Nios® V Processor: Lockstep Implementation

Download PDF
ID 833274
Date 10/07/2024
Public
Document Table of Contents
Document Table of Contents x
1. About the Nios® V Processor Lockstep 2. Overview 3. Controlling the Nios® V Processor Lockstep 4. Programming Model 5. Signals, Interfaces, and Build Parameters 6. Using Nios® V Processor Lock Step A. Document Revision History for the Nios® V Processor: Lockstep Implementation B. Appendix
1. About the Nios® V Processor Lockstep x
1.1. Nios® V Processor Lockstep Features
2. Overview x
2.1. Introduction 2.2. Main Principles 2.3. Operating Modes 2.4. Resets 2.5. LOGS Information
2.2. Main Principles x
2.2.1. System Phases 2.2.2. System States 2.2.3. Safety Mechanisms
2.2.2. System States x
2.2.2.1. Transitioning between System States
2.2.3. Safety Mechanisms x
2.2.3.1. Self-Checking Comparator 2.2.3.2. Timeout Timer 2.2.3.3. Enable Counters 2.2.3.4. Specialized Safety Mechanism
2.3. Operating Modes x
2.3.1. NORMAL and SILENT Modes
2.4. Resets x
2.4.1. Resetting CORE 2.4.2. Resetting OPTIONS 2.4.3. Resetting LOGS 2.4.4. Resetting Time Diversity Register
2.5. LOGS Information x
2.5.1. ALARMS 2.5.2. CONTEXT 2.5.3. STATISTICS 2.5.4. Reset LOGS
2.5.1. ALARMS x
2.5.1.1. Configuring Alarm Severity
3. Controlling the Nios® V Processor Lockstep x
3.1. Configuration Interface 3.2. fRNET Interface 3.3. Controlling the Elective Features
3.3. Controlling the Elective Features x
3.3.1. Applying Timeout and Comparator Blind Window 3.3.2. Injecting Fault 3.3.3. Downloading the CPU Software 3.3.4. Debugging the CPU Software using SILENT Mode 3.3.5. Resetting the CPU upon Fault Detection
3.3.1. Applying Timeout and Comparator Blind Window x
3.3.1.1. Timeout 3.3.1.2. Comparator Blind Window 3.3.1.3. Calculating the Blind Window and Timeout Period
3.3.2. Injecting Fault x
3.3.2.1. Root Fault Injection 3.3.2.2. Alarm Fault Injection
3.3.4. Debugging the CPU Software using SILENT Mode x
3.3.4.1. Entering SILENT Mode 3.3.4.2. SILENT Mode Limitation 3.3.4.3. Exiting SILENT Mode
3.3.5. Resetting the CPU upon Fault Detection x
3.3.5.1. Basic Reset Control
4. Programming Model x
4.1. Memory Map 4.2. Configuring fRSmartComp during Run-time 4.3. Unlocking and Locking Registers 4.4. Detailed Register Description
4.1. Memory Map x
4.1.1. Memory Map—Part 1 4.1.2. Memory Map—Part 2 4.1.3. Memory Map—Part 3
4.4. Detailed Register Description x
4.4.1. DCLSM Blind Window Control Register - DCLSM_BWCR 4.4.2. All Alarms’ Prior Alarms’ Fault Injection Register - ERRCTRL_ALL_ALARMS_PRIOR_AFI 4.4.3. INTREQ Configuration Register - ERRCTRL_INTREQ_CONF 4.4.4. Timeout Deadline and Status Register - ERRCTRL_TIMEOUT 4.4.5. Timeout Acknowledgment Register - ERRCTRL_TIMEOUT_ACK 4.4.6. Enable Key fRSmartComp Control Register - ERRCTRL_ENABLE_KEY 4.4.7. Root Fault Injection Control register - ERRCTRL_ROOT_INJ 4.4.8. Alarm Fault Injection Control register - ERRCTRL_ALARM_INJ 4.4.9. Event Mask Configuration register - ERRCTRL_MASKA and ERRCTRL_MASKB 4.4.10. Alarm Routing Configuration register - ERRCTRL_ROUTA and ERRCTRL_ROUTB 4.4.11. Error Controller PGO LOG Reset Control