Nios® V Processor: Lockstep Implementation

Download PDF
ID 833274
Date 10/07/2024
Public
Document Table of Contents
Document Table of Contents x
1. About the Nios® V Processor Lockstep 2. Overview 3. Controlling the Nios® V Processor Lockstep 4. Programming Model 5. Signals, Interfaces, and Build Parameters 6. Using Nios® V Processor Lock Step A. Document Revision History for the Nios® V Processor: Lockstep Implementation B. Appendix
1. About the Nios® V Processor Lockstep x
1.1. Nios® V Processor Lockstep Features
2. Overview x
2.1. Introduction 2.2. Main Principles 2.3. Operating Modes 2.4. Resets 2.5. LOGS Information
2.2. Main Principles x
2.2.1. System Phases 2.2.2. System States 2.2.3. Safety Mechanisms
2.2.2. System States x
2.2.2.1. Transitioning between System States
2.2.3. Safety Mechanisms x
2.2.3.1. Self-Checking Comparator 2.2.3.2. Timeout Timer 2.2.3.3. Enable Counters 2.2.3.4. Specialized Safety Mechanism
2.3. Operating Modes x
2.3.1. NORMAL and SILENT Modes
2.4. Resets x
2.4.1. Resetting CORE 2.4.2. Resetting OPTIONS 2.4.3. Resetting LOGS 2.4.4. Resetting Time Diversity Register
2.5. LOGS Information x
2.5.1. ALARMS 2.5.2. CONTEXT 2.5.3. STATISTICS 2.5.4. Reset LOGS
2.5.1. ALARMS x
2.5.1.1. Configuring Alarm Severity
3. Controlling the Nios® V Processor Lockstep x
3.1. Configuration Interface 3.2. fRNET Interface 3.3. Controlling the Elective Features
3.3. Controlling the Elective Features x
3.3.1. Applying Timeout and Comparator Blind Window 3.3.2. Injecting Fault 3.3.3. Downloading the CPU Software 3.3.4. Debugging the CPU Software using SILENT Mode 3.3.5. Resetting the CPU upon Fault Detection
3.3.1. Applying Timeout and Comparator Blind Window x
3.3.1.1. Timeout 3.3.1.2. Comparator Blind Window 3.3.1.3. Calculating the Blind Window and Timeout Period
3.3.2. Injecting Fault x
3.3.2.1. Root Fault Injection 3.3.2.2. Alarm Fault Injection
3.3.4. Debugging the CPU Software using SILENT Mode x
3.3.4.1. Entering SILENT Mode 3.3.4.2. SILENT Mode Limitation 3.3.4.3. Exiting SILENT Mode
3.3.5. Resetting the CPU upon Fault Detection x
3.3.5.1. Basic Reset Control
4. Programming Model x
4.1. Memory Map 4.2. Configuring fRSmartComp during Run-time 4.3. Unlocking and Locking Registers 4.4. Detailed Register Description
4.1. Memory Map x
4.1.1. Memory Map—Part 1 4.1.2. Memory Map—Part 2 4.1.3. Memory Map—Part 3
4.4. Detailed Register Description x
4.4.1. DCLSM Blind Window Control Register - DCLSM_BWCR 4.4.2. All Alarms’ Prior Alarms’ Fault Injection Register - ERRCTRL_ALL_ALARMS_PRIOR_AFI 4.4.3. INTREQ Configuration Register - ERRCTRL_INTREQ_CONF 4.4.4. Timeout Deadline and Status Register - ERRCTRL_TIMEOUT 4.4.5. Timeout Acknowledgment Register - ERRCTRL_TIMEOUT_ACK 4.4.6. Enable Key fRSmartComp Control Register - ERRCTRL_ENABLE_KEY 4.4.7. Root Fault Injection Control register - ERRCTRL_ROOT_INJ 4.4.8. Alarm Fault Injection Control register - ERRCTRL_ALARM_INJ 4.4.9. Event Mask Configuration register - ERRCTRL_MASKA and ERRCTRL_MASKB 4.4.10. Alarm Routing Configuration register - ERRCTRL_ROUTA and ERRCTRL_ROUTB 4.4.11. Error Controller PGO LOG Reset Control register - ERRCTRL_PGOLOGRST 4.4.12. PGO0 and PGO4 Configuration registers - ERRCTRL_PGO0 and ERRCTRL_PGO4 4.4.13. FN_MODEIN Control Register - ERRCTRL_FNMODEIN 4.4.14. FN_MODEOUT register - ERRCTRL_FNMODEOUT 4.4.15. All Alarms After Fault Injection - ERRCTRL_FNGIALARMS 4.4.16. Error Controller Context Register - ERRCTRL_FNGICTXT4 4.4.17. CMP Mismatch CONTEXT Registers - ERRCTRL_FNGICMPCTXT0 … ERRCTRL_FNGICMPCTXT3 4.4.18. STATISTICS registers: ERRCTRL_FNGISTAT0 and ERRCTRL_FNGISTAT4 4.4.19. State register - ERRCTRL_FNPERIPHGI4
5. Signals, Interfaces, and Build Parameters x
5.1. Configuration Interface 5.2. System Interface 5.3. fRNET Interface 5.4. IP Parameters
5.3. fRNET Interface x
5.3.1. CONFIG 5.3.2. INFO
6. Using Nios® V Processor Lock Step x
6.1. Instantiating Lockstep-Enabled Processor 6.2. Connecting Signals and Interfaces 6.3. Compiling Design 6.4. Implementing Startup Procedure 6.5. Applying Optional Injection for Validation 6.6. Detecting Faults 6.7. Handling Faults (Safety Use Case)
6.2. Connecting Signals and Interfaces x
6.2.1. Connecting Clock and Reset 6.2.2. Connecting Configuration Interface 6.2.3. Connecting System Interface
6.2.1. Connecting Clock and Reset x
6.2.1.1. Clock 6.2.1.2. Reset
6.2.3. Connecting System Interface x
6.2.3.1. Asynchronous Reset Interface 6.2.3.2. CPU Halt and Restart Acknowledgment Interface 6.2.3.3. Silent Mode Interface 6.2.3.4. Output Qualification (TERMS_LEFT and TERMS_RIGHT) 6.2.3.5. Interrupt Request (INTREQ) 6.2.3.6. ALARMS Interfaces 6.2.3.7. Connecting fRNET Interface
6.7. Handling Faults (Safety Use Case) x
6.7.1. UC_01: Standard Fail Safe or No Availability 6.7.2. UC_02: False Positive Avoidance 6.7.3. UC_03: Timeout on System Reset or After Fault Detection
1. About the Nios® V Processor Lockstep
2. Overview
3. Controlling the Nios® V Processor Lockstep
4. Programming Model
5. Signals, Interfaces, and Build Parameters
6. Using Nios® V Processor Lock Step
A. Document Revision History for the Nios® V Processor: Lockstep Implementation
B. Appendix

