Nios® V Processor: Lockstep Implementation

Download PDF
ID 833274
Date 10/07/2024
Public
Document Table of Contents
Document Table of Contents x
1. About the Nios® V Processor Lockstep 2. Overview 3. Controlling the Nios® V Processor Lockstep 4. Programming Model 5. Signals, Interfaces, and Build Parameters 6. Using Nios® V Processor Lock Step A. Document Revision History for the Nios® V Processor: Lockstep Implementation B. Appendix
1. About the Nios® V Processor Lockstep x
1.1. Nios® V Processor Lockstep Features
2. Overview x
2.1. Introduction 2.2. Main Principles 2.3. Operating Modes 2.4. Resets 2.5. LOGS Information
2.2. Main Principles x
2.2.1. System Phases 2.2.2. System States 2.2.3. Safety Mechanisms
2.2.2. System States x
2.2.2.1. Transitioning between System States
2.2.3. Safety Mechanisms x
2.2.3.1. Self-Checking Comparator 2.2.3.2. Timeout Timer 2.2.3.3. Enable Counters 2.2.3.4. Specialized Safety Mechanism
2.3. Operating Modes x
2.3.1. NORMAL and SILENT Modes
2.4. Resets x
2.4.1. Resetting CORE 2.4.2. Resetting OPTIONS 2.4.3. Resetting LOGS 2.4.4. Resetting Time Diversity Register
2.5. LOGS Information x
2.5.1. ALARMS 2.5.2. CONTEXT 2.5.3. STATISTICS 2.5.4. Reset LOGS
2.5.1. ALARMS x
2.5.1.1. Configuring Alarm Severity
3. Controlling the Nios® V Processor Lockstep x
3.1. Configuration Interface 3.2. fRNET Interface 3.3. Controlling the Elective Features
3.3. Controlling the Elective Features x
3.3.1. Applying Timeout and Comparator Blind Window 3.3.2. Injecting Fault 3.3.3. Downloading the CPU Software 3.3.4. Debugging the CPU Software using SILENT Mode 3.3.5. Resetting the CPU upon Fault Detection
3.3.1. Applying Timeout and Comparator Blind Window x
3.3.1.1. Timeout 3.3.1.2. Comparator Blind Window 3.3.1.3. Calculating the Blind Window and Timeout Period
3.3.2. Injecting Fault x
3.3.2.1. Root Fault Injection 3.3.2.2. Alarm Fault Injection
3.3.4. Debugging the CPU Software using SILENT Mode x
3.3.4.1. Entering SILENT Mode 3.3.4.2. SILENT Mode Limitation 3.3.4.3. Exiting SILENT Mode
3.3.5. Resetting the CPU upon Fault Detection x
3.3.5.1. Basic Reset Control
4. Programming Model x
4.1. Memory Map 4.2. Configuring fRSmartComp during Run-time 4.3. Unlocking and Locking Registers 4.4. Detailed Register Description
4.1. Memory Map x
4.1.1. Memory Map—Part 1 4.1.2. Memory Map—Part 2 4.1.3. Memory Map—Part 3
4.4. Detailed Register Description x
4.4.1. DCLSM Blind Window Control Register - DCLSM_BWCR 4.4.2. All Alarms’ Prior Alarms’ Fault Injection Register - ERRCTRL_ALL_ALARMS_PRIOR_AFI 4.4.3. INTREQ Configuration Register - ERRCTRL_INTREQ_CONF 4.4.4. Timeout Deadline and Status Register - ERRCTRL_TIMEOUT 4.4.5. Timeout Acknowledgment Register - ERRCTRL_TIMEOUT_ACK 4.4.6. Enable Key fRSmartComp Control Register - ERRCTRL_ENABLE_KEY 4.4.7. Root Fault Injection Control register - ERRCTRL_ROOT_INJ 4.4.8. Alarm Fault Injection Control register - ERRCTRL_ALARM_INJ 4.4.9. Event Mask Configuration register - ERRCTRL_MASKA and ERRCTRL_MASKB 4.4.10. Alarm Routing Configuration register - ERRCTRL_ROUTA and ERRCTRL_ROUTB 4.4.11. Error Controller PGO LOG Reset Control register - ERRCTRL_PGOLOGRST 4.4.12. PGO0 and PGO4 Configuration registers - ERRCTRL_PGO0 and ERRCTRL_PGO4 4.4.13. FN_MODEIN Control Register - ERRCTRL_FNMODEIN 4.4.14. FN_MODEOUT register - ERRCTRL_FNMODEOUT 4.4.15. All Alarms After Fault Injection - ERRCTRL_FNGIALARMS 4.4.16. Error Controller Context Register - ERRCTRL_FNGICTXT4 4.4.17. CMP Mismatch CONTEXT Registers - ERRCTRL_FNGICMPCTXT0 … ERRCTRL_FNGICMPCTXT3 4.4.18. STATISTICS registers: ERRCTRL_FNGISTAT0 and ERRCTRL_FNGISTAT4 4.4.19. State register - ERRCTRL_FNPERIPHGI4
5. Signals, Interfaces, and Build Parameters x
5.1. Configuration Interface 5.2. System Interface 5.3. fRNET Interface 5.4. IP Parameters
5.3. fRNET Interface x
5.3.1. CONFIG 5.3.2. INFO
6. Using Nios® V Processor Lock Step x
6.1. Instantiating Lockstep-Enabled Processor 6.2. Connecting Signals and Interfaces 6.3. Compiling Design 6.4. Implementing Startup Procedure 6.5. Applying Optional Injection for Validation 6.6. Detecting Faults 6.7. Handling Faults (Safety Use Case)
6.2. Connecting Signals and Interfaces x
6.2.1. Connecting Clock and Reset 6.2.2. Connecting Configuration Interface 6.2.3. Connecting System Interface
6.2.1. Connecting Clock and Reset x
6.2.1.1. Clock 6.2.1.2. Reset
6.2.3. Connecting System Interface x
6.2.3.1. Asynchronous Reset Interface 6.2.3.2. CPU Halt and Restart Acknowledgment Interface 6.2.3.3. Silent Mode Interface 6.2.3.4. Output Qualification (TERMS_LEFT and TERMS_RIGHT) 6.2.3.5. Interrupt Request (INTREQ) 6.2.3.6. ALARMS Interfaces 6.2.3.7. Connecting fRNET Interface
6.7. Handling Faults (Safety Use Case) x
6.7.1. UC_01: Standard Fail Safe or No Availability 6.7.2. UC_02: False Positive Avoidance 6.7.3. UC_03: Timeout on System Reset or After Fault Detection
1. About the Nios® V Processor Lockstep
2. Overview
3. Controlling the Nios® V Processor Lockstep
4. Programming Model
5. Signals, Interfaces, and Build Parameters
6. Using Nios® V Processor Lock Step
A. Document Revision History for the Nios® V Processor: Lockstep Implementation
B. Appendix