register - ERRCTRL_PGOLOGRST 4.4.12. PGO0 and PGO4 Configuration registers - ERRCTRL_PGO0 and ERRCTRL_PGO4 4.4.13. FN_MODEIN Control Register - ERRCTRL_FNMODEIN 4.4.14. FN_MODEOUT register - ERRCTRL_FNMODEOUT 4.4.15. All Alarms After Fault Injection - ERRCTRL_FNGIALARMS 4.4.16. Error Controller Context Register - ERRCTRL_FNGICTXT4 4.4.17. CMP Mismatch CONTEXT Registers - ERRCTRL_FNGICMPCTXT0 … ERRCTRL_FNGICMPCTXT3 4.4.18. STATISTICS registers: ERRCTRL_FNGISTAT0 and ERRCTRL_FNGISTAT4 4.4.19. State register - ERRCTRL_FNPERIPHGI4
5. Signals, Interfaces, and Build Parameters x
5.1. Configuration Interface 5.2. System Interface 5.3. fRNET Interface 5.4. IP Parameters
5.3. fRNET Interface x
5.3.1. CONFIG 5.3.2. INFO
6. Using Nios® V Processor Lock Step x
6.1. Instantiating Lockstep-Enabled Processor 6.2. Connecting Signals and Interfaces 6.3. Compiling Design 6.4. Implementing Startup Procedure 6.5. Applying Optional Injection for Validation 6.6. Detecting Faults 6.7. Handling Faults (Safety Use Case)
6.2. Connecting Signals and Interfaces x
6.2.1. Connecting Clock and Reset 6.2.2. Connecting Configuration Interface 6.2.3. Connecting System Interface
6.2.1. Connecting Clock and Reset x
6.2.1.1. Clock 6.2.1.2. Reset
6.2.3. Connecting System Interface x
6.2.3.1. Asynchronous Reset Interface 6.2.3.2. CPU Halt and Restart Acknowledgment Interface 6.2.3.3. Silent Mode Interface 6.2.3.4. Output Qualification (TERMS_LEFT and TERMS_RIGHT) 6.2.3.5. Interrupt Request (INTREQ) 6.2.3.6. ALARMS Interfaces 6.2.3.7. Connecting fRNET Interface
6.7. Handling Faults (Safety Use Case) x
6.7.1. UC_01: Standard Fail Safe or No Availability 6.7.2. UC_02: False Positive Avoidance 6.7.3. UC_03: Timeout on System Reset or After Fault Detection Timeout on System Reset Exit Timeout after Fault Detection
1. About the Nios® V Processor Lockstep
2. Overview
3. Controlling the Nios® V Processor Lockstep
4. Programming Model
5. Signals, Interfaces, and Build Parameters
6. Using Nios® V Processor Lock Step
A. Document Revision History for the Nios® V Processor: Lockstep Implementation
B. Appendix

6.7.3. UC_03: Timeout on System Reset or After Fault Detection

The fRSmartComp programmable Timeout feature allows the following use cases. Examples of timeout can be found in the previous Use Cases’ flowchart.

Timeout on System Reset Exit

After the asynchronous system reset, a severe alarm (OKNOK) is generated if:

  • System Supervisor does not send timeout acknowledgment to fRSmartComp, or
  • fRSmartComp does not receive timeout acknowledgment from System Supervisor.

Both sender and receiver have to put in a safe state because:

  • Either side might be stuck, or
  • It is unable to operate due to different fault causes.

This scenario adds an additional mechanism to the standard external watchdog, which is not active after the reset, thus improving robustness.

Timeout after Fault Detection

After a fault detection (entering FCS state), a severe alarm (OKNOK) is generated on the expiration of a timeout, indicating that the System Supervisor is unable to access the fRSmartComp anymore.

Level Two Title