6.7.2. UC_02: False Positive Avoidance

Self-diagnostic is specialized logic that detects faults from the fRSmartComp comparator. It is provided inside the fRSmartComp itself, with the aim of discriminating comparator true errors from the CPUs or the comparator itself.

You can detect “false positive” signaling flagged by fRSmartComp and decide, according to the specific applications, whether to continue running the application software for a certain time, using the primary CPU, or guarantee some basic functionality to the system.

The discrimination of a false error from a true error is achieved by means of ALARM3 and ALARM4 provided by the fRSmartComp:

  • ALARM3 – Categorized as a WARNING due to the faults being determined as a false positive (false error). It originated from fRSmartComp.
  • ALARM4 – Categorized as ERROR due to the faults is determined as true positive (true error). It originated from either fRSmartComp or CPUs.

As described in the topic Functionality of Self-Checking Comparator, the fRSmartComp generates both ALARM1 and ALARM2 before the self-diagnostic begins. The System Supervisor manages these alarms to decide which level of failure control to apply with respect to the specific application safety requirements.

Altera recommends to introduce an INTREQ-driven routine for the System Supervisor alarm management. Example of the INTREQ-driven routine:

  1. Upon INTREQ, the System Supervisor polls for the fRSmartComp self-diagnostic results (ALARM3 and ALARM4).
  2. If ALARM3 is activated:
    1. The fault is in fRSmartComp.
    2. The System Supervisor restarts the fRSmartComp.
    3. The Host CPU can proceed with its application.
  3. If ALARM4 is activated:
    1. The fault is in both CPUs and fRSmartComp.
    2. The fault is categorized as ERROR by fRSmartComp.
    3. fRSmartComp sets the primary OKNOK output to NOT_OK.
    4. System Supervisor uses the NOT_OK status to put the system in safe state.
    5. The system is permanently kept in safe state mode.

To simplify the flow diagram, the following fRSmartComp configurations are grouped and labeled as CONF_2:

  • To configure ALARM severity:
    1. Set ALARM1 to WARNING
    2. Set ALARM2 to WARNING
    3. Set ALARM3 to WARNING
    4. Set ALARM4 to ERROR
    5. Set ALARM16 to ERROR
    6. Set ALARM18 to ERROR
  • If INTREQ signal is used, set INTREQ configuration as 6’b011001 to generate interrupt upon WARNING.
Figure 26. False Positive Avoidance Flowchart Diagram
Level Two Title