolerated voltage value of V1 at signal B111. The reference voltage source may be made available externally, or implemented by an internally realized bandgap (temperature-compensated and operating voltage-independent reference voltage). In equation (4), the maximally tolerated difference Vdiff from the maximum positive deviation V2max and the corresponding maximum negative deviation V1min is determined; i.e., (V2max−V1min) is the maximally tolerated voltage deviation of redundant analog signals relative to one another, which are to be compared to one another.
If one of the voltage values at the two signals B290 or B390 (Vhigh or Vlow) is positive, then there is a greater deviation of the analog signals than should be tolerated. In the case that the processors which supply these analog signals are synchronized, then an error exists that must be stored and, if indicated, results in the output signals being switched off. Synchronous operation is given when, for example, the ready signal in the control register of the processing units in question is active, or when specific digital signals which signal a certain state of the analog signal in question and thus also the value to be compared in the sense of an identifier, are sent to the SCU. A circuit that stores the error is shown in
D flip-flop B400 stores a 1 on clock pulse B403 if one of the two voltage values Vlow or Vhigh at signals B390 or B290 is positive, that is, as a digital signal, has the value high, while signal B421 is not active and no reset signal B402 is present. The error remains stored until the reset signal has been active at least once. Care should be taken when dimensioning the circuits of
For lower speed requirements, converters which work in accordance with the counting principle may also be used which, for instance, use the input voltage or the input current to effect a corresponding constant charging or discharging of a capacitor connected to an integrator. The time required for this is measured and related by ratio to the time needed in the opposite sense for discharging or charging the same capacitor (integrator) using a reference voltage source or a corresponding reference current. The time unit is measured in clock pulses, and the number of clock pulses required is a measure of the analog input value. Such a method is, for instance, the dual slope method, where the one slope is determined by the discharging in accordance with the analog value, and the second slope is determined by the recharging in accordance with the reference value (see also http://www.exstrom.com/journal/adc/dsadc.html).
ADC B600 in
To compare the buffer-stored digital and analog signals, the storing sequence and, in some instances, the A bit (B730 or B830), as well as identifier B720 or B820 are checked in connection with converted digital value B710 or digital value B810. It is likewise possible for the analog and the digital signals to be accommodated in separate memories (two FIFOs), for example, due to the difference in bit width. The comparison is then carried out as an event-controlled process: whenever a value of a processor is transmitted to the SCU, it is checked whether the other processors involved have already supplied such a value. If this is not the case, the value is stored in the corresponding FIFO or memory; otherwise, the comparison process is carried out directly, it being possible for the FIFO to be used as a memory here as well. A comparison process is always completed, for example, when the participating FIFOs are not empty. If there are more than two participating processors or comparison signals, a voting process may be used to ascertain whether all signals are permitted for the distribution process (fail silent behavior) or whether perhaps the error state is signaled only by an error signal.
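The event-controlled comparison of buffered values described above, together with the FIFO occupancy check from the earlier paragraph on buffer storage, as an added simulation that is not part of the patent: each processing unit gets its own FIFO, a unit that runs ahead past the predefinable occupancy level is marked for WAIT, and whenever every participating FIFO holds a value the comparison or 2-of-3 voting is carried out, with the outvoted unit's error bit set and the output blocked (fail silent) when there is no majority. The `Comparator` class, its threshold and the sample values are constructed.

```python
# Added example, not from the patent: event-controlled comparison of buffered
# values from several processing units with per-unit FIFOs, a WAIT request when
# one unit runs ahead, majority voting and fail-silent output on disagreement.
from collections import deque

class Comparator:
    def __init__(self, n_units, max_fill):
        self.fifos = [deque() for _ in range(n_units)]
        self.max_fill = max_fill          # predefinable occupancy level (constructed)
        self.errors = [False] * n_units   # error bit per processing unit
        self.waiting = set()              # units intermittently stopped via WAIT

    def receive(self, unit, value):
        """Called whenever a unit transmits a value to the SCU. Returns
        ('compare', result), ('wait', unit) or ('store', None)."""
        self.fifos[unit].append(value)
        if all(self.fifos):               # every participant has supplied a value
            return ("compare", self.compare())
        if len(self.fifos[unit]) > self.max_fill:
            self.waiting.add(unit)        # the unit furthest ahead is stopped
            return ("wait", unit)
        return ("store", None)            # keep the value until the others arrive

    def compare(self):
        """Pop one value from each FIFO and vote. A majority value is output and
        the outvoted unit's error bit is set; without a majority (which includes a
        plain two-unit comparison that disagrees) the output is blocked: None."""
        values = [f.popleft() for f in self.fifos]
        if all(len(f) <= self.max_fill for f in self.fifos):
            self.waiting.clear()          # lagging units have caught up
        counts = {}
        for v in values:
            counts[v] = counts.get(v, 0) + 1
        best, n = max(counts.items(), key=lambda kv: kv[1])
        if n * 2 > len(values):           # strict majority, e.g. 2 of 3
            for i, v in enumerate(values):
                if v != best:
                    self.errors[i] = True
            return best
        for i in range(len(values)):      # no majority: fail silent, signal error
            self.errors[i] = True
        return None
```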
Number | Date | Country | Kind
---|---|---|---
10 2004 051 937.4 | Oct 2004 | DE | national
10 2004 051 950.1 | Oct 2004 | DE | national
10 2004 051 952.8 | Oct 2004 | DE | national
10 2004 051 964.1 | Oct 2004 | DE | national
10 2004 051 992.7 | Oct 2004 | DE | national
10 2005 037 239.2 | Aug 2005 | DE | national

Filing Document | Filing Date | Country | Kind | 371c Date
---|---|---|---|---
PCT/EP05/55514 | 10/25/2005 | WO | 00 | 7/17/2008