2.2.1. System Phases

Figure 5. System Phases and Timing Relationship
Table 3.  System Phases and Timing Relationship
System Phases Description Timing Relationship
Detection

The self–checking comparator detects a fault in one of the two Nios® V processor CPUs or the fRSmartComp itself.

Detection Time Interval (DTI)
  • Related to faults occurring in the CPUs in the order of various clock cycles (≤5).
  • The time between the fault exiting the CPU (CPU boundary) and the fRSmartComp alarm generation.
Insulation

The subsystem composed of the two Nios® V processor CPUs and the fRSmartComp is optionally isolated from the rest of the integrated circuit. The CPUs are put in halt debug mode, stopping the execution of the application software. This may be performed to prevent data contamination toward the rest of the system.

Insulation Time Internal (ISTI)
  • The time between the fRSmartComp alarm generation and the Nios® V processor subsystem isolation.
Repair

The fRSmartComp performs actions (with the System Supervisor) implementing failure-control scenarios to recover the system from a faulty state.

Repair Time Interval (RTI)
  • Enforced within the fRSmartComp with a timeout-checking mechanism to control the duration of recovery actions.
  • The timeout ensures that a faulty condition never prevents the application from executing the planned failure control actions. Should the timeout expire, an alarm may eventually be fired.

The fRSmartComp provides the following functions to support the abilities described above:

  • CPU Fault detection: Comparators detecting improper behavior of the processors.
  • Timeout: The fRSmartComp checks for the correct evolution of the system. For instance, checks for System Supervisor access on fRSmartComp:
    • After asynchronous reset within a specific time.
    • After alarm generation within a specific time.
  • Counters: The fRSmartComp checks for the number of fRSmartComp restarts done in a specific time frame to avoid “endless loops” problems.
  • Specialized safety mechanisms: Diagnose latent faults internal to the fRSmartComp.

After fault detection, the fRSmartComp can execute programmable actions (i.e., issue interrupt to the System Supervisor). Upon receiving the interrupt, the system supervisor can carry out the failure control actions.

The following figure schematically represents the high-level process governing the fRSmartComp from the beginning of the first activation (after reset) to when it passes the control to the system Supervisor and goes into an inactive functional state. After an alarm generation, you must explicitly restart the fRSmartComp using the System Supervisor. It is crucial that the System Supervisor always have full control over the fRSmartComp.

The fRSmartComp is in “ON-LINE” mode until it detects an error and generates an alarm. After that, it transitions into “OFF-LINE” mode, implementing a failure control action (either asserting a safe state or executing a restart).

Figure 6. High-level Process of fRSmartComp
Level Two Title