The present invention relates to a computer system and a method for improving safety and reliability of time-triggered computer systems. In particular, but not exclusively, the present invention relates to a time-triggered computer system which can perform comprehensive periodic (self) tests with a high level of diagnostic coverage without causing disruption to normal system operation.
A computer system usually has one or more “Commercial off the Shelf” (COTS) processors—for example, microcontrollers or microprocessors—and some software that will execute on such processor(s). The processors may each contain one or more processor cores. The software may be created, for example, using a programming language such as ‘C’.
In many cases, processors are “embedded” inside larger systems, including cars, aircraft, industrial and agricultural machinery, medical equipment, white goods and even in toys. Other related uses of computer systems include real-time “desktop” applications, such as air-traffic control and traffic management.
When creating such computer systems, developers must choose an appropriate system architecture. One such architecture is a “time-triggered” (TT) architecture. In this architecture the computer system executes tasks according to a predetermined task schedule. Implementation of a TT architecture will typically involve use of a single interrupt that is linked to the periodic overflow of a timer. This interrupt may drive a task scheduler (a simple form of “operating system”). The scheduler will, in turn, begin the execution of the system tasks (a process sometimes called “releasing” the tasks, “triggering” the tasks or “running” the tasks) at predetermined points in time. The tasks themselves are typically named blocks of program code that perform a particular activity (for example, a task may check to see if a switch has been pressed). Tasks are often implemented as functions in programming languages such as ‘C’.
Pont, M. J. (2001) “Patterns for Time-Triggered Embedded Systems”, Addison-Wesley/ACM Press (herein “Reference 1”), the entirety of which is hereby incorporated by reference, and Pont, M. J. (2016) “The Engineering of Reliable Embedded Systems: Developing software for ‘SIL 0’ to ‘SIL 3’ designs using Time-Triggered architectures” (Second Edition), SafeTTy Systems (herein “Reference 2”), the entirety of which is hereby incorporated by reference, provide further information about the implementation of different forms of conventional TT schedulers.
Reference 1 and Reference 2 also provide non-limiting examples of the kinds of tasks that may be executed in TT systems, for example “RS-232 data transmission”, “display updates” and “PID control” tasks, including full implementation details. Other examples of tasks may involve reading input data, performing calculations and generating outputs.
TT designs based on one or more processors can offer very predictable behaviour, making it comparatively easy to test and verify the correct operation of real-time computer systems that are based on such an architecture. This is one reason why TT designs are often used in safety-critical systems, high-integrity systems and in other products where system reliability and/or security are important design considerations.
In
In
Sometimes it is helpful (for example, during the design process) to think of this task sequence as a “Tick List”. Such a list lays out which task(s) will execute in each system “Tick”, and the order in which these executions will occur. For example, the Tick List corresponding to the task set shown in
Once the system reaches the end of the Tick List, it starts again at the beginning.
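The following is an added illustration of the scheduler and Tick List described above; it is not code from the present specification or from References 1 and 2. The single timer interrupt is modelled by calling tt_tick_isr(), the three tasks with their periods and offsets are hypothetical, and the single-character trace exists only so that the release order can be checked. Beyond the text, it also computes the length of the Tick List (the least common multiple of the task periods), which is the point at which the list restarts.

```c
/* Minimal time-triggered co-operative scheduler driven by a Tick List.
 * Added example: not code from the page or from References 1/2. The timer
 * interrupt is modelled by calling tt_tick_isr(); the three tasks, their
 * periods/offsets and the single-character trace are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TT_MAX_TASKS 8
#define TRACE_LEN    64

typedef void (*tt_task_fn)(void);

typedef struct {
    tt_task_fn fn;
    uint32_t   period;   /* ticks between releases */
    uint32_t   offset;   /* tick of first release (0 <= offset < period) */
    uint32_t   run_me;   /* pending releases: set by the ISR, cleared by the dispatcher */
    char       name;
} tt_task_t;

static tt_task_t         g_tasks[TT_MAX_TASKS];
static int               g_num_tasks;
static volatile uint32_t g_tick_count;        /* advanced only by the timer ISR */
static char              g_trace[TRACE_LEN];  /* which task ran, in order */
static int               g_trace_len;

static void trace(char c) {
    if (g_trace_len < TRACE_LEN - 1) { g_trace[g_trace_len++] = c; g_trace[g_trace_len] = '\0'; }
}

void tt_reset(void) { g_num_tasks = 0; g_tick_count = 0; g_trace_len = 0; g_trace[0] = '\0'; }

/* Register a task. Returns its index, or -1 if the parameters are invalid. */
int tt_add_task(tt_task_fn fn, uint32_t period, uint32_t offset, char name) {
    if (g_num_tasks >= TT_MAX_TASKS || period == 0 || offset >= period) return -1;
    g_tasks[g_num_tasks] = (tt_task_t){ fn, period, offset, 0, name };
    return g_num_tasks++;
}

/* The single periodic timer interrupt: mark every task that is due in this Tick. */
void tt_tick_isr(void) {
    uint32_t now = g_tick_count++;
    for (int i = 0; i < g_num_tasks; i++)
        if (now >= g_tasks[i].offset && (now - g_tasks[i].offset) % g_tasks[i].period == 0)
            g_tasks[i].run_me++;
}

/* Dispatcher, called from the background loop: release marked tasks in table order. */
void tt_dispatch(void) {
    for (int i = 0; i < g_num_tasks; i++)
        while (g_tasks[i].run_me) { g_tasks[i].run_me--; g_tasks[i].fn(); }
}

static uint32_t gcd_u32(uint32_t a, uint32_t b) { while (b) { uint32_t t = a % b; a = b; b = t; } return a; }

/* Length of the Tick List: after this many ticks the pattern of releases repeats. */
uint32_t tt_tick_list_length(void) {
    uint32_t h = 1;
    for (int i = 0; i < g_num_tasks; i++) h = h / gcd_u32(h, g_tasks[i].period) * g_tasks[i].period;
    return h;
}

/* Print the Tick List for one full cycle (a design-time aid). */
void tt_print_tick_list(void) {
    uint32_t len = tt_tick_list_length();
    for (uint32_t t = 0; t < len; t++) {
        printf("Tick %u:", (unsigned)t);
        for (int i = 0; i < g_num_tasks; i++)
            if (t >= g_tasks[i].offset && (t - g_tasks[i].offset) % g_tasks[i].period == 0)
                printf(" %c", g_tasks[i].name);
        printf("\n");
    }
}

/* Simulate n ticks (ISR, then dispatcher) and return the release trace. */
const char *tt_run_ticks(int n) {
    for (int i = 0; i < n; i++) { tt_tick_isr(); tt_dispatch(); }
    return g_trace;
}

static void task_a(void) { trace('A'); }   /* e.g. read a switch input, every tick */
static void task_b(void) { trace('B'); }   /* e.g. PID control, every 2nd tick, offset 1 */
static void task_c(void) { trace('C'); }   /* e.g. display update, every 4th tick */

/* Hypothetical task set A(1,0) B(2,1) C(4,0): the Tick List is 4 ticks long. */
const char *demo_trace(int ticks) {
    tt_reset();
    tt_add_task(task_a, 1, 0, 'A');
    tt_add_task(task_b, 2, 1, 'B');
    tt_add_task(task_c, 4, 0, 'C');
    return tt_run_ticks(ticks);
}

int main(void) {
    demo_trace(0);
    tt_print_tick_list();
    printf("trace over 8 ticks: %s\n", demo_trace(8));
    return 0;
}
```

Over eight ticks the trace reads ACABAABACABAAB: the four-tick Tick List (AC, AB, A, AB) is executed twice, which is the restart behaviour described above. Note that the ISR only marks tasks and the dispatcher runs them in table order, so the order within a Tick is fixed at design time and can be tabulated exactly as the Tick List shows it.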
TT computer systems may employ several task schedules, for use in different system modes. For example,
The timing of the transition between system modes may not be known in advance (because, for example, the time taken for the plane shown in
In any computer system that has to operate safely for periods of hours or even years without support or testing by a technically-qualified operator, automated monitoring and self-testing is required. Such testing is usually split into two categories: Power-On Self Tests (POSTs) and Built-In Self Tests (BISTs). In this specification, these conventional self-tests may be referred to as internal POSTs (iPOSTs) and internal BISTs (iBISTs). In this context, ‘internal’ means that the POST or BIST is carried out within the system by the processor or processor core concerned (that is, the processor or processor core tests itself).
As the name suggests, POSTs are performed when power is applied to a computer system. If the POSTs are completed successfully, then the system will begin operating. Periodically during the system operation, BISTs will be performed to ensure that the system is still capable of operating correctly. Reference 2 also provides further information about POSTs and BISTs.
An example of a conventional process 300 for performing POSTs and BISTs is illustrated in
If any of the POSTs fail, which is determined in a third step 303, then the system—in this example—attempts to enter (and remain in) a Fail-Safe State at a fourth step 304. In such a state, it is assumed (for example) that all safety-related system outputs will be in a pre-determined configuration (e.g. ‘Logic 0’ in the case of digital outputs) in which the risk of harm to users of the system or those in the vicinity of the system is very low.
If all of the POSTs are passed, the system will begin to perform its normal operation in a fifth step 305. Periodically during the normal operation the system will check whether it needs to perform a BIST in a sixth step 306 and then perform any necessary BISTs in a seventh step 307. If a BIST fails, which is determined in an eighth step 308, the system will again attempt to enter (and remain in) a Fail-Safe State in a ninth step 309. Each time a BIST is passed the system will perform a processor reset in a tenth step 310 and continue with its normal operation as indicated in the fifth step 305.
It will be appreciated that in a typical design the system will, after power is applied, keep operating until a fault is detected or power is removed from the system in a twelfth step 312.
It will also be appreciated that a single processor core of a processor may perform the steps discussed with respect to
It will be appreciated that many POSTs and BISTs will typically result in the system performing one or more processor resets. Examples of such tests are discussed in Reference 2.
As an example of a typical BIST, it will be appreciated that TT computer systems that are based on single or multiple processors will usually use some form of internal watchdog timer (iWDT) on each processor or processor core to check that the scheduler on the processor is running. In these circumstances, a task will be released periodically by the scheduler to feed the iWDT. If the scheduler fails to run as expected and the iWDT is therefore not fed correctly, then the iWDT is expected to reset the processor. When the processor or processor core detects that it has been reset as a result of an iWDT overflow, it will typically attempt to move the system into a Fail-Safe State.
Given the role that the iWDT plays in TT computer systems, it is important that this component is tested periodically during the system operation. Such a test might for example involve disabling the interrupt source that drives the scheduler. It will be appreciated that a full test of the iWDT in this way is likely to result in the system performing a processor reset and entering a Fail-Safe State. A further processor reset may then be required to return the processor to a normal operating mode.
Overall, it will be appreciated that the purpose of POSTs and BISTs is to determine whether the processor or processor core under test is operating correctly.
It will also be appreciated that the ‘self test’ nature of POSTs and BISTs raises two key challenges: [i] if the processor (or processor core) is not operating correctly, a failed test may report that it has completed successfully, or the result of a failed test may be interpreted incorrectly; [ii] if failure of a POST or BIST is interpreted correctly, then the (faulty) processor (or processor core) may not be able to enter a Fail-Safe State (or implement any other form of shut down or fault-recovery behaviour that may be required).
The traditional approach to dealing with failure of POSTs or BISTs is to add a form of dynamic switch (sometimes called an ‘external watchdog controller’; see Reference 2) to the system outputs. In a TT design, this dynamic switch will typically be fed from a task that is released by the scheduler (see Reference 2). If the dynamic-switch task is not released by the scheduler (or not released at the expected times) then the dynamic switch helps to ensure that all of the system outputs are held in a safe state.
It will be appreciated that the dynamic switch may be incorporated in a device such as a ‘System Basis Chip’ (SBC). Such SBCs will typically contain a watchdog element (an external watchdog controller) that is fed at pre-determined intervals by the processor or processor core that is being monitored. If the watchdog element is not fed at the correct time, the processor will be forced into a safe state. This is an implementation of what is referred to here as a dynamic switch. Note that such SBCs may also contain additional features (such as power-supply monitoring) as will be appreciated by a person skilled in the art.
The assumption is that it is possible to be highly confident that—in the event of failure of any iPOST or iBIST on the processor or processor core—this processor or processor core will be unable to refresh the dynamic switch.
An example of a conventional TT design 400 that employs a simple dynamic switch is shown schematically in
It will be appreciated that, without loss of generality, the control of this digital switch could be implemented by means of periodic ‘heartbeat’ messages sent over a communication bus (such as an SPI bus) to a System Basis Chip or similar device.
In the example shown in
The coolant flow rate will be determined by means of a sensor connected to a Digital-Input-A interface 406. It is assumed in this example that the flow rate is determined from a pulse chain that is generated by a suitable sensor and that a high pulse rate corresponds to a high (coolant) flow rate.
The threshold level can be also adjusted by means of this Digital-Input-A interface 406.
Processor-A 401 is also responsible for reporting the coolant flow rate over a CAN bus (to another system in the vehicle, such as the main Vehicle Control Unit) by means of a Comms-A1 interface 405. Processor-A 401 is also capable of monitoring (that is, reading back) messages that are sent on the CAN bus by Comms-A1 405 by means of the Comms-A2 interface 407.
Processor-A 401 is capable of monitoring its own digital outputs by means of feedback 404 from Digital-Output-A 403.
Processor-A 401 performs iPOSTs and iBISTs that (both) involve processor resets.
In this example, it is assumed that failure of an iPOST or iBIST will result in the system (task) scheduler being disabled. This will in turn mean that the sequence of pulses 409 that drive Switch-A 408 will be disabled. This will result in Switch-A (by means of its control output 410) [i] disabling Digital-Output-A (by means of its control input 411) and [ii] disabling Comms-A1 405 (by means of its control input 412). This behaviour is intended to ensure that Processor-A can neither enable the fuel cell nor report erroneous data over the CAN bus.
It will be appreciated that Switch-A 408 itself may need to be tested by means of iPOSTs and/or iBISTs. This is made possible by providing feedback 413 about the state of Switch-A 408 to Processor-A 401. This feedback link can be used to confirm that if the pulse chain 409 to Switch-A 408 is stopped (briefly) then Switch-A will ‘open’.
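The following is an added model of the two watchdog-style mechanisms discussed above: the internal watchdog timer (iWDT) that resets the processor when the scheduler stops feeding it, and the dynamic switch (Switch-A, or the watchdog element of an SBC) that gates Digital-Output-A and Comms-A1 when the pulse chain stops, together with the switch BIST performed over the feedback link. It is not code from the present specification or from References 1 and 2. Time is counted in scheduler ticks, both timeouts are assumed values, and the assumption that Switch-A re-closes as soon as pulses resume (rather than latching open until a reset) is made so that the brief feedback test can be shown.

```c
/* Model of Processor-A, its on-chip watchdog (iWDT) and the external dynamic
 * switch (Switch-A / SBC watchdog element) from the fuel-cell example.
 * Added example, not code from the page or References 1/2; time is in
 * scheduler ticks and all timeouts are assumed values. */
#include <stdint.h>
#include <stdio.h>

typedef struct { uint32_t timeout, since_pulse; int open;  } dyn_switch_t;  /* Switch-A */
typedef struct { uint32_t timeout, since_feed;  int fired; } iwdt_t;        /* on-chip watchdog */

typedef struct {
    dyn_switch_t sw;
    iwdt_t       wdt;
    int sched_running;      /* 0 models a scheduler that has stopped (hang, failed iBIST) */
    int pulse_task_enabled; /* the task driving pulse chain 409; disabled only by the switch BIST */
    int dout_requested;     /* what the software writes to Digital-Output-A */
    int can_tx_requested;   /* whether the software is sending on Comms-A1 */
    int in_fail_safe;       /* set once an iWDT-caused reset has been recognised */
    int wdt_resets;
} node_t;

void node_init(node_t *n, uint32_t sw_timeout, uint32_t wdt_timeout) {
    *n = (node_t){0};
    n->sw.timeout = sw_timeout;
    n->wdt.timeout = wdt_timeout;
    n->sched_running = 1;
    n->pulse_task_enabled = 1;
    n->dout_requested = 1;      /* software wants the fuel cell enabled */
    n->can_tx_requested = 1;
}

/* Effective outputs: the switch gates them regardless of what the software requests. */
int effective_dout(const node_t *n)   { return n->dout_requested   && !n->sw.open; }
int effective_can_tx(const node_t *n) { return n->can_tx_requested && !n->sw.open; }
int switch_feedback(const node_t *n)  { return n->sw.open; }          /* feedback link 413 */

/* One scheduler tick of the node: the feed/pulse tasks run, then both watchdogs count. */
void node_tick(node_t *n) {
    if (n->sched_running && !n->in_fail_safe) {
        n->wdt.since_feed = 0;                               /* iWDT feed task */
        if (n->pulse_task_enabled) {                         /* pulse task -> Switch-A */
            n->sw.since_pulse = 0;
            n->sw.open = 0;   /* assumption: the switch re-closes once pulses resume */
        }
    }
    if (++n->sw.since_pulse > n->sw.timeout) n->sw.open = 1; /* 410 disables 411 and 412 */
    if (++n->wdt.since_feed > n->wdt.timeout) {              /* iWDT overflow -> processor reset */
        n->wdt.fired = 1; n->wdt_resets++; n->wdt.since_feed = 0;
        n->in_fail_safe = 1;                                 /* reset cause read back on restart */
        n->dout_requested = 0; n->can_tx_requested = 0;
    }
}

/* Scheduler halts: ticks until Switch-A has forced both outputs into the safe state. */
int ticks_until_outputs_safe_after_halt(node_t *n) {
    for (int i = 0; i < 5; i++) node_tick(n);                /* some normal operation first */
    n->sched_running = 0;
    for (int k = 1; k <= 1000; k++) {
        node_tick(n);
        if (!effective_dout(n) && !effective_can_tx(n)) return k;
    }
    return -1;
}

/* Scheduler halts: ticks until the iWDT resets the processor. */
int ticks_until_iwdt_reset_after_halt(node_t *n) {
    for (int i = 0; i < 5; i++) node_tick(n);
    n->sched_running = 0;
    for (int k = 1; k <= 1000; k++) { node_tick(n); if (n->wdt.fired) return k; }
    return -1;
}

/* iBIST of Switch-A: stop the pulse chain briefly, confirm via feedback that the switch
 * opens, then confirm it closes again. Returns 1 on pass. The outputs are forced safe
 * for the duration of the test, which is exactly the disruption discussed in the text. */
int bist_dynamic_switch(node_t *n) {
    int outputs_were_disabled = 0;
    if (switch_feedback(n)) return 0;                        /* must start closed */
    n->pulse_task_enabled = 0;
    for (uint32_t i = 0; i <= n->sw.timeout; i++) {
        node_tick(n);
        if (!effective_dout(n)) outputs_were_disabled = 1;
    }
    int opened = switch_feedback(n);
    n->pulse_task_enabled = 1;
    node_tick(n);
    int closed_again = !switch_feedback(n);
    return opened && closed_again && outputs_were_disabled;
}

int main(void) {
    node_t n;
    node_init(&n, 3, 10);
    printf("outputs safe %d ticks after scheduler halt\n", ticks_until_outputs_safe_after_halt(&n));
    node_init(&n, 3, 10);
    printf("switch BIST %s\n", bist_dynamic_switch(&n) ? "passed" : "FAILED");
    return 0;
}
```

With a switch timeout of 3 ticks and an iWDT timeout of 10, a halted scheduler leaves the outputs disabled after 3 ticks and the processor reset after 10; the switch BIST passes without an iWDT reset because the feed task keeps running while only the pulse task is stopped. The model also exposes the limitation noted below: a processor whose scheduler still runs the pulse task will keep Switch-A closed whatever else has failed on it.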
Again, the steps discussed with respect to
It will be appreciated that, when any form of iPOST or iBIST is performed, the processor or processor core concerned is testing itself. While use of a dynamic switch or similar mechanism should help to ensure that the system will (for example) enter a Fail-Safe State if a BIST fails, it may not always be possible to be confident that detection of processor (or processor core) failures based on a dynamic switch will be sufficient. It will be appreciated that this is the case because it is possible that a processor (or processor core) which fails a BIST (for example) will still be able to feed its dynamic switch.
In addition to the self-test nature of conventional POSTs and BISTs, it will also be appreciated that, in safety-related systems, two further issues need to be considered: [i] the nature of the tests to be performed (including the level of diagnostic coverage required); and [ii] the interval over which the BISTs need to be performed.
Turning first to the nature of the tests that need to be performed, it will be appreciated that the deterministic nature of TT designs makes it comparatively easy to model the operation of real-time computer systems that are based on such an architecture. This is a reason that TT designs are often used in safety-critical systems, high-integrity systems and in other products where system safety and/or reliability are important design considerations.
Processes for modelling TT designs are discussed in detail in Reference 2. As discussed in Reference 2, models of TT systems are necessarily based on various assumptions, including the following:
It will be appreciated that if any of these assumptions become invalid during the system operation, the system may not behave as expected in the field.
Some of the potential hazards and threats that may need to be considered are as follows:
It will be appreciated that many conventional TT designs incorporate run-time monitoring that is intended to ensure that the assumptions summarised above remain valid while the system is operating, even in the presence of such hazards and threats. This process is discussed in Reference 2.
As an example of the kind of monitoring that is performed in conventional TT designs, an internal ‘Task Execution-Time Monitoring Mechanism’ (iTETMM) is employed in most systems. One purpose of the iTETMM is to check that, during normal operation of a system, none of the tasks in the system takes longer to execute than their pre-determined ‘Worst-Case Execution Time’ (WCET). It will be appreciated that the iTETMM is a key safety mechanism in many computer systems because failure of a task to complete its operation within the WCET limit may indicate a significant underlying problem with the system. It will also be appreciated that if, in normal operation, the iTETMM detects that a task has exceeded its pre-determined WCET, it is typically expected that the iTETMM will attempt to move the system into a Fail-Safe State.
It will be appreciated that, during normal system operation, the iTETMM will be employed (typically every time a task is released) to check that the task does not exceed its WCET limit.
It will also be appreciated that the iTETMM itself needs to be tested, usually by means of POSTs and BISTs. As part of these tests, a fault that will force a task to have an execution time greater than its pre-determined WCET may be injected. A consequence of this is that a full test of the iTETMM may result in the system entering a Fail-Safe State. A processor reset may then be required to return the processor to a normal operating mode.
Overall, it will be appreciated that during normal operation of a TT computer system, monitoring mechanisms such as the iTETMM need to be: [i] used (that is, monitoring needs to be performed); and [ii] tested (for example, the iTETMM needs to be the subject of POSTs and BISTs, otherwise there cannot be confidence that the monitoring process performed by this mechanism will be carried out correctly).
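The following is an added model of the iTETMM as used in normal operation and as tested by a BIST that injects a task overrun; it is not code from the present specification or from References 1 and 2. The timer is a simulated microsecond counter that the task body advances, the task and its WCET are hypothetical, and the check is the simplified after-the-fact comparison: a production iTETMM additionally arms a hardware timer with the WCET before the release, so that a task which never returns is also caught.

```c
/* Internal Task Execution-Time Monitoring Mechanism (iTETMM) model with a BIST that
 * injects a task overrun. Added example, not the page's own code; the timer is a
 * simulated microsecond counter that task bodies advance, and all WCET values are assumed. */
#include <stdint.h>
#include <stdio.h>

static uint32_t g_now_us;          /* free-running timer (simulated) */
static int      g_fail_safe;       /* set when the iTETMM trips */
static int      g_inject_overrun;  /* fault-injection hook used by the BIST */

typedef struct {
    void (*fn)(void);
    uint32_t wcet_us;       /* pre-determined Worst-Case Execution Time */
    uint32_t max_seen_us;   /* high-water mark, useful when checking WCET margins */
    const char *name;
} mon_task_t;

static void enter_fail_safe(void) { g_fail_safe = 1; /* real code: outputs to 0V, stop comms */ }
int itetmm_in_fail_safe(void) { return g_fail_safe; }

/* Release a task under iTETMM supervision. Returns the measured execution time in us,
 * or -1 if the task exceeded its WCET (the system is then in the Fail-Safe State).
 * A production iTETMM also arms a hardware timer with the WCET *before* the release so
 * that a task which never returns is caught; this after-the-fact comparison is the
 * simplified form used for simulation. */
int itetmm_release(mon_task_t *t) {
    uint32_t start = g_now_us;
    t->fn();
    uint32_t elapsed = g_now_us - start;
    if (elapsed > t->max_seen_us) t->max_seen_us = elapsed;
    if (elapsed > t->wcet_us) { enter_fail_safe(); return -1; }
    return (int)elapsed;
}

/* Hypothetical control task: 120 us normally, 520 us with the BIST fault injected. */
static void control_task(void) { g_now_us += 120; if (g_inject_overrun) g_now_us += 400; }

/* Normal operation: n supervised releases; returns the high-water mark (stays below WCET). */
uint32_t run_normal(mon_task_t *t, int n) {
    for (int i = 0; i < n; i++) if (itetmm_release(t) < 0) break;
    return t->max_seen_us;
}

/* iBIST of the iTETMM itself: [1] a compliant release must not trip it; [2] an injected
 * overrun must. Returns 1 if the monitor behaved correctly in both cases. After [2] the
 * system is in the Fail-Safe State, so on a real processor a reset would have to follow. */
int itetmm_self_test(mon_task_t *t) {
    g_fail_safe = 0; g_inject_overrun = 0;
    if (itetmm_release(t) < 0 || g_fail_safe) return 0;
    g_inject_overrun = 1;
    int r = itetmm_release(t);
    g_inject_overrun = 0;
    return (r < 0 && g_fail_safe) ? 1 : 0;
}

mon_task_t g_control = { control_task, 200, 0, "control" };

int main(void) {
    printf("normal operation: max %u us of WCET %u us\n",
           (unsigned)run_normal(&g_control, 10), (unsigned)g_control.wcet_us);
    printf("iTETMM self-test %s; fail-safe=%d\n",
           itetmm_self_test(&g_control) ? "passed" : "FAILED", itetmm_in_fail_safe());
    return 0;
}
```

The self-test cannot pass without driving the system into the Fail-Safe State, which is why the text notes that a processor reset is then needed to return to normal operation; the high-water mark is also worth logging in the field, since a task creeping towards its WCET is an early warning that one of the modelling assumptions is eroding.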
It will be appreciated that POSTs and BISTs take time to complete and if not handled with care performing such tests may disrupt the normal system operation.
For most TT designs, performing tests of mechanisms such as the iTETMM during POSTs is usually comparatively straightforward because the system will not be performing safety-related activities immediately after it is powered on. It is therefore usually acceptable to take a little time (perhaps even a few seconds) to fully test a system with POSTs.
While performing POSTs may be comparatively straightforward in many designs, the same cannot always be said for BISTs.
In order to understand the potential impact of BISTs on the normal operation of a system, it is necessary to consider the frequency with which tests of monitoring mechanisms (such as the iTETMM) need to be carried out.
It will be appreciated that international safety standards define a value that is called ‘Process Safety Time’ (PST) in IEC 61508:2010 (herein “Reference 3”), the entirety of which is hereby incorporated by reference, and ‘Fault Tolerant Time Interval’ (FTTI) in ISO 26262:2018 (herein “Reference 4”), the entirety of which is hereby incorporated by reference. To paraphrase, PST/FTTI refers to the time interval between the occurrence of a failure in a computer system that has the potential to give rise to a hazardous event and the time by which a preventive action has to be taken by the computer system in order to prevent the hazardous event from occurring. In this context a hazardous event is one that may—for example—result in injury or death to someone using the system.
In many designs, the PST/FTTI represents the time interval between a failure occurring and the system entering a Fail-Safe State. In a typical system, the PST/FTTI may be in the region of 100 ms as described in NXP (2018) “MWCT101xS Manual”. Safety Document Number: MWCT101XSFSM Rev. 2, August 2018, the entirety of which is hereby incorporated by reference (herein “Reference 5”).
It will be appreciated that in many systems, the designer will wish to ensure that a complete set of BISTs can be completed within the PST/FTTI, in order to be confident that the system will be able to detect faults and enter a Fail-Safe State (or a similar safe state) within this interval.
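The following is an added time-budget check for the requirement just stated; it is not from the present specification. It spreads a list of BIST sub-tests across the idle time of successive ticks (first-fit packing) and reports whether one complete pass over every sub-test finishes inside the PST/FTTI. The tick period, the normal task load, the sub-test durations and the FTTI are all assumed values. The check captures only the time budget: the disruption caused by processor resets and the loss of responsiveness, discussed next, are not something a budget calculation can show.

```c
/* Time-budget check for spreading BISTs across ticks so that every mechanism is
 * re-tested within the PST/FTTI. Added example, not from the page; the tick period,
 * task loads, BIST durations and FTTI are assumed values. */
#include <stdint.h>
#include <stdio.h>

typedef struct { const char *name; uint32_t duration_us; } bist_t;
typedef struct { uint32_t tick_us, normal_load_us, ftti_us; } budget_t;

/* Idle time left in the busiest tick after the normal tasks have run. */
static uint32_t idle_per_tick(const budget_t *b) {
    return b->tick_us > b->normal_load_us ? b->tick_us - b->normal_load_us : 0;
}

/* First-fit packing of the BIST list into tick slots. Returns the number of ticks one
 * complete pass needs, or -1 if some test is longer than the idle time of a tick (it
 * would then have to be split into chunks, or the tick lengthened). */
int bist_plan_ticks(const budget_t *b, const bist_t *list, int n) {
    uint32_t idle = idle_per_tick(b);
    uint32_t used[64] = {0};
    int ticks = 0;
    for (int i = 0; i < n; i++) {
        if (list[i].duration_us > idle) return -1;
        int t = 0;
        while (t < ticks && used[t] + list[i].duration_us > idle) t++;
        if (t == ticks) { if (ticks == 64) return -1; ticks++; }
        used[t] += list[i].duration_us;
    }
    return ticks;
}

/* 1 if a complete pass over all BISTs finishes inside the PST/FTTI, else 0. */
int bists_fit_in_ftti(const budget_t *b, const bist_t *list, int n) {
    int ticks = bist_plan_ticks(b, list, n);
    return ticks > 0 && (uint64_t)ticks * b->tick_us <= b->ftti_us;
}

/* Hypothetical sub-tests, each sized to fit in the idle time of one tick. */
const bist_t demo_bists[] = {
    { "ram_march_chunk",   300 }, { "cpu_register_test", 150 }, { "itetmm_probe", 200 },
    { "switch_feedback",   100 }, { "flash_crc_chunk",   250 },
};
const int demo_bist_count = 5;

int main(void) {
    budget_t b = { 1000, 600, 100000 };   /* 1 ms tick, 600 us of normal tasks, 100 ms FTTI */
    printf("one pass needs %d ticks; fits in FTTI: %d\n",
           bist_plan_ticks(&b, demo_bists, demo_bist_count),
           bists_fit_in_ftti(&b, demo_bists, demo_bist_count));
    return 0;
}
```

With a 1 ms tick carrying 600 us of normal work, the five sub-tests pack into three ticks, so a pass completes every 3 ms, comfortably inside a 100 ms FTTI; raising the normal load to 800 us makes the 300 us RAM test unschedulable, which is the usual reason such tests are chunked.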
Performing a complete set of BISTs on all safety mechanisms in a conventional TT computer system within the PST/FTTI often presents two significant challenges.
The first challenge is the impact on the system outputs and on the wider system configuration.
Performing BISTs on a given processor or processor core will often involve performing a processor reset (see Reference 2). Such resets can disrupt the system inputs, outputs and any communication links to other devices. Disrupting the outputs can interfere with units that are being monitored or controlled by the computer system that is performing BISTs. In some cases, performing a reset on a single processor in a computer system may mean that an entire network needs to restart. For example, in the control system for the hydrogen fuel cell that is shown schematically in
The second challenge is the impact of the BISTs on the system responsiveness.
It will be appreciated that many real-time computer systems may need to respond to external events (for example, data arriving from a sensor) in a time scale measured in milliseconds. While the processor or processor core is performing a BIST (and possibly an associated processor reset) it will not generally be able to respond to such events. This can present a significant challenge when designing many computer systems.
For example, returning to the fuel-cell example that is presented schematically in
Because of the potential impact on the system outputs, the wider system configuration and the overall system responsiveness, meeting the requirement to complete all BISTs within the PST/FTTI (that is, within around 100 ms) is rarely practical in traditional TT computer systems. For example, Reference 2 acknowledges that a complete set of BISTs should be performed within the PST/FTTI limit but then suggests that practical considerations mean that an interval of between 30 seconds and an hour is more likely to be employed in traditional designs.
In some cases, even longer time intervals are proposed. For example, it is sometimes considered in conventional computer systems that failures of monitoring mechanisms such as the iTETMM can be considered as ‘latent faults’ or ‘dual-point’ faults (or similar). The argument made in this situation is that failure of the iTETMM to detect that a task has overrun would require both that: [i] the task overruns (which is considered to be a fault); and [ii] the iTETMM fails simultaneously (which is considered to be a second fault). Based on such an analysis a second FTTI interval is proposed for such ‘latent’ fault situations: this is sometimes known as the L-FTTI.
Intervals of 12 hours are typically set for the L-FTTI (as in Reference 5). As journey times for passenger cars are often assumed to be around 1 hour and trucks or buses around 10 hours (see Reference 4, Part 5, Section 9.4.2.4), this is often interpreted as meaning that tests of monitoring mechanisms (like the iTETMM) need only be performed during POSTs and not (at all) during BISTs. While this is clearly a convenient assumption for the system developer, it is not always clear that it can be justified when making a safety case for the system.
To summarise: [i] TT computer systems have highly deterministic behaviour that can be modelled at design time; [ii] the assumptions that underpin these models need to be tested at run time by means of monitoring mechanisms such as the iTETMM; [iii] the monitoring mechanisms themselves need to be tested at run time by means of POSTs and BISTs; [iv] throughout the time that the system is operating, BISTs that cover all of the monitoring mechanisms should preferably be completed within the PST/FTTI (rather than the ‘L-FTTI’).
In conventional TT computer systems, two key challenges have been identified: [i] when any form of POST or BIST is performed, the processor or processor core concerned is testing itself and whilst use of a dynamic switch or similar watchdog mechanism should ensure that the system will enter a Fail-Safe State if the test fails, it may not always be possible to be confident that watchdog-based detection of processor failures will be sufficient; and [ii] if carried out frequently, conventional BISTs may severely disrupt the normal system operation and as a result performing such tests on all monitoring mechanisms within the PST/FTTI is rarely considered to be practical.
Overall, there is a widespread need to be able to support effective BISTs when developing computer systems with a TT architecture. The traditional process of performing BISTs in such designs opens up a number of potential reliability and safety loopholes.
It is an aim of the present invention to at least partly mitigate the above-mentioned problems.
It is an aim of certain embodiments of the present invention to improve the reliability and safety of TT computer systems.
It is an aim of certain embodiments of the present invention to improve the reliability and safety of TT computer systems by providing a framework that provides a very high level of diagnostic coverage at run time.
It is an aim of certain embodiments of the present invention to improve the reliability and safety of TT computer systems by providing a framework that provides a comprehensive solution to the problem of performing effective BISTs.
It is an aim of certain embodiments of the present invention to perform BISTs on a computer system within the PST/FTTI.
It is an aim of certain embodiments of the present invention to help ensure detection of a processor or processor core that is not operating correctly.
It is an aim of certain embodiments of the present invention to help ensure detection of processor software that is not operating correctly.
It is an aim of certain embodiments of the present invention to perform BISTs without having to disrupt the computer system by performing a processor reset.
It is an aim of certain embodiments of the present invention to independently monitor the results of POSTs and BISTs performed on a processor or processor core, to ensure the tests have been performed correctly and to determine whether the processor or processor core is operating correctly.
It is an aim of certain embodiments of the present invention to help ensure that a processor enters a Fail-Safe State if it is determined that the processor or a processor core is not operating correctly.
It is an aim of certain embodiments of the present invention to help ensure that a computer system enters a Fail-Safe State if it is determined that one or more processors or processor cores is not operating correctly.
It is an aim of certain embodiments of the present invention to help ensure that a computer system enters a Fail-Operational State if it is determined that one or more processors or processor cores is not operating correctly and at least one processor or processor core is operating correctly.
According to a first aspect of the present invention there is provided a time-triggered computer system comprising:
Aptly, the second processor is further adapted to:
Aptly, the first processor and/or third processor is adapted to:
Aptly, the first processor is further adapted to:
Aptly, the second processor is further adapted to:
Aptly, the first processor is further adapted to:
Aptly, the first processor is adapted to:
Aptly, in each predetermined system mode the first processor is adapted to:
Aptly, in each predetermined system mode the first processor is further adapted to:
Aptly, the second processor is adapted to:
Aptly in each predetermined system mode the second processor is adapted to:
Aptly, in each predetermined system mode the second processor is further adapted to:
Aptly, the second processor is adapted to:
Aptly, the first processor is adapted to:
Aptly, the first processor is adapted to:
Aptly, the second processor is adapted to:
Aptly, the first processor is adapted to:
Aptly, the second processor is adapted to:
Aptly, the second processor is adapted to:
Aptly, the first processor and/or third processor is adapted to:
Aptly, the second processor is adapted to:
Aptly, the first processor and/or the third processor is adapted to:
Aptly, the first processor is further adapted to:
Aptly, the second processor is further adapted to:
Aptly, the first processor is further adapted to:
Aptly, the second processor is further adapted to:
Aptly, the first processor is further adapted to:
Aptly, the first processor is further adapted to:
Aptly, the second processor is further adapted to:
Aptly, the second processor is further adapted to:
Aptly, the computer system further comprises:
Aptly, the computer system further comprises:
Aptly, the first input comprises one or more digital input pins on the first processor.
Aptly, the second input comprises one or more digital input pins on the second processor.
Aptly, the first input and/or the second input further comprises external interfacing hardware configured to adapt voltages in the computer system environment to meet voltage requirements of the digital input pins.
Aptly, the first input comprises one or more analogue input pins on the first processor.
Aptly, the second input comprises one or more analogue input pins on the second processor.
Aptly, the first input and/or the second input further comprises external interfacing hardware configured to adapt voltages in the computer system environment to meet voltage requirements of the analogue input pins and provide any necessary filtering of input signals.
Aptly, the first input and/or the second input comprises a software and hardware interface to one or more serial communication buses (such as CAN or Ethernet or RS-232 or SPI).
Aptly, the communication channel is a communication channel enabling the bi-directional transmission of data between the first processor and the second processor.
Aptly, the communication channel is used to synchronise activities on the first processor and the second processor using a form of Shared-Clock Scheduler.
Aptly, data transfers between the first processor and the second processor are supported by means of Tick Messages sent from the first processor to the second processor, or vice versa.
Aptly, data transfers between the second processor and the first processor are supported by means of Ack Messages sent from the second processor to the first processor, or vice versa.
Aptly, the communication channel comprises a standard serial protocol that is suitable for short-distance communication, such as ‘RS-232’ or SPI.
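The following is an added illustration of the Tick Message / Ack Message exchange over the communication channel described above, showing both sides of the protocol; it is not code from the present specification or from References 1 and 2. The first processor (master) sends one Tick Message per tick and expects one Ack Message back; each side treats the other's silence, a corrupt frame or an out-of-sequence tick number as a fault. The four-byte frame layout, the XOR checksum, the miss limits and the mailbox link model are all assumed.

```c
/* Shared-Clock exchange between a first processor (master) and a second processor
 * (slave): one Tick Message out per tick, one Ack Message back, each side treating the
 * other's silence or a corrupt frame as a fault. Added example, not from the page or
 * References 1/2; frame layout, checksum and miss limits are assumed. */
#include <stdint.h>
#include <stdio.h>

enum { MSG_TICK = 0x54, MSG_ACK = 0x41 };
typedef struct { uint8_t type, tick_no, payload, check; } msg_t;

static uint8_t checksum(const msg_t *m) { return (uint8_t)(m->type ^ m->tick_no ^ m->payload ^ 0x5A); }

/* One-slot mailbox per direction. The drop/corrupt counters inject link or processor faults. */
typedef struct { msg_t to_slave, to_master; int to_slave_valid, to_master_valid;
                 int drop_ticks, drop_acks, corrupt_ticks; } link_t;

typedef struct { uint8_t tick_no;  int missed_acks,  max_missed, slave_failed; } master_t;
typedef struct { uint8_t expected; int missed_ticks, max_missed, fail_safe, last_payload; } slave_t;

/* Master: one Tick Message per scheduler tick, carrying the tick number and a data byte. */
void master_send_tick(master_t *m, link_t *l, uint8_t data) {
    msg_t t = { MSG_TICK, m->tick_no, data, 0 };
    t.check = checksum(&t);
    if (l->corrupt_ticks > 0) { l->corrupt_ticks--; t.payload ^= 0x80; }  /* bit flip after checksum */
    if (l->drop_ticks > 0)    { l->drop_ticks--; l->to_slave_valid = 0; return; }
    l->to_slave = t; l->to_slave_valid = 1;
}

/* Slave: validate the Tick Message, use its data, answer with an Ack carrying its status. */
void slave_service(slave_t *s, link_t *l) {
    l->to_master_valid = 0;
    if (!l->to_slave_valid) {                        /* master or link silent this tick */
        if (++s->missed_ticks > s->max_missed) s->fail_safe = 1;
        return;
    }
    msg_t t = l->to_slave; l->to_slave_valid = 0;
    if (t.type != MSG_TICK || checksum(&t) != t.check || t.tick_no != s->expected) {
        s->fail_safe = 1;                            /* corrupt or out-of-sequence tick */
        return;
    }
    s->missed_ticks = 0; s->last_payload = t.payload; s->expected = (uint8_t)(t.tick_no + 1);
    msg_t a = { MSG_ACK, t.tick_no, (uint8_t)s->fail_safe, 0 };
    a.check = checksum(&a);
    if (l->drop_acks > 0) { l->drop_acks--; return; }
    l->to_master = a; l->to_master_valid = 1;
}

/* Master: the Ack must be present, intact, for this tick, and report a healthy slave.
 * Returns 1 on a good Ack. After too many misses the slave is declared failed, at which
 * point the master drives its control element to hold the slave's outputs in the
 * Fail-Safe State. */
int master_check_ack(master_t *m, link_t *l) {
    const msg_t *a = &l->to_master;
    int ok = l->to_master_valid && a->type == MSG_ACK && checksum(a) == a->check
             && a->tick_no == m->tick_no && a->payload == 0;
    if (ok) m->missed_acks = 0;
    else if (++m->missed_acks > m->max_missed) m->slave_failed = 1;
    m->tick_no++;
    return ok;
}

/* Run n ticks of the exchange; returns how many completed with a good Ack. */
int run_ticks(master_t *m, slave_t *s, link_t *l, int n) {
    int good = 0;
    for (int i = 0; i < n; i++) {
        master_send_tick(m, l, (uint8_t)i);
        slave_service(s, l);
        good += master_check_ack(m, l);
    }
    return good;
}

static void fresh(master_t *m, slave_t *s, link_t *l) {
    *m = (master_t){ 0, 0, 2, 0 };        /* tolerate 2 missing Acks, fail on the 3rd */
    *s = (slave_t){ 0, 0, 2, 0, -1 };     /* likewise for missing Ticks */
    *l = (link_t){ 0 };
}

/* Scenarios: healthy link, slave stops answering, master stops sending, corrupted Tick. */
int scenario_healthy(void) {
    master_t m; slave_t s; link_t l; fresh(&m, &s, &l);
    return run_ticks(&m, &s, &l, 300);    /* tick numbers wrap at 256 without complaint */
}
int scenario_slave_silent(void) {
    master_t m; slave_t s; link_t l; fresh(&m, &s, &l);
    run_ticks(&m, &s, &l, 5); l.drop_acks = 3; run_ticks(&m, &s, &l, 3);
    return m.slave_failed;
}
int scenario_master_silent(void) {
    master_t m; slave_t s; link_t l; fresh(&m, &s, &l);
    run_ticks(&m, &s, &l, 5); l.drop_ticks = 3; run_ticks(&m, &s, &l, 3);
    return s.fail_safe && m.slave_failed;
}
int scenario_corrupt_tick(void) {
    master_t m; slave_t s; link_t l; fresh(&m, &s, &l);
    run_ticks(&m, &s, &l, 5); l.corrupt_ticks = 1; run_ticks(&m, &s, &l, 1);
    return s.fail_safe;
}
```

Because every Ack is tied to the tick number it answers, a stale or replayed Ack from a processor that has stalled but whose transmit buffer still drains cannot be mistaken for a live response; a four-byte XOR check is enough for a simulation, and a real link would carry a CRC and, where an attacker on the bus is in scope, an authentication tag.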
Aptly, the computer system further comprises:
Aptly, the first output is adapted to be set to a Fail-Safe-State if the first processor determines that the second processor has failed at least one said second POST.
Aptly, the first output is adapted to be set to a Fail-Safe-State if the first processor determines that the second processor has failed at least one said second BIST.
Aptly, the computer system further comprises:
Aptly, the second output is adapted to be set to a Fail-Safe-State if the second processor determines that the first processor has failed at least one said first POST.
Aptly, the second output is adapted to be set to a Fail-Safe-State if the second processor determines that the first processor has failed at least one said first BIST.
Aptly, the first processor is adapted to:
Aptly, the second processor is adapted to:
Aptly, the first output and/or the second output comprises a software and hardware interface to one or more serial communication buses (such as CAN or Ethernet or RS-232 or SPI).
Aptly, a Fail-Safe State on at least one communication bus means that no messages are sent by the first processor and/or the second processor on that bus.
Aptly, the first output comprises one or more digital output pins on the first processor.
Aptly, the first output further comprises external interfacing hardware configured to adapt voltages in the computer system environment to meet voltage requirements of the digital output pins.
Aptly, a Fail-Safe State on at least one of the digital output pins of the first output is a 0V output.
Aptly, the first output comprises at least one analogue output pin on the first processor.
Aptly, the first output further comprises external interfacing hardware configured to adapt voltages in the computer system environment to meet voltage requirements of the analogue output pins and provide any necessary filtering of output signals.
Aptly, a Fail-Safe State on at least one analogue output pin of the first output is a 0V output.
Aptly, the second output comprises one or more digital output pins on the second processor.
Aptly, the second output further comprises external interfacing hardware configured to adapt voltages in the computer system environment to meet voltage requirements of the digital output pins.
Aptly, a Fail-Safe State on at least one of the digital output pins of the second output is a 0V output.
Aptly, the second output comprises at least one analogue output pin on the second processor.
Aptly, the second output further comprises external interfacing hardware configured to adapt voltages in the computer system environment to meet voltage requirements of the analogue output pins and provide any necessary filtering of output signals.
Aptly, a Fail-Safe State on at least one analogue output pin of the second output is a 0V output.
Aptly, the computer system further comprises:
Aptly, the first control element ensures that safety-related outputs from the first output and/or second output are held in a safe state if the first processor determines that the first processor and/or the second processor is not operating correctly.
Aptly, the computer system further comprises:
Aptly, the second control element ensures that safety-related outputs from the first output and/or second output are held in a safe state if the second processor determines that the first processor and/or the second processor is not operating correctly.
Aptly, the second control element is adapted to be set to a Fail-Safe-State if the second processor determines that the first processor has failed at least one said first POST.
Aptly, the second control element is adapted to be set to a Fail-Safe-State if the second processor determines that the first processor has failed at least one said first BIST.
Aptly, the first control element comprises one or more digital switches that provide a means of disabling one or more digital output pins on the first processor and/or the second processor.
Aptly, a Fail-Safe State on at least one of the digital output pins on the first processor and/or second processor is a 0V output.
Aptly, the first control element comprises one or more analogue switches that provide a means of disabling one or more analogue output pins on the first processor and/or the second processor.
Aptly, a Fail-Safe State on at least one of the analogue output pins on the first processor and/or second processor is a 0V output.
Aptly, the first control element comprises one or more digital switches that provide a means of disabling transceivers that provide a link to one or more serial communication buses (such as CAN or Ethernet or ‘RS-232’ or SPI). This allows the first processor to prevent the first processor and/or the second processor from sending any messages on that communication bus when the first control element is in a Fail-Safe State.
Aptly, the second control element comprises one or more digital switches that provide a means of disabling one or more digital output pins on the first processor and/or the second processor.
Aptly, a Fail-Safe State on at least one of the digital output pins on the first processor and/or the second processor is a 0V output.
Aptly, the second control element comprises one or more analogue switches that provide a means of disabling one or more analogue output pins on the first processor and/or the second processor.
Aptly, a Fail-Safe State on at least one of the analogue output pins on the first processor and/or the second processor is a 0V output.
Aptly, the second control element comprises one or more digital switches that provide a means of disabling transceivers that provide a link to one or more serial communication buses (such as CAN or Ethernet or ‘RS-232’ or SPI). This allows the second processor to prevent the first processor and/or the second processor from sending any messages on that communication bus when the second control element is in a Fail-Safe State.
Aptly, the computer system further comprises:
Aptly, the system output logic element comprises an OR logic operation for combining digital outputs from the first output and the second output.
Aptly, the system output logic element comprises an XOR logic operation for combining digital outputs from the first output and the second output.
Aptly, the system output logic element comprises one or more analogue switches that provide a means of combining analogue outputs from the first output and the second output. This ensures that only the first processor or the second processor (and not both) generates analogue outputs at any given time.
Aptly, the system output logic element comprises one or more digital switches that provide a means of disabling transceivers that provide a link to one or more serial communication buses (such as CAN or Ethernet or ‘RS-232’ or SPI). This ensures that only the first processor or the second processor (and not both) can send messages on said communication buses at any time.
Aptly, at least one output from the system output logic element is adapted to be set to a Fail-Safe-State if the first processor determines that the second processor has failed at least one said second POST and that the second processor has failed to enter a Fail-Safe State after failing said second POST.
Aptly, at least one output from the system output logic element is adapted to be set to a Fail-Safe-State if the first processor determines that the second processor has failed at least one second BIST and that the second processor has failed to enter a Fail-Safe State after failing said second BIST.
Aptly, at least one output from the system output logic element is adapted to be set to a Fail-Safe-State if the second processor determines that the first processor has failed at least one said first POST and that the first processor has failed to enter a Fail-Safe State after failing said first POST.
Aptly, at least one output from the system output logic element is adapted to be set to a Fail-Safe-State if the second processor determines that the first processor has failed at least one said first BIST and that the first processor has failed to enter a Fail-Safe State after failing said first BIST.
Aptly, a Fail-Safe State on at least one digital output pin of system output logic element comprises a 0V output.
Aptly, a Fail-Safe State on at least one analogue output pin of system output logic element comprises a 0V output.
Aptly, a Fail-Safe State on at least one serial communication bus (such as CAN or Ethernet or ‘RS-232’ or SPI) that forms part of the system output logic element comprises a state in which neither the first processor nor the second processor can send any messages on said communication bus.
Aptly, the computer system further comprises:
Aptly, the computer system further comprises:
Aptly, the system output comprises one or more digital output pins.
Aptly, the system output further comprises external interfacing hardware configured to adapt voltages in the computer system environment to meet voltage requirements of the digital output pins.
Aptly, a Fail-Safe State on at least one of the digital output pins of system output comprises a 0V output.
Aptly, the system output comprises one or more analogue output pins.
Aptly, the system output further comprises external interfacing hardware configured to adapt voltages in the computer system environment to meet voltage requirements of the analogue output pins and provide any necessary filtering of output signals.
Aptly, a Fail-Safe State on at least one of the analogue output pins of system output comprises a 0V output.
Aptly, the system output comprises a software and hardware interface to one or more serial communication buses (such as CAN or Ethernet or ‘RS-232’ or SPI).
Aptly, a Fail-Safe State on at least one communication bus means that no messages are sent by the computer system on the respective bus.
Aptly, the computer system further comprises:
Aptly, the computer system further comprises:
Aptly, the first monitor element comprises one or more digital input pins on the first processor.
Aptly, the first monitor element is connected to one or more digital output pins of the first output and/or the second output and/or the system output and/or the first control element and/or the second control element.
Aptly, the first monitor element further comprises external interfacing hardware configured to adapt voltages in the computer system environment to meet voltage requirements of the digital input pins on the first processor.
Aptly, the first monitor element comprises one or more analogue input pins on the first processor.
Aptly, the first monitor element is connected to one or more analogue output pins of the first output and/or the second output and/or the system output and/or the first control element and/or the second control element.
Aptly, the first monitor element further comprises external interfacing hardware configured to adapt voltages in the computer system environment to meet voltage requirements of the analogue input pins on the first processor.
Aptly, the first monitor element comprises a software and hardware interface to one or more communication buses (such as CAN or Ethernet or ‘RS-232’ or SPI) that are connected to the first processor and/or second processor in a manner that allows the first processor to monitor any communications on the one or more communication buses.
Aptly, the second monitor element comprises one or more digital input pins on the second processor.
Aptly, the second monitor element is connected to one or more digital output pins of the first output and/or the second output and/or the system output and/or the first control element and/or the second control element.
Aptly, the second monitor element further comprises external interfacing hardware configured to adapt voltages in the computer system environment to meet voltage requirements of the digital input pins on the second processor.
Aptly, the second monitor element comprises one or more analogue input pins on the second processor.
Aptly, the second monitor element further comprises external interfacing hardware configured to adapt voltages in the computer system environment to meet voltage requirements of the analogue input pins on the second processor.
Aptly, the second monitor element comprises a software and hardware interface to one or more communication buses (such as CAN or Ethernet or ‘RS-232’ or SPI) that are connected to the first processor and/or second processor in a manner that allows the second processor to monitor any communications on the one or more communication buses.
Aptly, the first processor is further adapted to:
Aptly, the second processor is further adapted to:
Aptly, a sequence of first POSTs performed on the first processor is pre-determined.
Aptly, the second processor is adapted to:
Aptly, a time interval between respective first POSTs that are performed on the first processor is pre-determined.
Aptly, the second processor is adapted to:
Aptly, a sequence of second POSTs performed on the second processor is pre-determined.
Aptly, the first processor is adapted to:
Aptly, a time interval between respective second POSTs that are performed on the second processor is pre-determined.
Aptly, the first processor is adapted to:
Aptly, a sequence of first BISTs performed on the first processor is pre-determined.
Aptly, the second processor is adapted to:
Aptly, the predetermined sequence of first BISTs performed on the first processor is the same in each operating mode of the first processor.
Aptly, a time interval between respective first BISTs performed on the first processor is pre-determined.
Aptly, the second processor is adapted to:
Aptly, the predetermined time interval between respective first BISTs performed on the first processor is the same in each operating mode of the first processor.
Aptly, a sequence of second BISTs performed on the second processor is pre-determined.
Aptly, the first processor is adapted to:
Aptly, the predetermined sequence of second BISTs performed on the second processor is the same in each operating mode of the second processor.
Aptly, a time interval between respective second BISTs performed on the second processor is pre-determined.
Aptly, the first processor is adapted to:
Aptly, the predetermined time interval between respective second BISTs performed on the second processor is the same in each operating mode of the second processor.
Aptly, the first processor and/or the second processor comprises a time-triggered scheduler.
Aptly, the first processor and/or the second processor comprises a time triggered cooperative (TTC) scheduler or a time triggered hybrid (TTH) scheduler.
Aptly, the computer system is arranged to monitor the operation of the first processor by means of the second processor.
Aptly, the computer system is arranged to monitor the operation of the second processor by means of the first processor.
Aptly, the first processor and the second processor are the same type of processor.
Aptly, the first processor and the second processor are processors of a different type.
Aptly, different types of processor for the first processor and the second processor are used in designs that are classed as ‘Safety Integrity Level’ (SIL) 3 or 4.
Aptly, the first processor and the second processor each comprise one or more “soft” or “hard” processor cores (that execute some software) and/or one or more hardware cores (that do not execute any software).
Aptly, the first processor and/or the second processor comprises one or more processor chips, such as a commercial-off-the-shelf (COTS) microcontroller or microprocessor, Digital Signal Processor (DSP), Field-Programmable Gate Array (FPGA), Application Specific Integrated Circuit (ASIC) or similar devices.
Aptly, the first processor and/or the second processor comprises one or more processor cores on one or more commercial-off-the-shelf (COTS) microcontrollers or microprocessors, Digital Signal Processors (DSP), Field-Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs) or similar devices.
Aptly, the first processor is further adapted to:
Aptly, the first monitoring process is a Task Execution Time Monitoring Mechanism (TETMM) or is a mechanism for checking the task execution sequence (as documented in Reference 2), or is a mechanism for checking the operation of analogue-to-digital converters, or is a mechanism for checking the clock frequency of the first processor, or is a mechanism for performing checks on the ability of the first processor to execute its defined instruction set, or is a mechanism for checking duplicated variables (as defined in Reference 2) that are employed in the first processor, or is a mechanism for checking the operating voltage of the first processor, or is a mechanism for checking the operating temperature of the first processor, or is a mechanism for checking the operation of one or more external watchdog controllers (see Reference 2) that are connected to the first processor, or is a mechanism for checking the operation of the interrupts on the first processor, or is a mechanism for checking the operation of a watchdog timer that is incorporated in the first processor or is external to the first processor, or is a mechanism for checking the memory in the first processor, or is a mechanism for checking for corruption in the registers in the first processor, or is a mechanism for checking for corruption in the software configuration in the first processor, or is a mechanism for checking for corruption in the stack in the first processor, or is a mechanism for performing timeout checks during the operation of the first processor (as defined in Reference 2).
Aptly, the first processor is further adapted to:
Aptly, the first processor is further adapted to:
Aptly, the first processor is further adapted to:
Aptly, the first predetermined time period is the Process Safety Time or Fault Tolerant Time Interval.
Aptly, the first predetermined time period is equal to or less than 100 ms.
Aptly, the first predetermined time period is equal to or less than 90 ms, optionally 80 ms, optionally 70 ms, optionally 60 ms, optionally 50 ms, optionally 40 ms, optionally 30 ms, optionally 20 ms, optionally 10 ms.
Aptly, the second processor is further adapted to:
Aptly, the second monitoring process is a Task Execution Time Monitoring Mechanism (TETMM) or is a mechanism for checking the task execution sequence (as documented in Reference 2), or is a mechanism for checking the operation of analogue-to-digital converters, or is a mechanism for checking the clock frequency of the second processor, or is a mechanism for performing checks on the ability of the second processor to execute its defined instruction set, or is a mechanism for checking duplicated variables (as defined in Reference 2) that are employed in the second processor, or is a mechanism for checking the operating voltage of the second processor, or is a mechanism for checking the operating temperature of the second processor, or is a mechanism for checking the operation of one or more external watchdog controllers (see Reference 2) that are connected to the second processor, or is a mechanism for checking the operation of the interrupts on the second processor, or is a mechanism for checking the operation of a watchdog timer that is incorporated in the second processor or is external to the second processor, or is a mechanism for checking the memory in the second processor, or is a mechanism for checking for corruption in the registers in the second processor, or is a mechanism for checking for corruption in the software configuration in the second processor, or is a mechanism for checking for corruption in the stack in the second processor, or is a mechanism for performing timeout checks during the operation of the second processor (as defined in Reference 2).
Aptly, the second processor is further adapted to:
Aptly, the second processor is further adapted to:
Aptly, the second processor is further adapted to:
Aptly, the second predetermined time period is the Process Safety Time or Fault Tolerant Time Interval.
Aptly, the second predetermined time period is equal to or less than 100 ms.
Aptly, the second predetermined time period is equal to or less than 90 ms, optionally 80 ms, optionally 70 ms, optionally 60 ms, optionally 50 ms, optionally 40 ms, optionally 30 ms, optionally 20 ms, optionally 10 ms.
According to a second aspect of the present invention there is provided a computer-implemented method for determining if at least one Power-On Self-Test and/or Built-in Self-Test has passed or failed, comprising the steps of:
Aptly, the method further comprises:
Aptly, the method further comprises:
Aptly, the method further comprises:
Aptly, the method further comprises, in each predetermined system mode:
Aptly, the method further comprises, in each predetermined system mode:
Aptly, the method further comprises:
Aptly, the method further comprises, in each predetermined system mode:
Aptly, the method further comprises, in each predetermined system mode:
Aptly, the method further comprises:
Aptly, the method further comprises:
Aptly, the method further comprises:
Aptly, the first monitoring process is a Task Execution Time Monitoring Mechanism (TETMM) or is a mechanism for checking the task execution sequence (as documented in Reference 2), or is a mechanism for checking the operation of analogue-to-digital converters, or is a mechanism for checking the clock frequency of the first processor, or is a mechanism for performing checks on the ability of the first processor to execute its defined instruction set, or is a mechanism for checking duplicated variables (as defined in Reference 2) that are employed in the first processor, or is a mechanism for checking the operating voltage of the first processor, or is a mechanism for checking the operating temperature of the first processor, or is a mechanism for checking the operation of one or more external watchdog controllers (see Reference 2) that are connected to the first processor, or is a mechanism for checking the operation of the interrupts on the first processor, or is a mechanism for checking the operation of a watchdog timer that is incorporated in the first processor or is external to the first processor, or is a mechanism for checking the memory in the first processor, or is a mechanism for checking for corruption in the registers in the first processor, or is a mechanism for checking for corruption in the software configuration in the first processor, or is a mechanism for checking for corruption in the stack in the first processor, or is a mechanism for performing timeout checks during the operation of the first processor (as defined in Reference 2).
Aptly, the method further comprises:
Aptly, the method further comprises:
Aptly, the method further comprises:
Aptly, the first predetermined time period is the Process Safety Time or Fault Tolerant Time Interval.
Aptly, the first predetermined time period is equal to or less than 100 ms.
Aptly, the first predetermined time period is equal to or less than 90 ms, optionally 80 ms, optionally 70 ms, optionally 60 ms, optionally 50 ms, optionally 40 ms, optionally 30 ms, optionally 20 ms, optionally 10 ms.
Aptly, the method further comprises:
Aptly, the second monitoring process is a Task Execution Time Monitoring Mechanism (TETMM) or is a mechanism for checking the task execution sequence (as documented in Reference 2), or is a mechanism for checking the operation of analogue-to-digital converters, or is a mechanism for checking the clock frequency of the second processor, or is a mechanism for performing checks on the ability of the second processor to execute its defined instruction set, or is a mechanism for checking duplicated variables (as defined in Reference 2) that are employed in the second processor, or is a mechanism for checking the operating voltage of the second processor, or is a mechanism for checking the operating temperature of the second processor, or is a mechanism for checking the operation of one or more external watchdog controllers (see Reference 2) that are connected to the second processor, or is a mechanism for checking the operation of the interrupts on the second processor, or is a mechanism for checking the operation of a watchdog timer that is incorporated in the second processor or is external to the second processor, or is a mechanism for checking the memory in the second processor, or is a mechanism for checking for corruption in the registers in the second processor, or is a mechanism for checking for corruption in the software configuration in the second processor, or is a mechanism for checking for corruption in the stack in the second processor, or is a mechanism for performing timeout checks during the operation of the second processor (as defined in Reference 2).
Aptly, the method further comprises:
Aptly, the method further comprises:
Aptly, the method further comprises:
Aptly, the second predetermined time period is the Process Safety Time or Fault Tolerant Time Interval.
Aptly, the second predetermined time period is equal to or less than 100 ms.
Aptly, the second predetermined time period is equal to or less than 90 ms, optionally 80 ms, optionally 70 ms, optionally 60 ms, optionally 50 ms, optionally 40 ms, optionally 30 ms, optionally 20 ms, optionally 10 ms.
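The first and second monitoring processes listed above (a Task Execution Time Monitoring Mechanism, task-sequence checks, and the others) and the first and second predetermined time periods (the Process Safety Time) are easier to reason about with a concrete scheduler in front of you. The following is an added worked example and is not code from the patent or from References 1 and 2: a minimal time-triggered cooperative scheduler whose dispatcher measures every task's execution time against a pre-determined [BCET, WCET] window and holds the safety-related output at 0V at the next tick after a violation. The hardware timer is replaced by a simulated microsecond clock that the tasks advance explicitly, and the tick period, the task windows, the 10 ms Process Safety Time and the fault-injection knob are all assumptions chosen for the demonstration.

```c
/* Added example (not from the patent or Reference 2): a TTC scheduler with a
 * Task Execution Time Monitoring Mechanism (TETMM).  No hardware timer: tasks
 * advance a simulated microsecond clock, so this runs on a desktop.  Tick,
 * window and PST values are assumptions chosen for the demonstration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TICK_US   1000u   /* scheduler tick: 1 ms (assumption) */
#define PST_US   10000u   /* Process Safety Time: 10 ms (assumption) */
#define NUM_TASKS     3

static uint32_t sim_now_us;          /* simulated time */
static int32_t  sensor_adjust_us;    /* fault-injection knob for the sensor task */

static void task_sensor(void)  { sim_now_us += 200 + sensor_adjust_us; }
static void task_control(void) { sim_now_us += 350; }
static void task_output(void)  { sim_now_us += 100; }

typedef struct {
    const char *name;
    void (*run)(void);
    uint32_t period_ticks, offset_ticks;
    uint32_t bcet_us, wcet_us;   /* pre-determined execution-time window */
} task_t;

static const task_t tasks[NUM_TASKS] = {
    { "sensor",  task_sensor,  1, 0, 150, 300 },
    { "control", task_control, 2, 0, 300, 500 },
    { "output",  task_output,  2, 1,  50, 200 },
};

typedef struct {
    uint8_t  output_pin;            /* 1 = driving the load, 0 = 0V Fail-Safe State */
    bool     fault_pending;         /* TETMM flagged a task during this tick */
    int      faulting_task;         /* index into tasks[], or -1 */
    uint32_t fault_detected_us;
    uint32_t fail_safe_entered_us;
} system_state_t;

static system_state_t sys;

/* Dispatcher for one tick.  After each task returns, TETMM compares its
 * measured execution time with the task's [BCET, WCET] window; a task that
 * finishes too early is as suspicious as one that overruns. */
static void dispatch(uint32_t tick) {
    for (int i = 0; i < NUM_TASKS; i++) {
        const task_t *t = &tasks[i];
        if (tick < t->offset_ticks || (tick - t->offset_ticks) % t->period_ticks) continue;
        uint32_t start = sim_now_us;
        t->run();
        uint32_t dur = sim_now_us - start;
        if (dur < t->bcet_us || dur > t->wcet_us) {
            sys.fault_pending = true;
            sys.faulting_task = i;
            sys.fault_detected_us = sim_now_us;
            return;                 /* release no further tasks this tick */
        }
    }
}

/* Tick handler.  A TTC scheduler is non-preemptive, so the tick cannot be
 * served until the running task returns; the fail-safe transition is taken
 * at the first tick after detection. */
static void on_tick(uint32_t tick) {
    uint32_t boundary = tick * TICK_US;
    if (boundary > sim_now_us) sim_now_us = boundary;   /* idle until the tick */
    if (sys.fault_pending) {
        sys.output_pin = 0;                              /* hold output at 0V */
        sys.fail_safe_entered_us = sim_now_us;
        return;
    }
    dispatch(tick);
}

/* Runs n_ticks of the schedule, adjusting the sensor task's execution time by
 * adjust_us from inject_tick onwards.  Returns true if the system ended in
 * the Fail-Safe State. */
bool run_schedule(uint32_t n_ticks, uint32_t inject_tick, int32_t adjust_us) {
    sim_now_us = 0; sensor_adjust_us = 0;
    sys = (system_state_t){ .output_pin = 1, .faulting_task = -1 };
    for (uint32_t tick = 0; tick < n_ticks && sys.output_pin; tick++) {
        if (tick == inject_tick) sensor_adjust_us = adjust_us;
        on_tick(tick);
    }
    return sys.output_pin == 0;
}

/* Time from TETMM detection to fail-safe entry; must stay within the PST. */
uint32_t fail_safe_latency_us(void) { return sys.fail_safe_entered_us - sys.fault_detected_us; }
int faulting_task_index(void) { return sys.faulting_task; }

int main(void) {
    bool fs = run_schedule(20, 5, -100);     /* sensor task finishes too early at tick 5 */
    printf("fail-safe=%d task=%s latency=%u us (PST %u us)\n", fs,
           fs ? tasks[sys.faulting_task].name : "-", fail_safe_latency_us(), PST_US);
    return (fs && fail_safe_latency_us() <= PST_US) ? 0 : 1;
}
```

With the values assumed here the early-finishing sensor task is flagged 100 µs into tick 5 and the output is dropped to 0V at the tick-6 boundary, a latency of 900 µs, well inside the 10 ms Process Safety Time. An overrunning task shows the other side of the budget: because the scheduler is cooperative, nothing can happen until that task returns, so the worst-case latency a designer has to set against the PST is the tick period plus the longest overrun the task windows allow before the monitor fires.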
According to a third aspect of the present invention there is provided a computer program comprising instructions which, when executed by a computer, cause the computer to carry out the steps of the method according to the second aspect of the present invention.
According to a fourth aspect of the present invention there is provided a time-triggered computer system comprising:
Aptly, the Processor-A comprises one or more “soft” or “hard” processor cores (that execute some software) and/or one or more hardware cores (that do not execute any software).
Aptly, the Processor-A comprises one or more processor cores on one or more commercial-off-the-shelf (COTS) microcontrollers or microprocessors, Digital Signal Processors (DSP), Field-Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs) or similar devices.
Aptly, the Processor-A comprises a time-triggered scheduler.
Aptly, Processor-A comprises a time triggered cooperative (TTC) scheduler or a time triggered hybrid (TTH) scheduler.
Aptly, the Processor-M monitors the operation of Processor-A.
Aptly, the Processor-M comprises one or more “soft” or “hard” processor cores (that execute some software) and/or one or more hardware cores (that do not execute any software).
Aptly, the Processor-M comprises one or more processor chips, such as a commercial-off-the-shelf (COTS) microcontroller or microprocessor, Digital Signal Processor (DSP), Field-Programmable Gate Array (FPGA), Application Specific Integrated Circuit (ASIC) or similar devices.
Aptly, the Processor-M comprises one or more processor cores on one or more commercial-off-the-shelf (COTS) microcontrollers or microprocessors, Digital Signal Processors (DSP), Field-Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs) or similar devices.
Aptly, the Processor-M comprises a time-triggered scheduler.
Aptly, Processor-M comprises a time triggered cooperative (TTC) scheduler or a time triggered hybrid (TTH) scheduler.
Aptly, the Processor-M checks the results of ePOSTs and eBISTs that are performed on Processor-A while Processor-A checks the results of ePOSTs and eBISTs that are performed on Processor-M.
Aptly, the Processor-A performs ePOSTs (that may involve a processor reset) and reports data from each ePOST to the Processor-M by means of the ePOST-Data-A messages that are sent over a Communication Channel; and Processor-M then compares the contents of each ePOST-Data-A message with the expected results of the corresponding ePOST; by means of this comparison, Processor-M determines whether the ePOST performed on Processor-A has passed or has failed.
Aptly, the Processor-A will perform eBISTs during its normal operation that do not require processor resets and will report data from each eBIST to Processor-M by means of eBIST-Data-A messages that are sent over a Communication Channel; Processor-M will then compare the contents of each eBIST-Data-A message with the expected results of the corresponding eBIST; by means of this comparison, Processor-M will determine whether the eBIST performed on Processor-A has passed or has failed.
Aptly, the Processor-A performs one or more eBISTs that include performing a processor reset.
Aptly, the Processor-M will perform ePOSTs (that may involve a processor reset) and will report data from each ePOST to Processor-A by means of ePOST-Data-M messages that are sent over a Communication Channel; Processor-A will then compare the contents of each ePOST-Data-M message with the expected results of the corresponding ePOST; by means of this comparison, Processor-A will determine whether the ePOST performed on Processor-M has passed or has failed.
Aptly, the Processor-M will perform eBISTs during its normal operation that do not require processor resets and will report data from each eBIST to Processor-A by means of eBIST-Data-M messages that are sent over a Communication Channel; Processor-A will then compare the contents of each eBIST-Data-M message with the expected results of the corresponding eBIST; by means of this comparison, Processor-A will determine whether the eBIST performed on Processor-M has passed or has failed.
Aptly, the Processor-M performs one or more eBISTs that include performing a processor reset.
Aptly, the computer system is arranged to have a Communication Channel that is adapted to support the transmission of ePOST-Data-A messages and eBIST-Data-A messages between Processor-A and Processor-M, and to support the transmission of ePOST-Data-M messages and eBIST-Data-M messages between Processor-M and Processor-A.
Aptly, the Communication Channel is used to synchronise the activities on Processor-A and Processor-M using a form of Shared-Clock Scheduler.
Aptly, data transfers between Processor-A and Processor-M are supported by means of Tick Messages sent from Processor-A to Processor-M.
Aptly, data transfers between Processor-M and Processor-A are supported by means of Ack Messages sent from Processor-M to Processor-A.
Aptly, the Communication Channel comprises a standard serial protocol that is suitable for short-distance communication, such as ‘RS-232’ or SPI.
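The cross-checking described for the first aspect (the pre-determined sequence and interval of first and second BISTs, checked by the other processor) and for the fourth aspect (eBIST-Data-A carried in Tick Messages, eBIST-Data-M carried in Ack Messages, each side comparing the received data with the expected results) amounts to a small protocol. The following is an added worked example and is not code from the patent: both processors are modelled in one desktop process, the Communication Channel is a 9-byte frame copied between them, and Processor-M rejects a report that fails its frame CRC, that is stale (wrong tick number), that runs the wrong eBIST for that tick (sequence deviation) or whose result differs from the expected value, entering its Fail-Safe State on the first rejection. The eBIST set, the frame layout, the CRC-16 and the constructed constant table are assumptions; a real build would generate the expected-result table at build time rather than deriving it from a reference copy at start-up as done here.

```c
/* Added example (not code from the patent): Processor-A and Processor-M
 * exchanging eBIST results over a Tick/Ack channel and cross-checking them.
 * Both "processors" live in one desktop process; the channel is a byte
 * buffer.  Frame layout, CRC, eBIST set and constant table are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_LEN 64
#define N_EBIST   3
#define MSG_LEN   9                          /* tick(2) id(1) result(4) crc(2) */
enum { EBIST_IMAGE_CRC, EBIST_ALU, EBIST_STACK_GUARD };
enum { CHK_OK, CHK_CRC, CHK_STALE, CHK_SEQUENCE, CHK_RESULT };
typedef enum { FAULT_NONE, FAULT_IMAGE_BIT_FLIP, FAULT_WRONG_SEQUENCE, FAULT_REPLAY } fault_t;

/* Pre-determined eBIST sequence, identical in every operating mode */
static const uint8_t ebist_seq[N_EBIST] = { EBIST_IMAGE_CRC, EBIST_ALU, EBIST_STACK_GUARD };
static int last_reason;

typedef struct { uint16_t tick; uint8_t ebist_id; uint32_t result; } msg_t;
typedef struct {
    uint8_t  image[IMAGE_LEN];    /* this processor's copy of a constant table */
    uint32_t golden[N_EBIST];     /* expected results of the peer's eBISTs */
    uint16_t expect_tick;         /* freshness: next tick number expected from the peer */
    uint8_t  stack_guard;
} proc_t;

/* CRC-16/CCITT-FALSE: protects frames and serves as the image eBIST */
static uint16_t crc16(const uint8_t *p, size_t n, uint16_t crc) {
    while (n--) {
        crc ^= (uint16_t)(*p++ << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

static void msg_pack(const msg_t *m, uint8_t out[MSG_LEN]) {
    out[0] = (uint8_t)(m->tick >> 8);   out[1] = (uint8_t)m->tick;   out[2] = m->ebist_id;
    out[3] = (uint8_t)(m->result >> 24); out[4] = (uint8_t)(m->result >> 16);
    out[5] = (uint8_t)(m->result >> 8);  out[6] = (uint8_t)m->result;
    uint16_t c = crc16(out, 7, 0xFFFF);
    out[7] = (uint8_t)(c >> 8); out[8] = (uint8_t)c;
}

static bool msg_unpack(const uint8_t in[MSG_LEN], msg_t *m) {
    if (crc16(in, 7, 0xFFFF) != (uint16_t)((in[7] << 8) | in[8])) return false;
    m->tick = (uint16_t)((in[0] << 8) | in[1]);
    m->ebist_id = in[2];
    m->result = ((uint32_t)in[3] << 24) | ((uint32_t)in[4] << 16) | ((uint32_t)in[5] << 8) | in[6];
    return true;
}

static uint32_t run_ebist(const proc_t *p, uint8_t id) {
    switch (id) {
    case EBIST_IMAGE_CRC:   return crc16(p->image, IMAGE_LEN, 0xFFFF);
    case EBIST_ALU:         { volatile uint32_t a = 0x1234, b = 0x5678; return (a * b) ^ (a + b); }
    case EBIST_STACK_GUARD: return p->stack_guard;
    default:                return 0xDEADBEEF;
    }
}

static void init_proc(proc_t *p) {
    memset(p, 0, sizeof *p);
    for (int i = 0; i < IMAGE_LEN; i++) p->image[i] = (uint8_t)(i * 7 + 3);  /* constructed table */
    p->stack_guard = 0xA5;
    for (int i = 0; i < N_EBIST; i++) p->golden[i] = run_ebist(p, (uint8_t)i); /* build-time constants in a real system */
}

/* Peer check, as done by Processor-M on eBIST-Data-A and by Processor-A on
 * eBIST-Data-M: frame CRC, freshness, pre-determined sequence, then result. */
static int check_peer(proc_t *self, const uint8_t raw[MSG_LEN]) {
    msg_t m;
    if (!msg_unpack(raw, &m))                          return CHK_CRC;
    if (m.tick != self->expect_tick)                   return CHK_STALE;
    if (m.ebist_id != ebist_seq[m.tick % N_EBIST])     return CHK_SEQUENCE;
    if (m.result != self->golden[m.ebist_id])          return CHK_RESULT;
    self->expect_tick++;
    return CHK_OK;
}

/* Runs n_ticks of the shared-clock exchange with a fault injected into
 * Processor-A at inject_tick.  Returns the tick at which either side entered
 * its Fail-Safe State, or -1 if every eBIST report was accepted. */
int simulate(int n_ticks, fault_t fault, int inject_tick) {
    proc_t a, m;
    uint8_t wire[MSG_LEN], last_tick_msg[MSG_LEN] = {0};
    init_proc(&a); init_proc(&m); last_reason = CHK_OK;
    for (int t = 0; t < n_ticks; t++) {
        if (t == inject_tick && fault == FAULT_IMAGE_BIT_FLIP) a.image[17] ^= 0x08;
        /* Processor-A: run the scheduled eBIST and send it as eBIST-Data-A in the Tick message */
        msg_t tm = { (uint16_t)t, ebist_seq[t % N_EBIST], 0 };
        if (t == inject_tick && fault == FAULT_WRONG_SEQUENCE) tm.ebist_id = ebist_seq[(t + 1) % N_EBIST];
        tm.result = run_ebist(&a, tm.ebist_id);
        msg_pack(&tm, wire);
        if (t == inject_tick && fault == FAULT_REPLAY) memcpy(wire, last_tick_msg, MSG_LEN);
        memcpy(last_tick_msg, wire, MSG_LEN);
        /* Processor-M: check eBIST-Data-A; on failure Control-M goes to its Fail-Safe State */
        if ((last_reason = check_peer(&m, wire)) != CHK_OK) return t;
        /* Processor-M: run its own eBIST and return it as eBIST-Data-M in the Ack message */
        msg_t am = { (uint16_t)t, ebist_seq[t % N_EBIST], 0 };
        am.result = run_ebist(&m, am.ebist_id);
        msg_pack(&am, wire);
        if ((last_reason = check_peer(&a, wire)) != CHK_OK) return t;   /* Output-A to Fail-Safe */
    }
    return -1;
}
int last_check_reason(void) { return last_reason; }

int main(void) {
    printf("no fault: %d\n", simulate(12, FAULT_NONE, 0));
    printf("bit flip at tick 4: fail-safe at tick %d\n", simulate(12, FAULT_IMAGE_BIT_FLIP, 4));
    printf("wrong eBIST at tick 2: fail-safe at tick %d\n", simulate(12, FAULT_WRONG_SEQUENCE, 2));
    printf("replayed frame at tick 5: fail-safe at tick %d\n", simulate(12, FAULT_REPLAY, 5));
    return 0;
}
```

The bit flip injected at tick 4 is only caught at tick 6, the next time the image eBIST comes round in the pre-determined sequence; that gap is the diagnostic latency the eBIST interval has to be chosen against. The sequence and tick checks are what stop a processor that is stuck re-sending an old, correct-looking report from passing as healthy: a frame with the right CRC and the right result is still rejected if it carries the wrong tick number or the wrong eBIST for that tick.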
Aptly, the computer system is arranged to have an Input-A that is adapted to enable Processor-A to acquire data for any tasks that execute on Processor-A.
Aptly, the Input-A comprises one or more digital input pins on Processor-A plus any associated external interfacing hardware that may be required to adapt voltages in the system environment to meet the voltage requirements of the digital input pins.
Aptly, the Input-A comprises one or more analogue input pins on Processor-A plus any associated external interfacing hardware that may be required to adapt voltages in the system environment to meet the voltage requirements of the analogue input pins and provide any necessary filtering of input signals.
Aptly, the Input-A comprises a software and hardware interface to one or more serial communication buses (such as CAN or Ethernet or ‘RS-232’ or SPI).
Aptly, the Output-A is adapted to enable Processor-A to generate any safety-related outputs from the computer system that have been determined by Processor-A if—by means of tasks, ePOSTs, eBISTs and Monitor-A—Processor-A determines that it is operating correctly and if—by means of tasks and eBIST-Data-M messages—Processor-A determines that Processor-M is also operating correctly.
Aptly, the Output-A is set to a Fail-Safe-State if Processor-A determines—by means of ePOST-Data-M messages—that Processor-M has failed an ePOST.
Aptly, the Output-A is set to a Fail-Safe-State if Processor-A determines—by means of eBIST-Data-M messages—that Processor-M has failed an eBIST.
Aptly, the Output-A comprises one or more digital output pins on Processor-A plus any associated external interfacing hardware that may be required to adapt voltages in the system environment to meet the voltage requirements of the digital output pins.
Aptly, a Fail-Safe State on any digital output pins will be a 0V output.
Aptly, the Output-A comprises one or more analogue output pins on Processor-A plus any associated external interfacing hardware that may be required to adapt voltages in the system environment to meet the voltage requirements of the analogue output pins and provide any necessary filtering of output signals.
Aptly, a Fail-Safe State on any analogue output pins will be a 0V output.
Aptly, the Output-A comprises a software and hardware interface to one or more serial communication buses (such as CAN or Ethernet or ‘RS-232’ or SPI).
Aptly, a Fail-Safe State on any communication buses will mean that no messages are sent by Processor-A on the bus concerned.
Aptly, the Monitor-A is adapted to enable Processor-A to determine whether Output-A is in its required state.
Aptly, the Monitor-A comprises one or more digital input pins on Processor-A plus any associated external interfacing hardware that may be required to adapt voltages from one or more digital output pins on Output-A to meet the voltage requirements of the digital input pins on Processor-A.
Aptly, the Monitor-A comprises one or more analogue input pins on Processor-A plus any associated external interfacing hardware that may be required to adapt voltages from one or more analogue output pins on Output-A to meet the voltage requirements of the analogue input pins on Processor-A.
Aptly, the Monitor-A comprises a software and hardware interface to one or more communication buses (such as CAN or Ethernet or ‘RS-232’ or SPI) that are connected to Processor-A in a manner that allows Processor-A to monitor any communications on the one or more communication buses.
Aptly, Control-M is adapted to ensure that any and all safety-related outputs from the computer system are held in a safe state if—by means of eBIST-Data-A messages—Processor-M determines that Processor-A may not be operating correctly, or if—by means of ePOSTs or eBISTs or Monitor-M—Processor-M determines that it may not be operating correctly.
Aptly, the Control-M is set to a Fail-Safe-State if Processor-M determines—by means of ePOST-Data-A messages—that Processor-A has failed an ePOST.
Aptly, the Control-M is set to a Fail-Safe-State if Processor-M determines—by means of eBIST-Data-A messages—that Processor-A has failed an eBIST.
Aptly, the Control-M comprises one or more digital switches that provide a means of disabling one or more digital output pins on Processor-A.
Aptly, a Fail-Safe State on any digital output pins will be a 0V output.
Aptly, the Control-M comprises one or more analogue switches that provide a means of disabling one or more analogue output pins on Processor-A.
Aptly, a Fail-Safe State on any analogue output pins will be a 0V output.
Aptly, the Control-M comprises one or more digital switches that provide a means of disabling transceivers that provide a link to one or more serial communication buses (such as CAN or Ethernet or ‘RS-232’ or SPI), thereby allowing Processor-M to prevent Processor-A from sending any messages on said communication buses when Control-M is in a Fail-Safe State.
Aptly, the Monitor-M is adapted to determine whether Control-M is in its required state.
Aptly, the Monitor-M comprises one or more digital input pins on Processor-M plus any associated external interfacing hardware that may be required to adapt voltages in the system environment to meet the voltage requirements of the digital input pins on Processor-M.
Aptly, the Monitor-M comprises one or more analogue input pins on Processor-M plus any associated external interfacing hardware that may be required to adapt voltages in the system environment to meet the voltage requirements of the analogue input pins and provide any necessary filtering of input signals.
Aptly, the Monitor-M comprises a software and hardware interface to one or more communication buses (such as CAN or Ethernet or ‘RS-232’ or SPI) that are connected to Processor-A in a manner that allows Processor-M to monitor any communications on the one or more communication buses.
According to a fifth aspect of the present invention there is provided a time-triggered computer system comprising:
Aptly, the Processor-A comprises one or more “soft” or “hard” processor cores (that execute some software) and/or one or more hardware cores (that do not execute any software).
Aptly, the Processor-A comprises one or more processor cores on one or more commercial-off-the-shelf (COTS) microcontrollers or microprocessors, Digital Signal Processors (DSP), Field-Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs) or similar devices.
Aptly, the Processor-A comprises a time-triggered scheduler.
Aptly, Processor-A comprises a time-triggered cooperative (TTC) scheduler or a time-triggered hybrid (TTH) scheduler.
Aptly, the Processor-B comprises one or more “soft” or “hard” processor cores (that execute some software) and/or one or more hardware cores (that do not execute any software).
Aptly, the Processor-B comprises one or more processor chips, such as a commercial-off-the-shelf (COTS) microcontroller or microprocessor, Digital Signal Processor (DSP), Field-Programmable Gate Array (FPGA), Application Specific Integrated Circuit (ASIC) or similar devices.
Aptly, the Processor-B comprises one or more processor cores on one or more commercial-off-the-shelf (COTS) microcontrollers or microprocessors, Digital Signal Processors (DSP), Field-Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs) or similar devices.
Aptly, the Processor-B comprises a time-triggered scheduler.
Aptly, Processor-B comprises a time-triggered cooperative (TTC) scheduler or a time-triggered hybrid (TTH) scheduler.
Aptly, the Processor-B checks the results of ePOSTs and eBISTs that are performed on Processor-A while Processor-A checks the results of ePOSTs and eBISTs that are performed on Processor-B.
Aptly, the Processor-A performs ePOSTs (that may involve a processor reset) and reports data from each ePOST to the Processor-B by means of the ePOST-Data-A messages that are sent over a Communication Channel; and Processor-B then compares the contents of each ePOST-Data-A message with the expected results of the corresponding ePOST; by means of this comparison, Processor-B determines whether the ePOST performed on Processor-A has passed or has failed.
Aptly, the Processor-A will perform eBISTs during its normal operation that do not require processor resets and will report data from each eBIST to Processor-B by means of eBIST-Data-A messages that are sent over a Communication Channel; Processor-B will then compare the contents of each eBIST-Data-A message with the expected results of the corresponding eBIST; by means of this comparison, Processor-B will determine whether the eBIST performed on Processor-A has passed or has failed.
Aptly, the Processor-A performs one or more eBISTs that include performing a processor reset.
Aptly, the Processor-B will perform ePOSTs (that may involve a processor reset) and will report data from each ePOST to Processor-A by means of ePOST-Data-B messages that are sent over a Communication Channel; Processor-A will then compare the contents of each ePOST-Data-B message with the expected results of the corresponding ePOST; by means of this comparison, Processor-A will determine whether the ePOST performed on Processor-B has passed or has failed.
Aptly, the Processor-B will perform eBISTs during its normal operation that do not require processor resets and will report data from each eBIST to Processor-A by means of eBIST-Data-B messages that are sent over a Communication Channel; Processor-A will then compare the contents of each eBIST-Data-B message with the expected results of the corresponding eBIST; by means of this comparison, Processor-A will determine whether the eBIST performed on Processor-B has passed or has failed.
Aptly, the Processor-B performs one or more eBISTs that include performing a processor reset.
Aptly, the computer system is arranged to have a Communication Channel that is adapted to support the transmission of ePOST-Data-A messages and eBIST-Data-A messages between Processor-A and Processor-B, and to support the transmission of ePOST-Data-B messages and eBIST-Data-B messages between Processor-B and Processor-A.
Aptly, the Communication Channel is used to synchronise the activities on Processor-A and Processor-B using a form of Shared-Clock Scheduler.
Aptly, data transfers between Processor-A and Processor-B are supported by means of Tick Messages sent from Processor-A to Processor-B.
Aptly, data transfers between Processor-B and Processor-A will be supported by means of Ack Messages sent from Processor-B to Processor-A.
Aptly, the Communication Channel comprises a standard serial protocol that is suitable for short-distance communication, such as ‘RS-232’ or SPI.
Aptly, the Input-A is adapted to enable Processor-A to acquire data for any tasks that execute on Processor-A.
Aptly, the Input-A comprises one or more digital input pins on Processor-A plus any associated external interfacing hardware that may be required to adapt voltages in the system environment to meet the voltage requirements of the digital input pins.
Aptly, the Input-A comprises one or more analogue input pins on Processor-A plus any associated external interfacing hardware that may be required to adapt voltages in the system environment to meet the voltage requirements of the analogue input pins and provide any necessary filtering of input signals.
Aptly, the Input-A comprises a software and hardware interface to one or more serial communication buses (such as CAN or Ethernet or ‘RS-232’ or SPI).
Aptly, the Output-A is adapted to enable Processor-A to generate any safety-related outputs from the computer system that have been determined by Processor-A if—by means of tasks, ePOSTs, eBISTs and Monitor-A—Processor-A determines that it is operating correctly and if—by means of tasks and eBIST-Data-B messages—Processor-A determines that Processor-B is also operating correctly.
Aptly, the Output-A will be set to a Fail-Safe-State if Processor-A determines
Aptly, the Output-A will be set to a Fail-Safe-State if Processor-A determines
Aptly, the Output-A comprises one or more digital output pins on Processor-A plus any associated external interfacing hardware that may be required to adapt voltages in the system environment to meet the voltage requirements of the digital output pins.
Aptly, a Fail-Safe State on any digital output pins will be a 0V output.
Aptly, the Output-A comprises one or more analogue output pins on Processor-A plus any associated external interfacing hardware that may be required to adapt voltages in the system environment to meet the voltage requirements of the analogue output pins and provide any necessary filtering of output signals.
Aptly, a Fail-Safe State on any analogue output pins will be a 0V output.
Aptly, the Output-A comprises a software and hardware interface to one or more serial communication buses (such as CAN or Ethernet or ‘RS-232’ or SPI).
Aptly, a Fail-Safe State on any communication buses will mean that no messages are sent by Processor-A on the bus concerned.
Aptly, the Monitor-A is adapted to enable Processor-A to determine whether Output-A is in its required state.
Aptly, the Monitor-A is connected to one or more digital output pins on Output-A and comprises one or more digital input pins on Processor-A plus any associated external interfacing hardware that may be required to adapt voltages in the system environment to meet the voltage requirements of the digital input pins.
Aptly, the Monitor-A is connected to one or more analogue output pins on Output-A and comprises one or more analogue input pins on Processor-A plus any associated external interfacing hardware that may be required to adapt voltages in the system environment to meet the voltage requirements of the analogue input pins and provide any necessary filtering of input signals.
Aptly, the Monitor-A comprises a software and hardware interface to one or more communication buses (such as CAN or Ethernet or ‘RS-232’ or SPI) that are connected to Processor-A in a manner that allows Processor-A to monitor any communications on the one or more communication buses.
Aptly, the Control-B is adapted to ensure that any and all safety-related outputs from the computer system are held in a safe state if—by means of eBIST-Data-A messages—Processor-B determines that Processor-A may not be operating correctly, or if—by means of ePOSTs or eBISTs or Monitor-B—Processor-B determines that it may not be operating correctly.
Aptly, the Control-B is set to a Fail-Safe-State if Processor-B determines—by means of ePOST-Data-A messages—that Processor-A has failed an ePOST.
Aptly, the Control-B is set to a Fail-Safe-State if Processor-B determines—by means of eBIST-Data-A messages—that Processor-A has failed an eBIST.
Aptly, the Control-B comprises one or more digital switches that provide a means of disabling one or more digital output pins on Processor-A.
Aptly, a Fail-Safe State on any digital output pins will be a 0V output.
Aptly, the Control-B comprises one or more analogue switches that provide a means of disabling one or more analogue output pins on Processor-A.
Aptly, a Fail-Safe State on any analogue output pins will be a 0V output.
Aptly, the Control-B comprises one or more digital switches that provide a means of disabling transceivers that provide a link to one or more serial communication buses (such as CAN or Ethernet or ‘RS-232’ or SPI), thereby allowing Processor-B to prevent Processor-A from sending any messages on said communication buses when Control-B is in a Fail-Safe State.
Aptly, the Monitor-B is adapted to enable Processor-B to determine whether Output-A is in its required state and whether Control-B is in its required state.
Aptly, the Monitor-B comprises one or more digital input pins on Processor-B plus any associated external interfacing hardware that may be required to adapt voltages from one or more digital output pins on Output-A and Control-B to meet the voltage requirements of the digital input pins on Processor-B.
Aptly, the Monitor-B comprises one or more analogue input pins on Processor-B plus any associated external interfacing hardware that may be required to adapt voltages from one or more analogue output pins on Output-A and Control-B to meet the voltage requirements of the analogue input pins on Processor-B and provide any necessary filtering of input signals.
Aptly, the Monitor-B comprises a software and hardware interface to one or more communication buses (such as CAN or Ethernet or ‘RS-232’ or SPI) that are connected to Processor-A or Processor-B in a manner that allows Processor-B to monitor any communications on the one or more communication buses.
Aptly, the Input-B is adapted to enable Processor-B to acquire data for any tasks that execute on Processor-B.
Aptly, the Input-B comprises one or more digital input pins on Processor-B plus any associated external interfacing hardware that may be required to adapt voltages in the system environment to meet the voltage requirements of the digital input pins.
Aptly, the Input-B comprises one or more analogue input pins on Processor-B plus any associated external interfacing hardware that may be required to adapt voltages in the system environment to meet the voltage requirements of the analogue input pins and provide any necessary filtering of input signals.
Aptly, the Input-B comprises a software and hardware interface to one or more serial communication buses (such as CAN or Ethernet or ‘RS-232’ or SPI).
According to a sixth aspect of the present invention there is provided a time-triggered computer system comprising:
Aptly, the Processor-A comprises one or more “soft” or “hard” processor cores (that execute some software) and/or one or more hardware cores (that do not execute any software).
Aptly, the Processor-A comprises one or more processor cores on one or more commercial-off-the-shelf (COTS) microcontrollers or microprocessors, Digital Signal Processors (DSP), Field-Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs) or similar devices.
Aptly, the Processor-A comprises a time-triggered scheduler.
Aptly, Processor-A comprises a time-triggered cooperative (TTC) scheduler or a time-triggered hybrid (TTH) scheduler.
Aptly, the Processor-B comprises one or more “soft” or “hard” processor cores (that execute some software) and/or one or more hardware cores (that do not execute any software).
Aptly, the Processor-B comprises one or more processor chips, such as a commercial-off-the-shelf (COTS) microcontroller or microprocessor, Digital Signal Processor (DSP), Field-Programmable Gate Array (FPGA), Application Specific Integrated Circuit (ASIC) or similar devices.
Aptly, the Processor-B comprises one or more processor cores on one or more commercial-off-the-shelf (COTS) microcontrollers or microprocessors, Digital Signal Processors (DSP), Field-Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs) or similar devices.
Aptly, the Processor-B comprises a time-triggered scheduler.
Aptly, Processor-B comprises a time-triggered cooperative (TTC) scheduler or a time-triggered hybrid (TTH) scheduler.
Aptly, the Processor-B checks the results of ePOSTs and eBISTs that are performed on Processor-A while Processor-A checks the results of ePOSTs and eBISTs that are performed on Processor-B.
Aptly, the Processor-A performs ePOSTs (that may involve a processor reset) and reports data from each ePOST to the Processor-B by means of the ePOST-Data-A messages that are sent over a Communication Channel; and Processor-B then compares the contents of each ePOST-Data-A message with the expected results of the corresponding ePOST; by means of this comparison, Processor-B determines whether the ePOST performed on Processor-A has passed or has failed.
Aptly, the Processor-A will perform eBISTs during its normal operation that do not require processor resets and will report data from each eBIST to Processor-B by means of eBIST-Data-A messages that are sent over a Communication Channel; Processor-B will then compare the contents of each eBIST-Data-A message with the expected results of the corresponding eBIST; by means of this comparison, Processor-B will determine whether the eBIST performed on Processor-A has passed or has failed.
Aptly, the Processor-A performs one or more eBISTs that include performing a processor reset.
Aptly, the Processor-B will perform ePOSTs (that may involve a processor reset) and will report data from each ePOST to Processor-A by means of ePOST-Data-B messages that are sent over a Communication Channel; Processor-A will then compare the contents of each ePOST-Data-B message with the expected results of the corresponding ePOST; by means of this comparison, Processor-A will determine whether the ePOST performed on Processor-B has passed or has failed.
Aptly, the Processor-B will perform eBISTs during its normal operation that do not require processor resets and will report data from each eBIST to Processor-A by means of eBIST-Data-B messages that are sent over a Communication Channel; Processor-A will then compare the contents of each eBIST-Data-B message with the expected results of the corresponding eBIST; by means of this comparison, Processor-A will determine whether the eBIST performed on Processor-B has passed or has failed.
Aptly, the Processor-B performs one or more eBISTs that include performing a processor reset.
Aptly, the computer system is arranged to have a Communication Channel that is adapted to support the transmission of ePOST-Data-A messages and eBIST-Data-A messages between Processor-A and Processor-B, and to support the transmission of ePOST-Data-B messages and eBIST-Data-B messages between Processor-B and Processor-A.
Aptly, the Communication Channel is used to synchronise the activities on Processor-A and Processor-B using a form of Shared-Clock Scheduler.
Aptly, data transfers between Processor-A and Processor-B are supported by means of Tick Messages sent from Processor-A to Processor-B.
Aptly, data transfers between Processor-B and Processor-A will be supported by means of Ack Messages sent from Processor-B to Processor-A.
Aptly, the Communication Channel comprises a standard serial protocol that is suitable for short-distance communication, such as ‘RS-232’ or SPI.
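The mutual ePOST/eBIST cross-check described for the fifth and sixth aspects above (a Tick Message from Processor-A to Processor-B carrying eBIST-Data-A, an Ack Message from Processor-B to Processor-A carrying eBIST-Data-B, and each processor comparing the received data with the expected result for that test) is illustrated here in C as an added example; it is not code from the patent or from the applicant. The text does not define the message layout, the test identifiers, the expected values or how many missing Ack Messages are tolerated, so all of those are assumptions, and the expected values are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example: Tick/Ack exchange with eBIST cross-checking on both sides.
 * Message layouts, test ids, expected values and the missed-Ack budget are
 * assumptions; the page does not specify them. */

#define EBIST_COUNT     3
#define MAX_MISSED_ACKS 2   /* assumed: the third consecutive missing Ack forces Fail-Safe */

/* Tick Message: Processor-A -> Processor-B, carries eBIST-Data-A */
typedef struct {
    uint16_t tick_id;      /* shared-clock tick number */
    uint8_t  ebist_id;     /* which eBIST this result belongs to */
    uint32_t ebist_data;   /* eBIST-Data-A, e.g. a checksum or signature */
} tick_msg_t;

/* Ack Message: Processor-B -> Processor-A, carries eBIST-Data-B */
typedef struct {
    uint16_t tick_id;      /* must echo the Tick Message it answers */
    uint8_t  ebist_id;
    uint32_t ebist_data;   /* eBIST-Data-B */
} ack_msg_t;

/* Expected eBIST results held by the *checking* processor (constructed values) */
static const uint32_t expected_a[EBIST_COUNT] = {0xA5A5A5A5u, 0x12345678u, 0x0000FFFFu};
static const uint32_t expected_b[EBIST_COUNT] = {0x5A5A5A5Au, 0x87654321u, 0xFFFF0000u};

typedef enum { STATE_NORMAL = 0, STATE_FAIL_SAFE = 1 } sys_state_t;

typedef struct {
    sys_state_t state;       /* latched: once Fail-Safe, stays Fail-Safe */
    uint16_t    last_tick;   /* last tick id accepted (Processor-B side) */
    uint8_t     missed_acks; /* consecutive ticks without an Ack (Processor-A side) */
} checker_t;

static bool result_matches(const uint32_t *expected, uint8_t id, uint32_t data) {
    if (id >= EBIST_COUNT) return false;   /* an unknown test id counts as a failure */
    return data == expected[id];
}

/* Processor-B side: called on receipt of each Tick Message.
 * Returns the state that Control-B should adopt after this tick. */
sys_state_t processor_b_on_tick(checker_t *b, const tick_msg_t *t) {
    if (b->state == STATE_FAIL_SAFE) return b->state;
    if (t->tick_id != (uint16_t)(b->last_tick + 1)) {
        b->state = STATE_FAIL_SAFE;        /* lost or repeated tick: clock no longer shared */
        return b->state;
    }
    b->last_tick = t->tick_id;
    if (!result_matches(expected_a, t->ebist_id, t->ebist_data))
        b->state = STATE_FAIL_SAFE;        /* Processor-A has failed an eBIST */
    return b->state;
}

/* Processor-A side: called at the end of each tick, after the Tick Message
 * was sent. ack == NULL means no Ack Message arrived within the tick. */
sys_state_t processor_a_on_tick(checker_t *a, uint16_t tick, const ack_msg_t *ack) {
    if (a->state == STATE_FAIL_SAFE) return a->state;
    if (ack == NULL) {
        if (++a->missed_acks > MAX_MISSED_ACKS) a->state = STATE_FAIL_SAFE;
        return a->state;
    }
    a->missed_acks = 0;
    if (ack->tick_id != tick ||
        !result_matches(expected_b, ack->ebist_id, ack->ebist_data))
        a->state = STATE_FAIL_SAFE;        /* stale Ack, or Processor-B has failed an eBIST */
    return a->state;
}

int main(void) {
    checker_t a = {STATE_NORMAL, 0, 0}, b = {STATE_NORMAL, 0, 0};
    /* Tick 1: both processors report correct eBIST results */
    tick_msg_t t1 = {1, 0, 0xA5A5A5A5u};
    ack_msg_t  k1 = {1, 0, 0x5A5A5A5Au};
    printf("tick 1: B=%d A=%d\n", processor_b_on_tick(&b, &t1), processor_a_on_tick(&a, 1, &k1));
    /* Tick 2: Processor-B reports a wrong eBIST-Data-B value, so Processor-A goes Fail-Safe */
    tick_msg_t t2 = {2, 1, 0x12345678u};
    ack_msg_t  k2 = {2, 1, 0xDEADBEEFu};
    printf("tick 2: B=%d A=%d\n", processor_b_on_tick(&b, &t2), processor_a_on_tick(&a, 2, &k2));
    return 0;
}
```

A single missing Ack is not treated as a fault, so one corrupted frame on the serial link does not take the system down, but the budget is deliberately small because every tolerated tick adds to the time between a real fault and the Fail-Safe reaction. An Ack carrying a stale tick id is rejected immediately: a Shared-Clock Scheduler relies on the Ack answering the current tick, and accepting an old one would let a stuck or replayed message masquerade as a live, healthy peer.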
Aptly, the Input-A is adapted to enable Processor-A to acquire data for any tasks that execute on Processor-A.
Aptly, the Input-A comprises one or more digital input pins on Processor-A plus any associated external interfacing hardware that may be required to adapt voltages in the system environment to meet the voltage requirements of the digital input pins.
Aptly, the Input-A comprises one or more analogue input pins on Processor-A plus any associated external interfacing hardware that may be required to adapt voltages in the system environment to meet the voltage requirements of the analogue input pins and provide any necessary filtering of input signals.
Aptly, the Input-A comprises a software and hardware interface to one or more serial communication buses (such as CAN or Ethernet or ‘RS-232’ or SPI).
Aptly, the Output-A is adapted to enable Processor-A to generate any safety-related outputs from the computer system that have been determined by Processor-A if—by means of tasks, self tests and Monitor-A—Processor-A determines that it is operating correctly.
Aptly, the Output-A comprises one or more digital output pins on Processor-A plus any associated external interfacing hardware that may be required to adapt voltages in the system environment to meet the voltage requirements of the digital output pins.
Aptly, a Fail-Safe State on any digital output pins on Output-A will comprise a 0V output.
Aptly, the Output-A comprises one or more analogue output pins on Processor-A plus any associated external interfacing hardware that may be required to adapt voltages in the system environment to meet the voltage requirements of the analogue output pins and provide any necessary filtering of output signals.
Aptly, a Fail-Safe State on any analogue output pins on Output-A will comprise a 0V output.
Aptly, the Output-A comprises a software and hardware interface to one or more serial communication buses (such as CAN or Ethernet or ‘RS-232’ or SPI).
Aptly, a Fail-Safe State on any communication buses will mean that no messages are sent by Processor-A on the bus concerned.
Aptly, the Output-B is adapted to enable Processor-B to generate any safety-related outputs from the computer system that have been determined by Processor-B if—by means of tasks, self tests and Monitor-B—Processor-B determines that it is operating correctly and if—by means of tasks and eBIST-Data-A messages—Processor-B determines that Processor-A is not operating correctly.
Aptly, the Output-B comprises one or more digital output pins on Processor-A plus any associated external interfacing hardware that may be required to adapt voltages in the system environment to meet the voltage requirements of the digital output pins.
Aptly, the Fail-Safe State on any digital output pins on Output-B will comprise a 0V output.
Aptly, the Output-B comprises one or more analogue output pins on Processor-A plus any associated external interfacing hardware that may be required to adapt voltages in the system environment to meet the voltage requirements of the analogue output pins and provide any necessary filtering of output signals.
Aptly, a Fail-Safe State on any analogue output pins on Output-B will comprise a 0V output.
Aptly, the Output-B comprises a software and hardware interface to one or more serial communication buses (such as CAN or Ethernet or ‘RS-232’ or SPI).
Aptly, a Fail-Safe State on any communication buses will mean that no messages are sent by Processor-A on the bus concerned.
Aptly, the Monitor-A is adapted to enable Processor-A to determine whether Output-A and Output-B and System-Output are in their required states.
Aptly, the Monitor-A comprises one or more digital input pins on Processor-A plus any associated external interfacing hardware that may be required to adapt voltages from one or more digital output pins on Output-A, Output-B and System-Output to meet the voltage requirements of the digital input pins on Processor-A.
Aptly, the Monitor-A comprises one or more analogue input pins on Processor-A plus any associated external interfacing hardware that may be required to adapt voltages from one or more analogue output pins on Output-A, Output-B and System-Output to meet the voltage requirements of the analogue input pins on Processor-A and provide any necessary filtering of input signals.
Aptly, the Monitor-A comprises a software and hardware interface to one or more communication buses (such as CAN or Ethernet or ‘RS-232’ or SPI) that are connected to Processor-A or Processor-B or System-Output in a manner that allows Processor-A to monitor any communications on the one or more communication buses.
Aptly, the Monitor-B is adapted to enable Processor-B to determine whether Output-A and Output-B and System-Output are in their required states.
Aptly, the Monitor-B comprises one or more digital input pins on Processor-B plus any associated external interfacing hardware that may be required to adapt voltages from one or more digital output pins on Output-A, Output-B and System-Output to meet the voltage requirements of the digital input pins on Processor-B.
Aptly, the Monitor-B comprises one or more analogue input pins on Processor-B plus any associated external interfacing hardware that may be required to adapt voltages from one or more analogue output pins on Output-A, Output-B and System-Output to meet the voltage requirements of the analogue input pins on Processor-B and provide any necessary filtering of input signals.
Aptly, the Monitor-B comprises a software and hardware interface to one or more communication buses (such as CAN or Ethernet or ‘RS-232’ or SPI) that are connected to Processor-A or Processor-B or System-Output in a manner that allows Processor-B to monitor any communications on the one or more communication buses.
Aptly, the Control-A is adapted to ensure that any and all safety-related outputs from Output-A are held in a Fail-Safe State if—by means of self tests or Monitor-A—Processor-A determines that it may not be operating correctly.
Aptly, the Control-A comprises one or more digital switches that provide a means of disabling one or more digital output pins on Processor-A.
Aptly, a Fail-Safe State on any digital output pins on Control-A will comprise a 0V output.
Aptly, the Control-A comprises one or more analogue switches that provide a means of disabling one or more analogue output pins on Processor-A.
Aptly, a Fail-Safe State on any analogue output pins on Control-A will comprise a 0V output.
Aptly, the Control-A comprises one or more digital switches that provide a means of disabling transceivers that provide a link to one or more serial communication buses (such as CAN or Ethernet or ‘RS-232’ or SPI), thereby preventing Processor-A from sending any messages on said communication buses when Control-A is in a Fail-Safe State.
Aptly, the Control-B is adapted to ensure that any and all safety-related outputs from Output-A are held in a Fail-Safe State if—by means of self tests or Monitor-B—Processor-B determines that it may not be operating correctly.
Aptly, the Control-B comprises one or more digital switches that provide a means of disabling one or more digital output pins on Processor-B.
Aptly, the Fail-Safe State on any digital output pins on Control-B will comprise a 0V output.
Aptly, the Control-B comprises one or more analogue switches that provide a means of disabling one or more analogue output pins on Processor-B.
Aptly, a Fail-Safe State on any analogue output pins on Control-B will comprise a 0V output.
Aptly, the Control-B comprises one or more digital switches that provide a means of disabling transceivers that provide a link to one or more serial communication buses (such as CAN or Ethernet or ‘RS-232’ or SPI), thereby preventing Processor-B from sending any messages on said communication buses when Control-B is in a Fail-Safe State.
Aptly, the System-Output-Logic is adapted to determine a single set of outputs from the system based on a combination of the outputs from Output-A and Output-B.
Aptly, the System-Output-Logic comprises an OR (logic) operation for combining any digital outputs from Output-A and Output-B.
Aptly, the System-Output-Logic comprises an XOR (logic) operation for combining any digital outputs from Output-A and Output-B.
Aptly, the System-Output-Logic comprises one or more analogue switches that provide a means of combining any analogue outputs from Output-A and Output-B, thereby ensuring that only Processor-A or Processor-B (and not both) can generate analogue outputs at any given time.
Aptly, the System-Output-Logic comprises one or more digital switches that provide a means of disabling transceivers that provide a link to one or more serial communication buses (such as CAN or Ethernet or ‘RS-232’ or SPI), thereby ensuring that only Processor-A or Processor-B (and not both) can send messages on said communication buses at any time.
Aptly, all System-Output-Logic outputs will be set to a Fail-Safe-State if Processor-A determines—by means of ePOST-Data-B messages—that Processor-B has failed an ePOST and that Processor-B has failed to enter a Fail-Safe State after failing the ePOST.
Aptly, all System-Output-Logic outputs will be set to a Fail-Safe-State if Processor-A determines—by means of eBIST-Data-B messages—that Processor-B has failed an eBIST and that Processor-B has failed to enter a Fail-Safe State after failing the eBIST.
Aptly, all System-Output-Logic outputs will be set to a Fail-Safe-State if Processor-B determines—by means of ePOST-Data-A messages—that Processor-A has failed an ePOST and that Processor-A has failed to enter a Fail-Safe State after failing the ePOST.
Aptly, all System-Output-Logic outputs will be set to a Fail-Safe-State if Processor-B determines—by means of eBIST-Data-A messages—that Processor-A has failed an eBIST and that Processor-A has failed to enter a Fail-Safe State after failing the eBIST.
Aptly, a Fail-Safe State on any digital output pins on System-Output-Logic will comprise a 0V output.
Aptly, a Fail-Safe State on any analogue output pins on System-Output-Logic will comprise a 0V output.
Aptly, a Fail-Safe State on any serial communication buses (such as CAN or Ethernet or ‘RS-232’ or SPI) that form part of the System-Output-Logic will comprise a state in which neither Processor-A nor Processor-B can send any messages on said communication buses.
Aptly, the System-Output is adapted to generate a fail-operational output from the system based on the calculations performed by the System-Output-Logic.
Aptly, the System-Output comprises one or more digital output pins plus any associated external interfacing hardware that may be required to adapt voltages in the system environment to meet the voltage requirements of the digital output pins.
Aptly, a Fail-Safe State on any digital output pins on System-Output will comprise a 0V output.
Aptly, the System-Output comprises one or more analogue output pins plus any associated external interfacing hardware that may be required to adapt voltages in the system environment to meet the voltage requirements of the analogue output pins and provide any necessary filtering of output signals.
Aptly, a Fail-Safe State on any analogue output pins on System-Output will comprise a 0V output.
Aptly, the System-Output comprises a software and hardware interface to one or more serial communication buses (such as CAN or Ethernet or ‘RS-232’ or SPI).
Aptly, a Fail-Safe State on any communication buses will mean that no messages are sent by the computer system on the bus concerned.
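The fail-operational combination performed by the System-Output-Logic of the sixth aspect (Output-A generated while Processor-A judges itself correct; Output-B generated only while Processor-B judges itself correct and has determined that Processor-A is not operating correctly; an OR combination of the digital outputs; exclusive selection of a single source for analogue outputs and buses; and all system outputs forced to a Fail-Safe State when a processor has failed an ePOST or eBIST but has not entered a Fail-Safe State) is shown here in C as an added example. It is not code from the patent or the applicant; the per-processor summary structure, the use of one bit per digital output pin and the scenario values are assumptions made for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example: System-Output-Logic for a set of digital output pins (one bit
 * per pin) plus source selection for analogue outputs and buses. The way each
 * processor's self-test, Monitor and cross-check results are summarised in
 * proc_view_t is an assumption; the page does not define such a structure. */

typedef struct {
    bool    healthy;          /* self tests and Monitor-X: this processor is operating correctly */
    bool    in_fail_safe;     /* Control-X has placed this processor's outputs in Fail-Safe State */
    bool    peer_failed_test; /* ePOST/eBIST data received from the peer failed comparison */
    uint8_t digital_out;      /* value the processor's tasks want to drive, one bit per pin */
} proc_view_t;

typedef enum { SRC_NONE = 0, SRC_A = 1, SRC_B = 2 } output_source_t;

/* Output-A is generated only while Processor-A judges itself to be operating correctly */
uint8_t output_a(const proc_view_t *a) {
    return (a->healthy && !a->in_fail_safe) ? a->digital_out : 0u;
}

/* Output-B is generated only while Processor-B judges itself correct AND has
 * determined that Processor-A is not operating correctly (takeover) */
uint8_t output_b(const proc_view_t *b) {
    return (b->healthy && !b->in_fail_safe && b->peer_failed_test) ? b->digital_out : 0u;
}

/* A processor that failed a test but has not entered Fail-Safe State cannot be
 * relied on to keep its outputs silent, so the whole System-Output must go to
 * its Fail-Safe State (0V on pins, no messages on buses). */
static bool peer_failed_but_not_silenced(const proc_view_t *judge, const proc_view_t *peer) {
    return judge->peer_failed_test && !peer->in_fail_safe;
}

/* Digital System-Output: OR combination of Output-A and Output-B */
uint8_t system_output_logic(const proc_view_t *a, const proc_view_t *b) {
    if (peer_failed_but_not_silenced(a, b) || peer_failed_but_not_silenced(b, a))
        return 0u;                                   /* Fail-Safe State: 0V on every pin */
    return (uint8_t)(output_a(a) | output_b(b));
}

/* Analogue outputs and bus transceivers: exactly one processor, or neither,
 * is connected at any time. */
output_source_t system_output_select(const proc_view_t *a, const proc_view_t *b) {
    if (peer_failed_but_not_silenced(a, b) || peer_failed_but_not_silenced(b, a))
        return SRC_NONE;
    if (a->healthy && !a->in_fail_safe) return SRC_A;
    if (b->healthy && !b->in_fail_safe && b->peer_failed_test) return SRC_B;
    return SRC_NONE;
}

int main(void) {
    /* Scenario values are constructed for the example */
    proc_view_t a_ok      = {true,  false, false, 0x05};  /* A healthy, drives 0b101 */
    proc_view_t b_standby = {true,  false, false, 0x03};  /* B healthy, standing by */
    proc_view_t a_safe    = {false, true,  false, 0x05};  /* A failed a test and went Fail-Safe */
    proc_view_t b_takeover= {true,  false, true,  0x03};  /* B saw A fail, takes over */
    proc_view_t a_stuck   = {false, false, false, 0x05};  /* A failed a test but did NOT go Fail-Safe */

    printf("normal:     out=0x%02X src=%d\n", system_output_logic(&a_ok, &b_standby),  system_output_select(&a_ok, &b_standby));
    printf("takeover:   out=0x%02X src=%d\n", system_output_logic(&a_safe, &b_takeover), system_output_select(&a_safe, &b_takeover));
    printf("A stuck:    out=0x%02X src=%d\n", system_output_logic(&a_stuck, &b_takeover), system_output_select(&a_stuck, &b_takeover));
    return 0;
}
```

The third scenario is the one that distinguishes a fail-operational design from a simple hot standby: Processor-B has correctly diagnosed Processor-A, but because Processor-A is still asserting outputs, the OR combination would let a faulty processor's value reach the System-Output. The logic therefore refuses to hand over and forces the Fail-Safe State instead, which is exactly the condition stated for the System-Output-Logic outputs above.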
According to a seventh aspect of the present invention there is provided a time-triggered computer system comprising:
Aptly, the first processor core is further adapted to:
Aptly, the first monitoring process is a Task Execution Time Monitoring Mechanism (TETMM) or is a mechanism for checking the task execution sequence (as documented in Reference 2), or is a mechanism for checking the operation of analogue-to-digital converters, or is a mechanism for checking the clock frequency of the first processor, or is a mechanism for performing checks on the ability of the first processor to execute its defined instruction set, or is a mechanism for checking duplicated variables (as defined in Reference 2) that are employed in the first processor, or is a mechanism for checking the operating voltage of the first processor, or is a mechanism for checking the operating temperature of the first processor, or is a mechanism for checking the operation of one or more external watchdog controllers (see Reference 2) that are connected to the first processor, or is a mechanism for checking the operation of the interrupts on the first processor, or is a mechanism for checking the operation of a watchdog timer that is incorporated in the first processor or is external to the first processor, or is a mechanism for checking the memory in the first processor, or is a mechanism for checking for corruption in the registers in the first processor, or is a mechanism for checking for corruption in the software configuration in the first processor, or is a mechanism for checking for corruption in the stack in the first processor, or is a mechanism for performing timeout checks during the operation of the first processor (as defined in Reference 2).
Aptly, the first processor core is further adapted to:
Aptly, the first processor core is further adapted to:
Aptly, the first processor core is further adapted to:
Aptly, the first predetermined time period is the Process Safety Time or Fault Tolerant Time Interval.
Aptly, the first predetermined time period is equal to or less than 100 ms.
Aptly, the first predetermined time period is equal to or less than 90 ms, optionally 80 ms, optionally 70 ms, optionally 60 ms, optionally 50 ms, optionally 40 ms, optionally 30 ms, optionally 20 ms, optionally 10 ms.
Aptly, the second processor core is further adapted to:
Aptly, the second monitoring process is a Task Execution Time Monitoring Mechanism (TETMM) or is a mechanism for checking the task execution sequence (as documented in Reference 2), or is a mechanism for checking the operation of analogue-to-digital converters, or is a mechanism for checking the clock frequency of the second processor, or is a mechanism for performing checks on the ability of the second processor to execute its defined instruction set, or is a mechanism for checking duplicated variables (as defined in Reference 2) that are employed in the second processor, or is a mechanism for checking the operating voltage of the second processor, or is a mechanism for checking the operating temperature of the second processor, or is a mechanism for checking the operation of one or more external watchdog controllers (see Reference 2) that are connected to the second processor, or is a mechanism for checking the operation of the interrupts on the second processor, or is a mechanism for checking the operation of a watchdog timer that is incorporated in the second processor or is external to the second processor, or is a mechanism for checking the memory in the second processor, or is a mechanism for checking for corruption in the registers in the second processor, or is a mechanism for checking for corruption in the software configuration in the second processor, or is a mechanism for checking for corruption in the stack in the second processor, or is a mechanism for performing timeout checks during the operation of the second processor (as defined in Reference 2).
Aptly, the second processor core is further adapted to:
Aptly, the second processor core is further adapted to:
Aptly, the second processor core is further adapted to:
Aptly, the second predetermined time period is the Process Safety Time or Fault Tolerant Time Interval.
Aptly, the second predetermined time period is equal to or less than 100 ms.
Aptly, the second predetermined time period is equal to or less than 90 ms, optionally 80 ms, optionally 70 ms, optionally 60 ms, optionally 50 ms, optionally 40 ms, optionally 30 ms, optionally 20 ms, optionally 10 ms.
It will be appreciated that the features described hereinabove with respect to the first aspect of the present invention are also applicable to the seventh aspect of the present invention.
According to an eighth aspect of the present invention there is provided a computer-implemented method for determining if at least one Power-On Self-Test and/or Built-in Self-Test has passed or failed, comprising the steps of:
Aptly, the method further comprises:
Aptly, the first monitoring process is a Task Execution Time Monitoring Mechanism (TETMM) or is a mechanism for checking the task execution sequence (as documented in Reference 2), or is a mechanism for checking the operation of analogue-to-digital converters, or is a mechanism for checking the clock frequency of the first processor, or is a mechanism for performing checks on the ability of the first processor to execute its defined instruction set, or is a mechanism for checking duplicated variables (as defined in Reference 2) that are employed in the first processor, or is a mechanism for checking the operating voltage of the first processor, or is a mechanism for checking the operating temperature of the first processor, or is a mechanism for checking the operation of one or more external watchdog controllers (see Reference 2) that are connected to the first processor, or is a mechanism for checking the operation of the interrupts on the first processor, or is a mechanism for checking the operation of a watchdog timer that is incorporated in the first processor or is external to the first processor, or is a mechanism for checking the memory in the first processor, or is a mechanism for checking for corruption in the registers in the first processor, or is a mechanism for checking for corruption in the software configuration in the first processor, or is a mechanism for checking for corruption in the stack in the first processor, or is a mechanism for performing timeout checks during the operation of the first processor (as defined in Reference 2).
Aptly, the method further comprises:
Aptly, the method further comprises:
Aptly, the method further comprises:
Aptly, the first predetermined time period is the Process Safety Time or Fault Tolerant Time Interval.
Aptly, the first predetermined time period is equal to or less than 100 ms.
Aptly, the first predetermined time period is equal to or less than 90 ms, optionally 80 ms, optionally 70 ms, optionally 60 ms, optionally 50 ms, optionally 40 ms, optionally 30 ms, optionally 20 ms, optionally 10 ms.
Aptly, the method further comprises:
Aptly, the second monitoring process is a Task Execution Time Monitoring Mechanism (TETMM) or is a mechanism for checking the task execution sequence (as documented in Reference 2), or is a mechanism for checking the operation of analogue-to-digital converters, or is a mechanism for checking the clock frequency of the second processor, or is a mechanism for performing checks on the ability of the second processor to execute its defined instruction set, or is a mechanism for checking duplicated variables (as defined in Reference 2) that are employed in the second processor, or is a mechanism for checking the operating voltage of the second processor, or is a mechanism for checking the operating temperature of the second processor, or is a mechanism for checking the operation of one or more external watchdog controllers (see Reference 2) that are connected to the second processor, or is a mechanism for checking the operation of the interrupts on the second processor, or is a mechanism for checking the operation of a watchdog timer that is incorporated in the second processor or is external to the second processor, or is a mechanism for checking the memory in the second processor, or is a mechanism for checking for corruption in the registers in the second processor, or is a mechanism for checking for corruption in the software configuration in the second processor, or is a mechanism for checking for corruption in the stack in the second processor, or is a mechanism for performing timeout checks during the operation of the second processor (as defined in Reference 2).
Aptly, the method further comprises:
wherein a sequence of second BISTs and a time interval between respective second BISTs performed on the second monitoring process is predetermined.
Aptly, the method further comprises:
Aptly, the method further comprises:
Aptly, the second predetermined time period is the Process Safety Time or Fault Tolerant Time Interval.
Aptly, the second predetermined time period is equal to or less than 100 ms.
Aptly, the second predetermined time period is equal to or less than 90 ms, optionally 80 ms, optionally 70 ms, optionally 60 ms, optionally 50 ms, optionally 40 ms, optionally 30 ms, optionally 20 ms, optionally 10 ms.
It will be appreciated that the features described hereinabove with respect to the second aspect of the present invention are also applicable to the eighth aspect of the present invention.
According to a ninth aspect of the presently claimed invention there is provided a computer program comprising instructions which, when executed by a computer, cause the computer to carry out the steps of the method according to the eighth aspect of the present invention.
According to a tenth aspect of the present invention there is provided a time-triggered computer system comprising:
According to an eleventh aspect of the present invention there is provided a time-triggered computer system comprising:
Certain embodiments of the present invention provide a computer system that executes scheduled tasks with increased reliability and a reduced likelihood of a critical failure.
Certain embodiments of the present invention provide a computer system with a reduced likelihood of disruption as the need for processor resets is reduced.
Certain embodiments of the present invention provide a computer system that executes scheduled tasks with a higher level of diagnostic coverage.
Certain embodiments of the present invention provide a computer system and associated method that enables a series of Built-In Self-Tests to be performed and checked within the PST/FTTI.
Certain embodiments of the present invention provide a more reliable time-triggered computer system.
Certain embodiments of the present invention provide a computer system for use in safety critical environments, which has a lower likelihood of critical failure and thus improved safety.
Certain embodiments of the present invention provide a computer system which has a lower likelihood of failure and thus improved reliability.
Certain embodiments of the present invention provide a computer system with two processors or processor cores that each perform tasks according to a predetermined task schedule.
Certain embodiments of the present invention provide a computer system with two processors or processor cores that each perform tasks according to a predetermined task schedule and that can each control external devices via their respective outputs.
Certain embodiments of the present invention provide a computer system with a first processor or first processor core that performs POSTs and BISTs, with the results of these tests being checked independently by a second processor or processor core.
Certain embodiments of the present invention provide a computer system with two processors or processor cores that perform POSTs and BISTs, whereby each processor or processor core performs an independent cross-check of the results of the POSTs and BISTs performed by the other processor or processor core.
Certain embodiments of the present invention provide a computer system with a first and second processor (or processor core), whereby the second processor (or processor core) can place the system into a safe state if it determines that the first processor (or processor core) has failed a POST or BIST.
Certain embodiments of the present invention provide a computer system with fail-operational behaviour, whereby a first processor (or processor core) can continue to operate in the event that a second processor (or processor core) stops operating correctly.
Embodiments of the present invention will now be described hereinafter, by way of example only, with reference to the accompanying drawings in which:
In the drawings like reference numerals refer to like parts.
Certain embodiments of the present invention can be implemented in order to improve the safety and reliability of computer systems that comprise one or more processors, some or all of which have been configured to run tasks according to a predetermined task schedule. It will be appreciated that whilst the following embodiments are described with respect to a system having two processors, other embodiments of the present invention may make use of a system with two processor cores which execute the same or similar steps as the examples with two processors.
In each of these system modes, Processor-A performs one or more BISTs without performing a processor reset. Processor-A then reports data (first data) from each BIST to Processor-M 502 by means of BIST-Data-A messages 504 that are transmitted over the Communication Channel 503 as part of one or more messages sent between Processor-A and Processor-M. In each of these system modes, Processor-A also compares the contents of BIST-Data-M messages 505 (sent by Processor-M over the Communication Channel as part of one or more messages sent between Processor-M and Processor-A) with data (fourth data) about the expected results from each of a series of BISTs performed by Processor-M. In certain embodiments of the present invention, in each of these system modes Processor-A may also perform one or more BISTs that include performing a processor reset. However, a processor reset is not always required when performing a BIST. In each of these system modes, Processor-A also executes one or more tasks according to a predetermined task schedule.
Computer system 500 also has a Processor-M 502 adapted to perform a series of POSTs which involves a processor reset. However, a processor reset is not always required when performing a POST. Processor-M then reports data (third data) from each POST to Processor-A 501 by means of POST-Data-M messages 505 that are transmitted over the Communication Channel 503 as part of one or more messages sent between Processor-M and Processor-A. Processor-M is also adapted to compare the contents of POST-Data-A messages 504 (sent by Processor-A over a Communication Channel as part of one or more messages sent between Processor-A and Processor-M) with data (second data) about the expected results from each of a series of POSTs performed by Processor-A. Thereafter, Processor-M is adapted to operate in one of one or more pre-determined system modes.
In each of these system modes, Processor-M performs one or more BISTs without performing a processor reset and reports data (third data) from each BIST to Processor-A by means of BIST-Data-M messages 504 sent over the Communication Channel. In each system mode, Processor-M is further adapted to compare the contents of BIST-Data-A messages 504 sent by Processor-A over the Communication Channel 503 with data (second data) about the expected results from each of a series of BISTs performed by Processor-A. In certain embodiments of the present invention, in each system mode Processor-M also performs one or more BISTs that include performing a processor reset. However, a processor reset is not always required when performing a BIST.
Also included within the computer system 500 is a memory element (not shown) that stores the software to be executed by the first processor and the second processor. This includes the software associated with each of the POSTs and each of the BISTs and the software associated with the predetermined task schedule to be executed on the first processor. It will be appreciated that according to certain other embodiments of the present invention, multiple memory elements may be provided that each store the respective software to be executed on a specific processor. It will also be appreciated that these memory elements may be external or internal to the first and second processors. For example, the first and second processor may each have their own internal memory element.
Also included within the computer system 500 is the Communication Channel 503 adapted to support the transmission of messages between Processor-A and Processor-M, and to support the transmission of messages between Processor-M and Processor-A. That is to say, the Communication Channel is bi-directional.
The computer system 500 also includes a first input (referred to as Input-A) 506 adapted to enable Processor-A to acquire data for any tasks that execute on Processor-A and a first output (referred to as Output-A) 507 adapted to enable Processor-A to generate any safety-related outputs from the computer system. These outputs are generated if it is determined by Processor-A by means of tasks, self tests and Monitor-A that Processor-A is operating correctly and if it is determined by means of tasks and eBIST-Data-M messages that Processor-M is also operating correctly.
The computer system 500 also has a first monitor element (referred to as Monitor-A) 508 adapted to enable Processor-A to determine whether Output-A 507 is in its required state.
The computer system 500 also has a first control element (referred to as Control-M) 509 adapted to ensure that any and all safety-related outputs from the computer system are held in a safe state. Control-M holds outputs in a safe state if, by means of eBIST-Data-A messages, Processor-M determines that Processor-A may not be operating correctly, or if, by means of self tests or Monitor-M 510, Processor-M determines that it may itself not be operating correctly.
The computer system 500 also has a second monitor element (referred to as Monitor-M) 510 adapted to enable Processor-M to determine whether Control-M is in its required state.
In accordance with this embodiment, a computer system is provided that executes scheduled tasks with increased reliability and a reduced likelihood of a critical failure.
The computer system 500 is arranged to execute sets of tasks in accordance with one or more predetermined system modes under control of a Processor-A. The task schedules for each task set on Processor-A determine the order in which tasks are executed and specify whether or not specific tasks are allowed to pre-empt (or interrupt) other tasks.
In
In
In
The computer system 500 is arranged to monitor the operation of Processor-A by means of Processor-M.
As noted above, Processor-M will operate in accordance with one or more predetermined system modes.
In
In
In
As with a conventional computer system, both POSTs and BISTs are performed in the computer system 500. In this specification, these self-tests may be referred to as external POSTs (ePOSTs) and external BISTs (eBISTs). In this context, ‘external’ means that the ePOST or eBIST is carried out within the system by the processor concerned (that is, the processor tests itself), but the results of these tests are also reported to—and checked by—a second processor in the system.
It will be appreciated that in this system 500, Processor-M checks the results of POSTs and BISTs that are performed on Processor-A while Processor-A checks the results of POSTs and BISTs that are performed on Processor-M. However, it will be appreciated that according to certain other embodiments of the present invention, the results of POSTs and BISTs performed by Processor-A may be checked by other processors in addition to or as an alternative to Processor-M. It will also be appreciated that the results of POSTs or BISTs performed by Processor-M may be checked by other processors (e.g., a third processor (not shown)) in addition to or as an alternative to Processor-A.
In
Processor-M will then compare the contents of each ePOST-Data-A message with the expected results of the corresponding ePOST. By means of this comparison, Processor-M will determine whether the ePOST performed on Processor-A has passed or has failed.
In
Additionally, in
In
In
In
In
In
Whilst in
In
Processor-A compares the contents of each ePOST-Data-M message with the expected results of the corresponding ePOST. By means of this comparison, Processor-A determines whether the ePOST performed on Processor-M has passed or has failed.
In
In
In
In
In
In
In
Whilst in
The Communication Channel 503 is adapted to support the transmission of ePOST-Data-A messages and eBIST-Data-A messages between Processor-A and Processor-M, and to support the transmission of ePOST-Data-M messages and eBIST-Data-M messages between Processor-M and Processor-A.
In
In
In
In
In
In
In
In
In
It will be appreciated that according to certain other embodiments of the present invention, Monitor-A has one or more analogue input pins on Processor-A plus associated external interfacing hardware that is required to adapt voltages from one or more analogue output pins on Output-A to meet the voltage requirements of the analogue input pins on Processor-A.
In
In
In
According to certain other embodiments of the present invention, Control-M has one or more analogue switches that provide a means of disabling one or more analogue output pins on Processor-A. A Fail-Safe State on any analogue output pins is also a 0V output although it will be appreciated that other Fail-Safe States could be used in other embodiments of the present invention.
In
In
However, according to certain other embodiments of the present invention, Monitor-M has one or more analogue input pins on Processor-M plus associated external interfacing hardware that is required to adapt voltages in the system environment to meet the voltage requirements of the analogue input pins and provide any necessary filtering of input signals.
In
Turning now to
In this context, the use of ePOST and eBIST refers to the fact that the tests performed are subject to assessment by an external processor. This means that, for example in
In
It will be appreciated that, in the example of
It will be appreciated that data is generated for each ePOST performed. This data may be referred to as a test report. The data/test report that is generated by the processor that is performing ePOSTs includes test results. For example, the data may include a predefined ‘Processor Fault Code’ (or PFC) that identifies the fault that was detected when a particular fault was injected into the system during a given ePOST. For example, PFC ‘3’ may indicate that, during a test of the iTETMM, the injected fault was detected as a task overrun. This PFC value (3) is then reported to the processor that is performing the checks.
Additionally, the data/test report that is generated by the processor that is performing ePOSTs will also include test data. For example, tests of an analogue-to-digital converter (ADC) may involve reading values from a fixed reference voltage. The values read from the reference voltage in such tests are reported to the (monitoring) processor that is performing checks of the ePOSTs, so that the monitoring processor can repeat the checks.
Additionally, according to certain embodiments of the present invention, the data/test reports that are generated by the processor that is performing ePOSTs are also generated in a pre-determined sequence. This may mean, as a non-limiting example, that if PFCs are reported during ePOSTs and there are 10 ePOSTs performed, the PFC sequence {1, 2, 3, 4, 5, 6, 7, 8, 9, 10} may be reported to the monitoring processor.
According to certain embodiments of the present invention, the data/test reports that are generated by the processor that is performing ePOSTs are also generated at pre-determined time intervals. This may mean, as a non-limiting example, that if PFCs are reported during ePOSTs and there are 10 ePOSTs performed, the PFCs are reported with a maximum time interval of 50 ms between each report.
If the processor that is performing the ePOSTs determines that any of these tests has failed in a fourth step 604, then the system—in this example—is intended to enter (and remain in) a Fail-Safe State in a fifth step 605. The way in which a given processor can enter a Fail-Safe State may depend on the processor's role in the system.
For example, if Processor-A in
If Processor-M in
Returning to
It will be appreciated that, in the example in
If the processor that is performing eBISTs detects a test failure in a tenth step 610, the system will enter and remain in a Fail-Safe State in an eleventh step 611. As with ePOSTs, the way in which a given processor can enter a Fail-Safe State may depend on the processor's role in the system.
For example, if Processor-A in
If Processor-M in
Returning to
It will be appreciated that in a typical design the system will, after power is applied in the first step 601, keep operating as indicated in the sixth step 606 until a fault is detected as indicated by steps 604, 605, 610, 611 or until power is removed from the system in a twelfth step 613.
As noted above,
Turning now to the process 700 shown in
For example, if Processor-A in
If Processor-M in
Returning to
In situations where—as in
If no timeout occurs in the fourth step 704, the checking process then involves confirming that the results of the ePOST report are correct in a sixth step 706.
As noted above, the expected sequence of ePOST test reports can be known in advance. This will provide greater confidence in the testing process by allowing the processor performing the checking process to ensure that—for example—the processor being checked is not simply ‘stuck in a loop’ where it performs the same test repeatedly. It will be appreciated that this type of ‘looping’ behaviour may not be detected by the processor being checked in a traditional computer system.
As noted above, the test reports that are generated by the processor that is performing ePOSTs include test results (such as PFCs) and test data. Where test data is provided, this will provide greater confidence in the testing process by allowing the processor performing the checking process to use the data provided to repeat some of the test process that was conducted on the processor that was performing the test. As a non-limiting example, an ePOST might involve checking that the processor performing the ePOST is being operated at an ambient temperature that is within the range specified by the manufacturer of the processor. A fault injection in this case might involve simulating an input (on the processor performing the test) from a temperature sensor that is above the maximum temperature range permitted for the processor. In this case, the processor that was performing the test may send both a test result and the injected (high) temperature value to the processor performing the checking process. The processor performing the checking process can then confirm the assessment carried out by the processor performing the test.
In situations where—as shown in
In situations where—as shown in
For example, if Processor-A in
If Processor-M in
Returning back to
In situations where—as shown in
If no timeout occurs in the tenth step 710, the checking process then involves confirming that the results of the eBIST report are correct in a twelfth step 712.
As noted above, the expected sequence of eBIST test reports can be known in advance. This provides greater confidence in the testing process by allowing the processor performing the checking process to ensure that—for example—the processor being checked is not simply ‘stuck in a loop’ where it performs the same test repeatedly. Again, it will be appreciated that this type of ‘looping’ behaviour may not be detected by the processor being checked.
As noted above, the test reports that are generated by the processor that is performing eBISTs have test results (such as PFCs) and test data. Where test data are provided, this will provide greater confidence in the testing process by allowing the processor performing the checking process to use the data provided to repeat some of the test process that was conducted on the processor that was performing the test.
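The checking process described for ePOST reports (timeout, expected sequence, and repeating part of the test from the reported data) and the identical process for eBIST reports can be written as one routine on the monitoring processor. The following C is an added example, not code from the specification or from the referenced books: the report layout, the 50 ms gap limit, the temperature limit, the ADC reference value and the set of expected PFCs are all constructed for the example. PFC 3 is kept as the iTETMM task-overrun test mentioned above; the other entries are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed limits (assumptions for this example, not values from the specification) */
#define REPORT_GAP_MAX_MS     50u   /* maximum interval between consecutive reports        */
#define TEMP_LIMIT_C          85    /* assumed maximum ambient operating temperature        */
#define ADC_REF_COUNTS        2048  /* assumed ADC reading of the fixed reference voltage   */
#define ADC_TOLERANCE_COUNTS  8

/* What kind of test each entry in the series is, so the checker can repeat it */
typedef enum { TEST_GENERIC, TEST_TEMP_OVER_RANGE, TEST_ADC_REFERENCE } test_kind_t;

typedef struct { uint8_t pfc; test_kind_t kind; } expected_t;

/* One ePOST/eBIST report as received by the checking processor */
typedef struct {
    uint8_t  pfc;    /* Processor Fault Code raised by the test                 */
    int32_t  data;   /* test data: injected temperature (C) or ADC reading      */
    uint32_t t_ms;   /* arrival time on the checking processor's own clock (ms) */
} report_t;

typedef enum { CHECK_PASS, CHECK_FAIL_TIMEOUT, CHECK_FAIL_SEQUENCE, CHECK_FAIL_RESULT } check_t;

/* Predetermined series known to the checker in advance (constructed; PFC 3 = iTETMM overrun test) */
static const expected_t EXPECTED[] = {
    {1, TEST_GENERIC}, {2, TEST_GENERIC}, {3, TEST_GENERIC},
    {4, TEST_TEMP_OVER_RANGE}, {5, TEST_ADC_REFERENCE},
};
#define N_EXPECTED (sizeof EXPECTED / sizeof EXPECTED[0])

/* Repeat the part of the test that the reported data allows */
static bool data_consistent(test_kind_t kind, int32_t data)
{
    switch (kind) {
    case TEST_TEMP_OVER_RANGE: return data > TEMP_LIMIT_C;  /* fault is only legitimate if the injected value is over range */
    case TEST_ADC_REFERENCE:   return abs(data - ADC_REF_COUNTS) <= ADC_TOLERANCE_COUNTS;
    default:                   return true;
    }
}

/* Checking process over a complete series of reports; returns the first failure found.
   t_start_ms is the moment the checker started waiting for the first report. */
check_t check_series(const report_t *r, size_t n, uint32_t t_start_ms)
{
    uint32_t last_ms = t_start_ms;
    for (size_t i = 0; i < n; i++) {
        /* timeout: gap too large (a timestamp earlier than the previous one wraps to a huge gap and also fails) */
        if (r[i].t_ms - last_ms > REPORT_GAP_MAX_MS) return CHECK_FAIL_TIMEOUT;
        last_ms = r[i].t_ms;
        /* sequence: too many reports, or a PFC out of order, e.g. a processor stuck repeating one test */
        if (i >= N_EXPECTED || r[i].pfc != EXPECTED[i].pfc) return CHECK_FAIL_SEQUENCE;
        /* result: re-run the checkable part of the test from the reported data */
        if (!data_consistent(EXPECTED[i].kind, r[i].data)) return CHECK_FAIL_RESULT;
    }
    return n == N_EXPECTED ? CHECK_PASS : CHECK_FAIL_SEQUENCE;  /* series cut short */
}

/* Constructed sample series, as the checking processor would see them */
static const report_t SERIES_OK[]       = { {1, 0, 10}, {2, 0, 40}, {3, 0, 80}, {4, 95, 120}, {5, 2050, 160} };
static const report_t SERIES_LOOP[]     = { {1, 0, 10}, {2, 0, 40}, {3, 0, 80}, {3, 0, 120},  {3, 0, 160} };    /* stuck on test 3 */
static const report_t SERIES_LATE[]     = { {1, 0, 10}, {2, 0, 40}, {3, 0, 80}, {4, 95, 170}, {5, 2050, 200} }; /* 90 ms gap */
static const report_t SERIES_BAD_DATA[] = { {1, 0, 10}, {2, 0, 40}, {3, 0, 80}, {4, 40, 120}, {5, 2050, 160} }; /* fault at 40 C */
#define LEN(a) (sizeof (a) / sizeof (a)[0])

int main(void)
{
    static const char *names[] = { "PASS", "FAIL_TIMEOUT", "FAIL_SEQUENCE", "FAIL_RESULT" };
    printf("ok:       %s\n", names[check_series(SERIES_OK, LEN(SERIES_OK), 0)]);
    printf("loop:     %s\n", names[check_series(SERIES_LOOP, LEN(SERIES_LOOP), 0)]);
    printf("late:     %s\n", names[check_series(SERIES_LATE, LEN(SERIES_LATE), 0)]);
    printf("bad data: %s\n", names[check_series(SERIES_BAD_DATA, LEN(SERIES_BAD_DATA), 0)]);
    return 0;
}
```

The three failure classes map onto the steps above: the timeout check (steps 704 and 710), the sequence check that catches a processor ‘stuck in a loop’, and the result check that uses the reported test data to repeat the assessment. In a real system the same routine would be driven incrementally as each message arrives on the Communication Channel rather than over a buffered array.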
In situations where—as shown in
In situations where—as shown in
The process 700 described with respect to
It will be appreciated that, unlike the iPOST/iBIST process performed by a conventional computer system (illustrated by way of example in
It will also be appreciated that, as in
It will also be appreciated that, when compared with the test process in a conventional computer system (as illustrated in
In other words, the very basic monitoring system that is common in traditional computer systems (a dynamic switch that might be easily fooled) is being replaced with a more advanced monitoring system (one that contains much more information about the expected states of the processor being monitored and is, therefore, better able to detect whether the processor being monitored is operating correctly).
It will also be appreciated that ePOSTs (illustrated by way of example in
It will also be appreciated that, unlike a conventional computer system, eBISTs (illustrated by way of example in
It will be appreciated that by avoiding resets during eBISTs (or, at least, significantly reducing the number of such resets), designs that are implemented in accordance with
Turning now to
In this computer system 800, there is a Digital-Input-A 806, a Digital-Output-A 803 and Comms-A1 805. The computer system also has a first monitor element (Monitor-A) made up of feedback 804 from Digital-Output-A 803 and feedback from Comms-A2 807.
The computer system 800 also has a control element (Control-M) that is comprised of a digital output pin 812 on Processor-M 808. This output pin 812 is used to enable or disable Digital-Output-A (by means of Control-M input 814) and to enable or disable Comms-A1 (by means of Control-M input 815).
The computer system also has a second monitor element (Monitor-M) that is comprised of feedback 813 on the state of Control-M 812 by means of one or more digital input pins on Processor-M.
Processor-A 801 is responsible for keeping track of the flow of coolant through a pipe as part of a hydrogen fuel cell in an automotive system. If the coolant flow rate falls below a pre-determined threshold, the fuel cell 802 is disabled by means of a Digital-Output-A interface 803. In
Processor-A 801 is also responsible for reporting the coolant flow rate over a CAN bus (to another system in the vehicle, such as the main Vehicle Control Unit) by means of the Comms-A1 interface 805. Processor-A 801 is also capable of monitoring (that is, reading back) messages that are sent on the CAN bus by Comms-A1 805 by means of the Comms-A2 interface 807.
Processor-A 801 is capable of monitoring its own digital outputs by means of feedback 804 from Digital-Output-A 803.
Processor-A 801 performs ePOSTs and eBISTs as illustrated in
Processor-M 808 monitors the ePOSTs and eBISTs that are performed on Processor-A as illustrated in
To monitor the ePOSTs and eBISTs, Processor-M 808 is linked to Processor-A 801 by means of a communication channel 809. Messages are sent from Processor-A to Processor-M 810 by means of this communication channel while ePOSTs and eBISTs are performed on Processor-A.
Messages sent from Processor-A to Processor-M in
In
In
In
In a similar way, Processor-A 801 monitors the ePOSTs and eBISTs that are performed on Processor-M 808 as illustrated in
To monitor the ePOSTs and eBISTs, messages are sent from Processor-M 808 to Processor-A 801 by means of the communication channel 809 while ePOSTs and eBISTs are performed on Processor-M.
Messages sent from Processor-M to Processor-A in this example include ePOST-Data-A and eBIST-Data-A messages. These messages include fault-injection data plus the results from the related tests.
In
In
Processor-M attempts to shut down the fuel cell by means of the Control-M 812 output. This Control-M output disables Digital-Output-A 803 (thereby, in this example, disabling the fuel cell) via Control-M input 814. Activation of the Control-M output will also disable Comms-A1 805 via Control-M Input 815. This prevents Processor-A from sending any further messages on the CAN bus. In this way, Processor-M attempts to ensure that the system enters a Fail-Safe State.
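The gating described here, in which Digital-Output-A is driven by Processor-A's own judgement of system health while Control-M on Processor-M can independently force the output to a Fail-Safe State and Monitor-M reads Control-M back, can be modelled as a small state machine. The following C is an added example and is not code from the specification: pin levels (1 = enabled, 0 = Fail-Safe at 0 V), the health flags, and the `stuck_level` parameter used to simulate a Control-M pin that does not follow its command are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Inputs to the two processors' decisions in one cycle (constructed for this example) */
typedef struct {
    bool a_self_ok;    /* Processor-A: tasks, self tests and Monitor-A feedback all OK */
    bool a_sees_m_ok;  /* Processor-A's checks of eBIST-Data-M messages passed        */
    bool m_self_ok;    /* Processor-M: own self tests pass                            */
    bool m_sees_a_ok;  /* Processor-M's checks of eBIST-Data-A messages passed        */
} health_t;

/* Processor-M state that persists between cycles: Fail-Safe, once entered, is held */
typedef struct { bool fail_safe_latched; } processor_m_t;

/* Observable levels after one cycle */
typedef struct { uint8_t output_a; uint8_t control_m; bool monitor_m_ok; uint8_t fuel_cell; } cycle_t;

/* Processor-A drives Digital-Output-A only when it judges both processors healthy */
uint8_t output_a_level(const health_t *h)
{
    return (h->a_self_ok && h->a_sees_m_ok) ? 1 : 0;
}

/* Processor-M drives Control-M (the enable line for Digital-Output-A and Comms-A1) */
uint8_t control_m_level(processor_m_t *m, const health_t *h)
{
    if (!(h->m_self_ok && h->m_sees_a_ok)) m->fail_safe_latched = true;
    return m->fail_safe_latched ? 0 : 1;
}

/* Monitor-M: compare the commanded Control-M level with the level read back on the feedback pin.
   A mismatch means Processor-M's own output path is suspect, which also latches Fail-Safe. */
bool monitor_m_check(processor_m_t *m, uint8_t commanded, uint8_t readback)
{
    if (commanded != readback) m->fail_safe_latched = true;
    return commanded == readback;
}

/* Level at the fuel-cell enable input: Control-M gates Digital-Output-A */
uint8_t fuel_cell_enable(uint8_t output_a, uint8_t control_m_actual)
{
    return output_a & control_m_actual;
}

/* One control cycle. stuck_level < 0 means the Control-M pin follows its command;
   otherwise the pin is simulated as stuck at that level (a fault Monitor-M must catch). */
cycle_t system_cycle(processor_m_t *m, const health_t *h, int stuck_level)
{
    cycle_t c;
    c.output_a  = output_a_level(h);
    c.control_m = control_m_level(m, h);
    uint8_t actual = (stuck_level < 0) ? c.control_m : (uint8_t)stuck_level;
    c.monitor_m_ok = monitor_m_check(m, c.control_m, actual);
    c.fuel_cell    = fuel_cell_enable(c.output_a, actual);
    return c;
}

int main(void)
{
    processor_m_t m = { false };
    health_t healthy = { true, true, true, true };
    health_t a_suspect = { true, true, true, false };   /* Processor-M failed an eBIST-Data-A check */
    cycle_t c1 = system_cycle(&m, &healthy, -1);
    cycle_t c2 = system_cycle(&m, &a_suspect, -1);
    cycle_t c3 = system_cycle(&m, &healthy, -1);        /* still held in Fail-Safe */
    printf("healthy: fuel_cell=%u  A suspect: fuel_cell=%u  after: fuel_cell=%u\n",
           c1.fuel_cell, c2.fuel_cell, c3.fuel_cell);
    return 0;
}
```

The second processor's decision does not depend on Processor-A agreeing with it: in the `a_suspect` cycle Processor-A still drives Output-A high, and it is Control-M alone that removes the fuel-cell enable. The `stuck_level` path shows the case Monitor-M exists for, a Control-M pin that reads back a different level from the one commanded, which the model treats as a Processor-M fault and latches.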
It will be appreciated that, when compared with the conventional design solution presented in
It will be appreciated that, unlike conventional computer systems, the computer system 800 comprises a means of performing comprehensive periodic self tests on a Processor-A while the system is operating without disrupting the operation of Processor-A, including the outputs from Processor-A.
It will also be appreciated that, unlike a conventional computer system, the periodic eBISTs that are performed on Processor-A can be performed very frequently, because they do not interfere with the normal operation of the system; in particular, performing all such tests within the PST/FTTI (which we assume takes place in this example) can increase confidence that the system is able to operate safely.
It will be appreciated that in the system shown schematically in
It will also be appreciated that many embedded computer systems employ two processors that (both) execute tasks. Such an architecture is particularly common in designs that are ‘safety critical’ in nature.
A computer system 900 which shows how such a two-processor architecture can be implemented in accordance with an embodiment of the present invention is illustrated in
Processor-A also compares the contents of ePOST-Data-B messages 905 sent by Processor-B over the Communication Channel as part of one or more messages sent between Processor-B and Processor-A with the expected results from each of those ePOSTs. Processor-A then operates in one of one or more pre-determined system modes.
In each of these system modes Processor-A 901 performs one or more eBISTs without performing a processor reset and reports data from each eBIST to Processor-B 902 by means of eBIST-Data-A messages 904 that are transmitted over the Communication Channel 903 as part of one or more messages sent between Processor-A and Processor-B. In each system mode Processor-A also compares the contents of eBIST-Data-B messages 905 sent by Processor-B over a Communication Channel as part of one or more messages sent between Processor-B and Processor-A with the expected results from each of those eBISTs. In each system mode Processor-A also performs one or more eBISTs that include performing a processor reset. However, it will be appreciated that in certain other embodiments of the present invention, Processor-A may not perform any eBISTs involving a processor reset. In
Processor-B 902 is likewise adapted to perform a series of ePOSTs which involve a processor reset. As discussed above, in certain other embodiments of the present invention ePOSTs are performed without a processor reset. Processor-B 902 then reports data from each ePOST to Processor-A 901 by means of ePOST-Data-B messages 905 that are transmitted over the Communication Channel 903 as part of one or more messages sent between Processor-B and Processor-A. Processor-B is also adapted to compare the contents of ePOST-Data-A messages 904 sent by Processor-A over the Communication Channel as part of one or more messages sent between Processor-A and Processor-B with the expected results from each of those ePOSTs. Processor-B is then adapted to operate in one of one or more pre-determined system modes.
In each system mode Processor-B 902 performs one or more eBISTs without performing a processor reset and reports data from each eBIST to Processor-A by means of eBIST-Data-B messages 905 sent over the Communication Channel 903. In each system mode Processor-B also compares the contents of eBIST-Data-A messages 904 sent by Processor-A over the Communication Channel 903 with the expected results from each of those eBISTs. Processor-B also performs one or more eBISTs that include performing a processor reset in each system mode. However, it will be appreciated that in certain other embodiments of the present invention, Processor-B may not perform any eBISTs involving a processor reset. In
Also included within the computer system 900 is a memory element (not shown) that stores the software to be executed by the first processor and the second processor. This includes the software associated with each of the POSTs and each of the BISTs and the software associated with the predetermined task schedules to be executed on the first processor and second processor. It will be appreciated that according to certain other embodiments of the present invention, multiple memory elements may be provided that each stores the respective software to be executed on a specific processor. It will also be appreciated that these memory elements may be external or internal to the first processor and second processors. For example, the first and second processor may each have their own internal memory element.
The system 900 includes the Communication Channel 903 adapted to support the transmission of messages between Processor-A and Processor-B, and to support the transmission of messages between Processor-B and Processor-A.
The system 900 also has an Input-A 906 adapted to enable Processor-A to acquire data for any tasks that execute on Processor-A, and an Output-A 907 adapted to enable Processor-A to generate any safety-related outputs from the computer system. The outputs are generated when Processor-A determines that (by means of tasks, self tests and Monitor-A) Processor-A itself is operating correctly and Processor-A also determines that (by means of tasks and eBIST-Data-B messages) Processor-B is also operating correctly.
The system 900 also has a Monitor-A 908 adapted to enable Processor-A to determine whether Output-A 907 is in its required state. System 900 also includes a Control-B 909 adapted to ensure that any and all safety-related outputs from the computer system are held in a safe state. The outputs are held in a safe state by Control-B if, by means of eBIST-Data-A messages, Processor-B determines that Processor-A may not be operating correctly, or if, by means of self tests or Monitor-B 910, Processor-B determines that Processor-B itself may not be operating correctly.
The system 900 also has a Monitor-B 910 adapted to enable Processor-B to determine whether Output-A 907 is in its required state and whether Control-B is in its required state.
System 900 also includes an Input-B 911 adapted to enable Processor-B to acquire data for any tasks that execute on Processor-B.
It will be appreciated that the computer system 900 is arranged to execute sets of tasks in accordance with one or more predetermined system modes under control of a Processor-A. The task schedules for each task set on Processor-A determine the order in which tasks are executed and specify whether or not specific tasks are allowed to pre-empt other tasks.
The computer system 900 is also arranged to execute sets of tasks in accordance with one or more predetermined system modes under control of a Processor-B. The task schedules for each task set on Processor-B determine the order in which tasks are executed and specify whether or not specific tasks are allowed to pre-empt other tasks.
Again, in this context, the use of ePOST and eBIST refers to the fact that the tests performed are subject to assessment by an external processor. This means that—for example—in
Processor-A 901 and Processor-B 902 both include a single hardware core and a single “hard” processor core. However, in certain other embodiments of the present invention it will be appreciated that Processor-A and/or Processor-B may comprise one or more “soft” or “hard” processor cores (that execute some software) and/or one or more hardware cores (that do not execute any software).
Processor-A 901 and Processor-B 902 are commercial-off-the-shelf (COTS) microprocessors. However, in certain other embodiments of the present invention it will be appreciated that Processor-A and/or Processor-B may comprise one or more processor chips, such as a commercial-off-the-shelf (COTS) microcontroller or microprocessor, Digital Signal Processor (DSP), Field-Programmable Gate Array (FPGA), Application Specific Integrated Circuit (ASIC) or similar devices. In certain other embodiments of the present invention it will be appreciated that Processor-A may comprise one or more processor cores on one or more commercial-off-the-shelf (COTS) microcontrollers or microprocessors, Digital Signal Processors (DSPs), Field-Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs) or similar devices.
In
The computer system 900 is arranged to monitor the operation of Processor-A by means of Processor-B.
The computer system 900 is arranged to monitor the operation of Processor-B by means of Processor-A.
In
It will be appreciated that in this system 900, Processor-B checks the results of ePOSTs and eBISTs that are performed on Processor-A while Processor-A checks the results of ePOSTs and eBISTs that are performed on Processor-B.
Processor-A 901 performs ePOSTs that involve a processor reset and reports data from each ePOST to Processor-B by means of ePOST-Data-A messages that are sent over the Communication Channel. Processor-B 902 then compares the contents of each ePOST-Data-A message with the expected results of the corresponding ePOST. By means of this comparison, Processor-B determines whether the ePOST performed on Processor-A has passed or has failed.
Likewise, Processor-B performs ePOSTs that involve a processor reset and reports data from each ePOST to Processor-A by means of ePOST-Data-B messages that are sent over the Communication Channel. Processor-A then compares the contents of each ePOST-Data-B message with the expected results of the corresponding ePOST. By means of this comparison, Processor-A determines whether the ePOST performed on Processor-B has passed or has failed.
In
In
In
Likewise, Processor-B performs eBISTs during its normal operation that do not require processor resets and reports data from each eBIST to Processor-A by means of eBIST-Data-B messages that are sent over the Communication Channel. Processor-A then compares the contents of each eBIST-Data-B message with the expected results of the corresponding eBIST. By means of this comparison, Processor-A determines whether the eBIST performed on Processor-B has passed or has failed.
In
In
As noted above, in
In
In
In
In
In
The Input-A 906 includes a software and hardware interface to one or more serial communication buses (such as CAN or Ethernet or RS-232 or SPI).
In
In
In
In
It will be appreciated that in certain other embodiments, the Monitor-A 908 may be connected to one or more digital output pins on Output-A and comprises one or more digital input pins on Processor-A plus any associated external interfacing hardware that may be required to adapt voltages in the system environment to meet the voltage requirements of the digital input pins.
In
In
In
It will also be appreciated that in certain other embodiments of the present invention, Control-B may comprise one or more digital switches that provide a means of disabling one or more digital output pins on Processor-A. In such embodiments, a Fail-Safe State on any digital output pins may be a 0V output or another appropriate output.
It will also be appreciated that in certain other embodiments of the present invention, Control-B may comprise one or more digital switches that provide a means of disabling transceivers that provide a link to one or more serial communication buses (such as CAN or Ethernet or RS-232 or SPI), thereby allowing Processor-B to prevent Processor-A from sending any messages on said communication buses when Control-B is in a Fail-Safe State.
In
It will also be appreciated that in certain other embodiments of the present invention, Monitor-B may comprise one or more digital input pins on Processor-B plus any associated external interfacing hardware that may be required to adapt voltages from one or more digital output pins on Output-A and Control-B to meet the voltage requirements of the digital input pins on Processor-B.
In
SPI) that are connected to Processor-A or Processor-B in a manner that allows Processor-B to monitor any communications on the one or more communication buses.
In
It will however be appreciated that in certain other embodiments of the present invention, Input-B comprises one or more digital input pins on Processor-B plus any associated external interfacing hardware that may be required to adapt voltages in the system environment to meet the voltage requirements of the digital input pins.
In
Turning now to
The system of
In
In
In
The coolant flow rate is determined by means of sensors connected to the Digital-Input-A interface 1006 and the Digital-Input-B interface 1016. The flow rate is determined, for example, from a pulse chain that is generated by suitable sensors (one connected to Digital-Input-A and another connected to Digital-Input-B). For both sensors, a high pulse rate corresponds to a high (coolant) flow rate.
The threshold level can be adjusted by means of the Digital-Input-A interface 1006 and the Digital-Input-B interface 1016.
In
Processor-A 1001 is capable of monitoring its own digital outputs by means of feedback 1004 from Digital-Output-A 1003.
Processor-B 1008 is also capable of monitoring the digital outputs from Processor-A 1001 by means of feedback 1013 from Digital-Output-A 1003.
Processor-A 1001 performs ePOSTs and eBISTs as illustrated in
To monitor the ePOSTs and eBISTs, Processor-A and Processor-B are linked by means of the communication channel 1009. Messages are sent from Processor-A to Processor-B by means of this communication channel while ePOSTs and eBISTs are performed on Processor-A. Messages are sent from Processor-B to Processor-A by means of this communication channel while ePOSTs and eBISTs are performed on Processor-B.
Messages sent from Processor-A to Processor-B in this example include ePOST-Data-A and eBIST-Data-A messages. These messages include fault-injection data plus the results from the related tests.
Messages sent from Processor-B to Processor-A in this example include ePOST-Data-B and eBIST-Data-B messages. These messages include fault-injection data plus the results from the related tests.
In
In
In a similar way, Processor-A 1001 monitors the ePOSTs and eBISTs that are performed on Processor-B 1008 as illustrated in
To monitor the ePOSTs and eBISTs, messages are sent from Processor-B to Processor-A by means of the communication channel 1009 while ePOSTs and eBISTs are performed on Processor-B.
Messages sent from Processor-B to Processor-A in this example include ePOST-Data-B and eBIST-Data-B messages. These messages include fault-injection data plus the results from the related tests.
In the event that Processor-A determines by means of its own ePOSTs, its own eBISTs or by monitoring (by means of tasks in this example) its own outputs via feedback from Digital-Output-A 1004 that it is not operating correctly, or if Processor-A determines (by means of an analysis of the contents of ePOST-Data-B or eBIST-Data-B messages) that Processor-B may not be operating correctly, Processor-A attempts to shut down the fuel cell by means of Digital-Output-A 1003 and stops sending messages on Comms-A 1005. In this way, Processor-A attempts to ensure that the system enters a Fail-Safe State.
In the event that Processor-B determines by means of its own ePOSTs, its own eBISTs or by monitoring its Control-B 1012 output (by means of Monitor-B 1013, 1018, 1019) that it is not operating correctly, or if Processor-B determines (by means of an analysis of the contents of ePOST-Data-A or eBIST-Data-A messages) that Processor-A may not be operating correctly, Processor-B attempts to shut down the fuel cell by means of the Control-B 1012 output. This Control-B output disables Digital-Output-A 1003 (thereby disabling the fuel cell) via Control-B input 1014. Activation of the Control-B output also disables Comms-A 1005 via Control-B input 1015. This prevents Processor-A from sending any further messages on the CAN bus. In this way, Processor-B also attempts to ensure that the system enters a Fail-Safe State.
It will be appreciated that, when compared with the conventional design solution presented in
It will be appreciated that dual-processor computer systems of the type illustrated (for example) in
Turning now to
In each system mode Processor-A 1101 performs one or more eBISTs without performing a processor reset and reports data from each eBIST to Processor-B 1102 by means of eBIST-Data-A messages 1104 that are transmitted over the Communication Channel 1103 as part of one or more messages sent between Processor-A and Processor-B. In each system mode Processor-A also compares the contents of eBIST-Data-B messages 1105 sent by Processor-B over the Communication Channel as part of one or more messages sent between Processor-B and Processor-A with the expected results from each of those eBISTs. In each system mode Processor-A also performs one or more eBISTs that include performing a processor reset although as discussed above certain other embodiments of the present invention do not require BISTs to be performed that include a processor reset. In each system mode Processor-A also executes one or more tasks according to a predetermined task schedule.
Also included within system 1100 is a second processor (Processor-B) 1102 adapted to perform a series of ePOSTs which involve a processor reset and to report data from each ePOST to Processor-A 1101 by means of ePOST-Data-B messages 1105 that are transmitted over the Communication Channel 1103 as part of one or more messages sent between Processor-B and Processor-A. Processor-B also compares the contents of ePOST-Data-A messages 1104 sent by Processor-A over the Communication Channel as part of one or more messages sent between Processor-A and Processor-B with the expected results from each of those ePOSTs. Thereafter, Processor-B 1102 operates in one of one or more pre-determined system modes.
In each system mode Processor-B performs one or more eBISTs without performing a processor reset and reports data from each eBIST to Processor-A by means of eBIST-Data-B messages 1105 sent over the Communication Channel 1103. In each system mode Processor-B 1102 also compares the contents of eBIST-Data-A messages 1104 sent by Processor-A over the Communication Channel 1103 with the expected results from each of those eBISTs. In each system mode Processor-B also performs one or more eBISTs that include performing a processor reset, although as discussed above processor resets during eBISTs are not performed in certain embodiments of the present invention. In each system mode Processor-B also executes one or more tasks according to a predetermined task schedule.
Also included within the computer system 1100 is a memory element (not shown) that stores the software to be executed by the first processor and the second processor. This includes the software associated with each of the POSTs and each of the BISTs and the software associated with the predetermined task schedules to be executed on the first processor and second processor. It will be appreciated that according to certain other embodiments of the present invention, multiple memory elements may be provided that each stores the respective software to be executed on a specific processor. It will also be appreciated that these memory elements may be external or internal to the first processor and second processors. For example, the first and second processor may each have their own internal memory element.
The system 1100 also has a Communication Channel 1103 adapted to support the transmission of messages 1104 between Processor-A and Processor-B and to support the transmission of messages 1105 between Processor-B and Processor-A.
The system 1100 also has a first input (Input-A) 1106 adapted to enable Processor-A to acquire data for any tasks that execute on Processor-A and a first output (Output-A) 1107 adapted to enable Processor-A to generate any safety-related outputs from the computer system. These outputs are generated by Processor-A if—by means of tasks, self tests and Monitor-A—Processor-A determines that Processor-A itself is operating correctly.
The system 1100 also includes a second output (Output-B) 1113 adapted to enable Processor-B to generate any safety-related outputs from the computer system. The outputs are generated by Processor-B if—by means of tasks, self tests and Monitor-B—Processor-B determines that Processor-B itself is operating correctly and if—by means of tasks and eBIST-Data-A messages—Processor-B determines that Processor-A is not operating correctly.
The system 1100 also includes a first monitor element (Monitor-A) 1108 adapted to enable Processor-A to determine whether Output-A 1107 and Output-B 1113 and System-Output 1115 are in their required states. The system 1100 also includes a second monitor element (Monitor-B) 1110 adapted to enable Processor-B to determine whether Output-A 1107 and Output-B 1113 and System-Output 1115 are in their required states.
The system 1100 also includes a first control element (Control-A) 1112 adapted to ensure that any and all safety-related outputs from Output-A 1107 are held in a safe state if—by means of self tests or Monitor-A 1108—Processor-A determines that Processor-A itself is not operating correctly.
The system 1100 also includes a second control element (Control-B) 1109 adapted to ensure that any and all safety-related outputs from Output-B 1113 are held in a safe state if—by means of self tests or Monitor-B 1110—Processor-B determines that Processor-B itself is not operating correctly.
In certain other embodiments of the present invention, Monitor-A 1108 may also determine whether Control-A and/or Control-B are in their required states. Likewise, in certain other embodiments of the present invention, Monitor-B 1110 may also determine whether Control-A and/or Control-B are in their required states.
Also included in system 1100 is a second input (Input-B) 1111 adapted to enable Processor-B to acquire data for any tasks that execute on Processor-B.
System 1100 also includes a System-Output-Logic element 1114 adapted to determine a single set of outputs from the system 1100 based on a combination of the outputs from Output-A 1107, Output-B 1113, Control-A 1112 and Control-B 1109. In the system 1100, a System-Output 1115 is adapted to generate a fail-operational output from the system 1100 based on the calculations performed by the System-Output-Logic element 1114.
Thus, it will be appreciated that the computer system 1100 executes scheduled tasks with increased reliability and a reduced likelihood of a critical failure.
The computer system 1100 is arranged to execute sets of tasks in accordance with one or more predetermined system modes under control of a Processor-A. The task schedules for each task set on Processor-A determine the order in which tasks are executed and specify whether or not specific tasks are allowed to pre-empt other tasks.
The computer system 1100 is also arranged to execute sets of tasks in accordance with one or more predetermined system modes under control of a Processor-B. The task schedules for each task set on Processor-B determine the order in which tasks are executed and specify whether or not specific tasks are allowed to pre-empt other tasks.
In
In
In
The computer system 1100 is arranged to monitor the operation of Processor-A by means of Processor-B.
As noted above, Processor-B will operate in accordance with one or more predetermined system modes.
In
As with a conventional computer system, both POSTs and BISTs are performed in this system 1100.
Unlike a conventional computer system, in accordance with an aspect of this invention, such testing may be split into two categories: external Power-On Self Tests (ePOSTs) and external Built-In Self Tests (eBISTs). In this context, as noted above ‘external’ means that the ePOST or eBIST is carried out within the system by the processor concerned (that is, the processor tests itself), but the results of these tests are also reported to—and checked by—a second processor in the system.
It will be appreciated that in this system 1100, Processor-B checks the results of ePOSTs and eBISTs that are performed on Processor-A while Processor-A checks the results of ePOSTs and eBISTs that are performed on Processor-B. However, it will be appreciated that according to certain other embodiments of the present invention, the results of POSTs and BISTs performed by Processor-A may be checked by other processors in addition to or as an alternative to Processor-B. It will also be appreciated that the results of POSTs or BISTs performed by Processor-B may be checked by other processors (e.g., a third processor (not shown)) in addition to or as an alternative to Processor-A.
In
In
In
In
In
In
In
In
In
In
In
In
In
In
In
In
In
In
The computer system 1100 is arranged to have a Communication Channel that is adapted to support the transmission of ePOST-Data-A messages and eBIST-Data-A messages between Processor-A and Processor-B, and to support the transmission of ePOST-Data-B messages and eBIST-Data-B messages between Processor-B and Processor-A.
In
In
In
In
In
In
According to certain other embodiments of the present invention, Input-A may comprise one or more analogue input pins on Processor-A plus any associated external interfacing hardware that may be required to adapt voltages in the system environment to meet the voltage requirements of the analogue input pins and provide any necessary filtering of input signals.
In
In
According to certain other embodiments of the present invention, Output-A comprises analogue output pins on Processor-A plus any associated external interfacing hardware that may be required to adapt voltages in the system environment to meet the voltage requirements of the analogue output pins and provide any necessary filtering of output signals. In these embodiments, a Fail-Safe State on any analogue output pins on Output-A may have a 0V output or another output.
In
In
According to certain other embodiments of the present invention, Output-B comprises analogue output pins on Processor-B plus any associated external interfacing hardware that may be required to adapt voltages in the system environment to meet the voltage requirements of the analogue output pins and provide any necessary filtering of output signals. A Fail-Safe State on any analogue output pins on Output-B may be a 0V output or another output.
In
In
In certain alternative embodiments of the present invention, Monitor-A may comprise one or more analogue input pins on Processor-A plus any associated external interfacing hardware that may be required to adapt voltages from one or more analogue output pins on Output-A, Output-B and System-Output to meet the voltage requirements of the analogue input pins on Processor-A and provide any necessary filtering of input signals.
In
In
In certain alternative embodiments of the present invention, Monitor-B may comprise one or more analogue input pins on Processor-B plus any associated external interfacing hardware that may be required to adapt voltages from one or more analogue output pins on Output-A, Output-B and System-Output to meet the voltage requirements of the analogue input pins on Processor-B and provide any necessary filtering of input signals.
In
The computer system 1100 is arranged to have a Control-A adapted to ensure that any and all safety-related outputs from Output-A 1107 are held in a Fail-Safe State if—by means of self tests or Monitor-A—Processor-A determines that Processor-A itself may not be operating correctly.
In
In certain other embodiments of the present invention, Control-A comprises one or more analogue switches that provide a means of disabling one or more analogue output pins on Processor-A. A Fail-Safe State on any analogue output pins on Control-A will comprise a 0V output. Other outputs could of course be utilised.
In
The computer system is arranged to have a Control-B 1109 adapted to ensure that any and all safety-related outputs from Output-B 1113 are held in a Fail-Safe State if—by means of self tests or Monitor-B—Processor-B determines that Processor-B itself may not be operating correctly.
In
In certain alternative embodiments of the present invention, Control-B comprises one or more analogue switches that provide a means of disabling one or more analogue output pins on Processor-B. A Fail-Safe State on any analogue output pins on Control-B will comprise a 0V output although other outputs could of course be used.
In
The computer system 1100 is arranged to have a System-Output-Logic element 1114 adapted to determine a single set of outputs from the system based on a combination of the outputs from Output-A and Output-B. In
According to certain other embodiments of the present invention, the System-Output-Logic element includes a XOR (logic) operation in addition to or as an alternative to the OR (logic) operation for combining any digital outputs from Output-A and Output-B.
According to certain other embodiments of the present invention, the System-Output-Logic element 1114 comprises one or more analogue switches that provide a means of combining any analogue outputs from Output-A and Output-B, thereby ensuring that only Processor-A or Processor-B (and not both) can generate analogue outputs at any given time.
In
In
In
In
In
A Fail-Safe State on any digital output pins on System-Output-Logic element is a 0V output. Other outputs could of course be used.
A Fail-Safe State on any analogue output pins on System-Output-Logic element is a 0V output. Other outputs could of course be used.
In
The computer system is arranged to have a System-Output 1115 adapted to generate a fail-operational output from the system based on the calculations performed by the System-Output-Logic.
In
In certain alternative embodiments of the present invention, the System-Output comprises analogue output pins plus any associated external interfacing hardware that may be required to adapt voltages in the system environment to meet the voltage requirements of the analogue output pins and provide any necessary filtering of output signals. A Fail-Safe State on any analogue output pins on System-Output will comprise a 0V output. Other outputs could of course be used.
In
Turning now to
In the example shown in
The two processors (Processor-A 1201 and Processor-B 1202) are linked by means of a Communication Channel 1203 that is used to exchange messages.
The computer system 1200 includes a Digital-Input-A 1206, a Digital-Input-B 1211, a Digital-Output-A 1207, Comms-A 1217, Digital-Output-B 1213 and Comms-B 1218.
In the system 1200, there is also a series of ‘OR’ gates 1214 that are used to combine the outputs from Digital-Output-A 1207 and Digital-Output-B 1213. This means that either Processor-A (by means of Digital-Output-A) or Processor-B (by means of Digital-Output-B) can generate the digital outputs needed to control the hydrogen fuel cell 1216.
In the system 1200, there is also a Digital-Monitor-A 1208 that monitors feedback 1228 from Digital-Output-A 1207, feedback from Comms-A 1217, and the state of Digital-Output-B 1213. There is also a Digital-Monitor-B 1210 that monitors feedback 1227 from Digital-Output-B 1213, feedback from Comms-B 1218, and the state of Digital-Output-A 1207.
In
In
In the system 1200, the fuel cell 1216 can be disabled by means of the Digital-Output-A interface and/or by means of the Digital-Output-B interface (plus the associated System-Output-Logic 1214 and Output circuitry 1215) if the coolant flow rate falls below a pre-determined threshold.
In
Furthermore, Processor-A or Processor-B can, alone, by means of tasks executing on that processor, monitor the rate of coolant flow, if required. If only one processor is performing this monitoring task then the level of confidence in the safe operation of this task may be lower. As a consequence, the system 1200 is configured so that it operates with a single processor only for a short period of time. During this period, the system performs a controlled shutdown of the hydrogen fuel cell. Controlling the rate of fuel-cell shutdown gives the driver of the vehicle time to navigate to a safe location before the power provided by the fuel cell is removed from the system.
In the system 1200, either Processor-A 1201 (via the Comms-A interface 1217) or Processor-B 1202 (via the Comms-B interface 1218) reports the current coolant flow rate over a CAN bus (to another system in the vehicle, such as the main Vehicle Control Unit). Both the Comms-A and Comms-B interfaces are connected to the same CAN bus so that each processor can monitor the communications sent by the other processor on the (shared) CAN bus.
In the system 1200 of
When Processor-A is operating normally and Processor-B has entered a Fail-Safe State, Processor-A is responsible for reporting the coolant flow rate over the CAN bus by means of Comms-A interface 1217. In this situation, the coolant flow rate is determined by means of sensor(s) connected to Digital-Input-A interface 1206.
When Processor-B is operating normally and Processor-A has entered a Fail-Safe State, Processor-B is responsible for reporting the coolant flow rate over the CAN bus by means of Comms-B interface 1218. In this situation, the coolant flow rate is determined by means of sensor(s) connected to Digital-Input-B interface 1211.
The coolant threshold level can be adjusted by means of the Digital-Input-A interface 1206 and/or the Digital-Input-B interface 1211.
Processor-A 1201 is capable of monitoring (via Digital-Monitor-A 1208) its own digital outputs by means of feedback 1228 from Digital-Output-A 1207. Processor-B 1202 is also capable of monitoring (via Digital-Monitor-B 1210) its own digital outputs by means of feedback 1227 from Digital-Output-B 1213.
Processor-A can monitor the digital outputs from Processor-B by means of feedback from Digital-Output-B. Processor-B is also capable of monitoring the digital outputs from Processor-A by means of feedback from Digital-Output-A.
Processor-A 1201 and Processor-B 1202 perform ePOSTs and eBISTs according to the methodology illustrated in
Messages sent from Processor-A to Processor-B include ePOST-Data-A and eBIST-Data-A messages. These messages include fault-injection data and the results from the related tests. Messages sent from Processor-B to Processor-A include ePOST-Data-B and eBIST-Data-B messages. These messages include fault-injection data plus the results from the related tests.
The eBIST-Data-A messages include a message sequence number (so that an absence of eBIST-Data-A messages can be detected by Processor-B). The eBISTs on Processor-A are carried out in a pre-determined sequence. This allows Processor-B to determine whether these tests have been carried out in the expected order.
The eBISTs carried out include fault injection. Injecting a fault should result in generation of a Processor Fault Code (PFC) on Processor-A. This PFC is reported to Processor-B, along with the sequence number and eBIST identifier, in the eBIST-Data-A message. Because the eBIST is known on Processor-B and the expected PFC is also known on Processor-B, it is possible for Processor-B to check that the test was conducted successfully on Processor-A.
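The checking that Processor-B performs on eBIST-Data-A messages can be illustrated with the following added example in 'C'. It is an illustration for this text, not code from the specification or from References 1 and 2. The message layout, the test identifiers, the Processor Fault Code names and values, the four-test order and the timeout are all assumptions; only the checks themselves (sequence number, pre-determined order, the expected PFC after fault injection, and absence of messages) follow from the description above. ePOST-Data messages, which are compared against expected results in the same way, can be checked with the same routine.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical Processor Fault Codes (PFCs): names and values are assumed. */
enum pfc { PFC_NONE = 0x00, PFC_RAM_MARCH = 0x11, PFC_FLASH_CRC = 0x12,
           PFC_STACK_GUARD = 0x13, PFC_CLOCK_RANGE = 0x14 };

/* One eBIST-Data message as decoded on the checking processor (layout assumed). */
struct ebist_data {
    uint16_t seq;       /* sequence number, increments by one per message */
    uint8_t  test_id;   /* identifier of the eBIST that was run */
    uint8_t  injected;  /* non-zero if a fault was injected during this test */
    uint8_t  pfc;       /* PFC raised on the tested processor, PFC_NONE if none */
};

/* Pre-determined eBIST order and the PFC each test must raise when a fault is
 * injected. Both processors hold the same table (assumed contents). */
struct ebist_expect { uint8_t test_id; uint8_t pfc_on_injection; };
static const struct ebist_expect k_schedule[] = {
    { 1, PFC_RAM_MARCH }, { 2, PFC_FLASH_CRC }, { 3, PFC_STACK_GUARD }, { 4, PFC_CLOCK_RANGE },
};
#define SCHED_LEN (sizeof k_schedule / sizeof k_schedule[0])

enum verdict { V_PASS, V_BAD_SEQ, V_BAD_ORDER, V_BAD_PFC, V_TIMEOUT };

struct checker {
    uint16_t next_seq;      /* sequence number the next message must carry */
    size_t   next_idx;      /* position in k_schedule the next message must match */
    uint32_t last_rx_tick;  /* scheduler tick at which the last good message arrived */
    uint32_t timeout_ticks; /* silence longer than this counts as absence */
};

/* Check one message against the checker's state. State advances only on
 * V_PASS, so a gap, a reordered test or a wrong PFC is never resynchronised
 * away silently; the caller decides whether to treat the peer as faulty.
 * V_BAD_PFC with `injected` set is the important case: the fault was injected
 * but the detector on the peer did not fire. */
static enum verdict checker_feed(struct checker *c, const struct ebist_data *m, uint32_t now)
{
    const struct ebist_expect *e = &k_schedule[c->next_idx];
    uint8_t want_pfc = m->injected ? e->pfc_on_injection : (uint8_t)PFC_NONE;

    if (m->seq != c->next_seq)    return V_BAD_SEQ;
    if (m->test_id != e->test_id) return V_BAD_ORDER;
    if (m->pfc != want_pfc)       return V_BAD_PFC;

    c->next_seq++;
    c->next_idx = (c->next_idx + 1) % SCHED_LEN;
    c->last_rx_tick = now;
    return V_PASS;
}

/* Run from the checking processor's own periodic task: absence detection. */
static enum verdict checker_tick(const struct checker *c, uint32_t now)
{
    return (now - c->last_rx_tick) > c->timeout_ticks ? V_TIMEOUT : V_PASS;
}

/* Feed a run of messages arriving every `step` ticks; report the first failure. */
static enum verdict checker_run(struct checker *c, const struct ebist_data *msgs,
                                size_t n, uint32_t start_tick, uint32_t step)
{
    for (size_t i = 0; i < n; i++) {
        enum verdict v = checker_feed(c, &msgs[i], start_tick + (uint32_t)i * step);
        if (v != V_PASS) return v;
    }
    return V_PASS;
}

/* Constructed sample traffic (not captured from any real system). */
static const struct ebist_data k_ok[] = {
    { 0, 1, 1, PFC_RAM_MARCH }, { 1, 2, 0, PFC_NONE },
    { 2, 3, 1, PFC_STACK_GUARD }, { 3, 4, 1, PFC_CLOCK_RANGE },
};
static const struct ebist_data k_detector_dead[] = { { 0, 1, 1, PFC_NONE } };
static const struct ebist_data k_lost_message[]  = { { 0, 1, 1, PFC_RAM_MARCH }, { 2, 3, 1, PFC_STACK_GUARD } };
static const struct ebist_data k_wrong_order[]   = { { 0, 2, 0, PFC_NONE } };

int main(void)
{
    static const char *names[] = { "PASS", "BAD_SEQ", "BAD_ORDER", "BAD_PFC", "TIMEOUT" };
    struct checker c = { 0, 0, 0, 5 };
    enum verdict run = checker_run(&c, k_ok, 4, 1, 1);
    printf("good run: %s, then 6 ticks of silence: %s\n",
           names[run], names[checker_tick(&c, c.last_rx_tick + 6)]);
    struct checker d = { 0, 0, 0, 5 };
    printf("detector dead: %s\n", names[checker_run(&d, k_detector_dead, 1, 1, 1)]);
    struct checker e = { 0, 0, 0, 5 };
    printf("lost message: %s, ", names[checker_run(&e, k_lost_message, 2, 1, 1)]);
    struct checker f = { 0, 0, 0, 5 };
    printf("wrong order: %s\n", names[checker_run(&f, k_wrong_order, 1, 1, 1)]);
    return 0;
}
```

The checker deliberately does not resynchronise after a bad message: on a time-triggered design the sequence and the order are known in advance on both processors, so any deviation is evidence about the peer rather than something to tolerate. The `injected` flag is what gives the test its diagnostic value; a message that reports a clean result for a test in which a fault was injected shows that the peer's detection mechanism, not merely the peer's hardware under test, has failed.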
Processor-A 1201 monitors the ePOSTs and eBISTs that are performed on Processor-B according to the methodology as illustrated in
To monitor ePOSTs and eBISTs, messages are sent from Processor-B to Processor-A by means of the communication channel 1203 while ePOSTs and eBISTs are performed on Processor-B.
Messages sent from Processor-B to Processor-A include ePOST-Data-B and eBIST-Data-B messages. These messages include fault-injection data plus the results from the related tests.
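The checks described above for the eBIST-Data-A stream (and, symmetrically, for the eBIST-Data-B stream monitored by Processor-A) can be written as a small monitor task on the receiving processor. The following is an added example, not code from the patent or from either reference: it assumes a message layout (`ebist_msg_t`), a constructed table of expected test identifiers and Processor Fault Codes, and the function names `monitor_init`, `monitor_tick` and `monitor_on_msg`, none of which the page specifies. It detects a missing or replayed message (sequence gap), a test run out of the pre-determined order, an injected fault that did not raise the expected PFC, and prolonged absence of messages, and it latches the first fault found.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed eBIST-Data message layout. The page names the fields (sequence
 * number, eBIST identifier, Processor Fault Code) but not their widths or
 * encoding, so this struct is an illustration, not the patent's wire format. */
typedef struct {
    uint16_t seq;      /* message sequence number, increments by one per message */
    uint8_t  test_id;  /* eBIST identifier */
    uint8_t  pfc;      /* Processor Fault Code raised by the injected fault */
} ebist_msg_t;

/* Pre-determined test sequence and the PFC each test must raise. The monitoring
 * processor holds this table; the values below are constructed for the example. */
#define EBIST_COUNT 4
static const uint8_t expected_order[EBIST_COUNT] = { 0x01, 0x02, 0x03, 0x04 };
static const uint8_t expected_pfc[EBIST_COUNT]   = { 0x11, 0x22, 0x33, 0x44 };

typedef enum {
    MON_OK = 0,
    MON_SEQ_GAP,      /* a message was lost or replayed */
    MON_WRONG_ORDER,  /* a test ran out of the pre-determined sequence */
    MON_WRONG_PFC,    /* the injected fault did not raise the expected PFC */
    MON_TIMEOUT       /* no message within the allowed number of ticks */
} mon_result_t;

typedef struct {
    uint16_t     next_seq;         /* sequence number the next message must carry */
    size_t       next_index;       /* position in expected_order[] */
    uint32_t     ticks_since_msg;  /* scheduler ticks since the last good message */
    uint32_t     timeout_ticks;    /* absence limit in ticks */
    mon_result_t fault;            /* first fault seen; latched until re-initialised */
} ebist_monitor_t;

void monitor_init(ebist_monitor_t *m, uint32_t timeout_ticks)
{
    m->next_seq = 0;
    m->next_index = 0;
    m->ticks_since_msg = 0;
    m->timeout_ticks = timeout_ticks;
    m->fault = MON_OK;
}

/* Latch the first fault; a safety monitor must not silently resume after one. */
static mon_result_t latch(ebist_monitor_t *m, mon_result_t r)
{
    if (m->fault == MON_OK) m->fault = r;
    return m->fault;
}

/* Called once per scheduler tick by the monitoring task. */
mon_result_t monitor_tick(ebist_monitor_t *m)
{
    if (m->fault != MON_OK) return m->fault;
    if (++m->ticks_since_msg > m->timeout_ticks) return latch(m, MON_TIMEOUT);
    return MON_OK;
}

/* Called when an eBIST-Data message arrives over the communication channel. */
mon_result_t monitor_on_msg(ebist_monitor_t *m, const ebist_msg_t *msg)
{
    if (m->fault != MON_OK) return m->fault;
    if (msg->seq != m->next_seq) return latch(m, MON_SEQ_GAP);
    if (msg->test_id != expected_order[m->next_index]) return latch(m, MON_WRONG_ORDER);
    if (msg->pfc != expected_pfc[m->next_index]) return latch(m, MON_WRONG_PFC);

    m->next_seq++;                                    /* uint16_t wraps naturally */
    m->next_index = (m->next_index + 1) % EBIST_COUNT;
    m->ticks_since_msg = 0;
    return MON_OK;
}

/* Stand-alone demonstration on a constructed message stream: one full cycle of
 * correct reports, then a report whose PFC does not match the injected fault. */
int main(void)
{
    static const ebist_msg_t stream[] = {
        { 0, 0x01, 0x11 }, { 1, 0x02, 0x22 }, { 2, 0x03, 0x33 }, { 3, 0x04, 0x44 },
        { 4, 0x01, 0x11 }, { 5, 0x02, 0x99 }   /* 0x99: test 0x02 did not raise PFC 0x22 */
    };
    ebist_monitor_t mon;
    monitor_init(&mon, 10);
    for (size_t i = 0; i < sizeof stream / sizeof stream[0]; i++) {
        mon_result_t r = monitor_on_msg(&mon, &stream[i]);
        printf("seq %u test 0x%02X pfc 0x%02X -> %d\n",
               (unsigned)stream[i].seq, stream[i].test_id, stream[i].pfc, (int)r);
    }
    return mon.fault == MON_OK ? 0 : 1;
}
```

In a time-triggered design `monitor_tick` would be released by the scheduler at a fixed period and `monitor_on_msg` by the task that drains the communication channel; the latched `fault` is what the receiving processor's shutdown logic would consult. Which of the four faults fired matters for diagnosis, but the response is the same in each case: the peer is no longer demonstrably executing its self-tests correctly, so its output must no longer be trusted.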
In the event that Processor-A determines (by means of its own ePOSTs, its own eBISTs or by monitoring (by means of tasks in this example) its own outputs via feedback from Digital-Output-A 1207) that it is not operating correctly, Processor-A attempts to notify Processor-B that it is shutting down by means of the Communication Channel 1203. Processor-A then stops sending the pulse chain 1225 to Switch-A 1212 and attempts to shut itself down. In this way, Processor-A attempts to ensure that Processor-B (alone) can then continue to operate the hydrogen fuel cell.
In the event that Processor-B determines (by means of its own ePOSTs, its own eBISTs or by monitoring (by means of tasks in this example) its own outputs via feedback from Digital-Output-B 1213) that it is not operating correctly, Processor-B attempts to notify Processor-A that it is shutting down by means of the Communication Channel 1203. Processor-B then stops sending the pulse chain 1226 to Switch-B 1209 and attempts to shut itself down. In this way, if Processor-A is operating normally, Processor-B lets Processor-A control the hydrogen fuel cell alone.
In the event that Processor-B determines (by means of its own ePOSTs, its own eBISTs or by monitoring (by means of tasks in this example) its own outputs via feedback from Digital-Output-B 1213) that it is not operating correctly, and Processor-A is not operating normally, Processor-B attempts to ensure that the system enters a Fail-Safe State and that the hydrogen fuel cell is shut down.
In the event that Processor-A determines (by means of its own ePOSTs, its own eBISTs or by monitoring (by means of tasks in this example) its own outputs via feedback from Digital-Output-A 1207) that it is not operating correctly, and Processor-B is not operating normally, Processor-A attempts to ensure that the system enters a Fail-Safe State and that the hydrogen fuel cell is shut down.
It will be appreciated that, when compared with the conventional system presented in
Throughout the description and claims of this specification, the words “comprise” and “contain” and variations of them mean “including but not limited to” and they are not intended to (and do not) exclude other moieties, additives, components, integers or steps. Throughout the description and claims of this specification, the singular encompasses the plural unless the context otherwise requires. In particular, where the indefinite article is used, the specification is to be understood as contemplating plurality as well as singularity, unless the context requires otherwise.
Features, integers, characteristics or groups described in conjunction with a particular aspect, embodiment or example of the invention are to be understood to be applicable to any other aspect, embodiment or example described herein unless incompatible therewith. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and/or all of the steps of any method or process so disclosed, may be combined in any combination, except combinations where at least some of the features and/or steps are mutually exclusive. The invention is not restricted to any details of any foregoing embodiments. The invention extends to any novel one, or novel combination, of the features disclosed in this specification (including any accompanying claims, abstract and drawings), or to any novel one, or any novel combination, of the steps of any method or process so disclosed.
The reader's attention is directed to all papers and documents which are filed concurrently with or previous to this specification in connection with this application and which are open to public inspection with this specification, and the contents of all such papers and documents are incorporated herein by reference.
Number | Date | Country | Kind |
---|---|---|---|
2209133.4 | Jun 2022 | GB | national |
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/GB2023/051580 | 6/16/2023 | WO | |