Nios® V Processor: Lockstep Implementation

Download PDF
ID 833274
Date 10/07/2024
Public
Document Table of Contents
Document Table of Contents x
1. About the Nios® V Processor Lockstep 2. Overview 3. Controlling the Nios® V Processor Lockstep 4. Programming Model 5. Signals, Interfaces, and Build Parameters 6. Using Nios® V Processor Lock Step A. Document Revision History for the Nios® V Processor: Lockstep Implementation B. Appendix
1. About the Nios® V Processor Lockstep x
1.1. Nios® V Processor Lockstep Features
2. Overview x
2.1. Introduction 2.2. Main Principles 2.3. Operating Modes 2.4. Resets 2.5. LOGS Information
2.2. Main Principles x
2.2.1. System Phases 2.2.2. System States 2.2.3. Safety Mechanisms
2.2.2. System States x
2.2.2.1. Transitioning between System States
2.2.3. Safety Mechanisms x
2.2.3.1. Self-Checking Comparator 2.2.3.2. Timeout Timer 2.2.3.3. Enable Counters 2.2.3.4. Specialized Safety Mechanism
2.3. Operating Modes x
2.3.1. NORMAL and SILENT Modes
2.4. Resets x
2.4.1. Resetting CORE 2.4.2. Resetting OPTIONS 2.4.3. Resetting LOGS 2.4.4. Resetting Time Diversity Register
2.5. LOGS Information x
2.5.1. ALARMS 2.5.2. CONTEXT 2.5.3. STATISTICS 2.5.4. Reset LOGS
2.5.1. ALARMS x
2.5.1.1. Configuring Alarm Severity
3. Controlling the Nios® V Processor Lockstep x
3.1. Configuration Interface 3.2. fRNET Interface 3.3. Controlling the Elective Features
3.3. Controlling the Elective Features x
3.3.1. Applying Timeout and Comparator Blind Window 3.3.2. Injecting Fault 3.3.3. Downloading the CPU Software 3.3.4. Debugging the CPU Software using SILENT Mode 3.3.5. Resetting the CPU upon Fault Detection
3.3.1. Applying Timeout and Comparator Blind Window x
3.3.1.1. Timeout 3.3.1.2. Comparator Blind Window 3.3.1.3. Calculating the Blind Window and Timeout Period
3.3.2. Injecting Fault x
3.3.2.1. Root Fault Injection 3.3.2.2. Alarm Fault Injection
3.3.4. Debugging the CPU Software using SILENT Mode x
3.3.4.1. Entering SILENT Mode 3.3.4.2. SILENT Mode Limitation 3.3.4.3. Exiting SILENT Mode
3.3.5. Resetting the CPU upon Fault Detection x
3.3.5.1. Basic Reset Control
4. Programming Model x
4.1. Memory Map 4.2. Configuring fRSmartComp during Run-time 4.3. Unlocking and Locking Registers 4.4. Detailed Register Description
4.1. Memory Map x
4.1.1. Memory Map—Part 1 4.1.2. Memory Map—Part 2 4.1.3. Memory Map—Part 3
4.4. Detailed Register Description x
4.4.1. DCLSM Blind Window Control Register - DCLSM_BWCR 4.4.2. All Alarms’ Prior Alarms’ Fault Injection Register - ERRCTRL_ALL_ALARMS_PRIOR_AFI 4.4.3. INTREQ Configuration Register - ERRCTRL_INTREQ_CONF 4.4.4. Timeout Deadline and Status Register - ERRCTRL_TIMEOUT 4.4.5. Timeout Acknowledgment Register - ERRCTRL_TIMEOUT_ACK 4.4.6. Enable Key fRSmartComp Control Register - ERRCTRL_ENABLE_KEY 4.4.7. Root Fault Injection Control register - ERRCTRL_ROOT_INJ 4.4.8. Alarm Fault Injection Control register - ERRCTRL_ALARM_INJ 4.4.9. Event Mask Configuration register - ERRCTRL_MASKA and ERRCTRL_MASKB 4.4.10. Alarm Routing Configuration register - ERRCTRL_ROUTA and ERRCTRL_ROUTB 4.4.11. Error Controller PGO LOG Reset Control register - ERRCTRL_PGOLOGRST 4.4.12. PGO0 and PGO4 Configuration registers - ERRCTRL_PGO0 and ERRCTRL_PGO4 4.4.13. FN_MODEIN Control Register - ERRCTRL_FNMODEIN 4.4.14. FN_MODEOUT register - ERRCTRL_FNMODEOUT 4.4.15. All Alarms After Fault Injection - ERRCTRL_FNGIALARMS 4.4.16. Error Controller Context Register - ERRCTRL_FNGICTXT4 4.4.17. CMP Mismatch CONTEXT Registers - ERRCTRL_FNGICMPCTXT0 … ERRCTRL_FNGICMPCTXT3 4.4.18. STATISTICS registers: ERRCTRL_FNGISTAT0 and ERRCTRL_FNGISTAT4 4.4.19. State register - ERRCTRL_FNPERIPHGI4
5. Signals, Interfaces, and Build Parameters x
5.1. Configuration Interface 5.2. System Interface 5.3. fRNET Interface 5.4. IP Parameters
5.3. fRNET Interface x
5.3.1. CONFIG 5.3.2. INFO
6. Using Nios® V Processor Lock Step x
6.1. Instantiating Lockstep-Enabled Processor 6.2. Connecting Signals and Interfaces 6.3. Compiling Design 6.4. Implementing Startup Procedure 6.5. Applying Optional Injection for Validation 6.6. Detecting Faults 6.7. Handling Faults (Safety Use Case)
6.2. Connecting Signals and Interfaces x
6.2.1. Connecting Clock and Reset 6.2.2. Connecting Configuration Interface 6.2.3. Connecting System Interface
6.2.1. Connecting Clock and Reset x
6.2.1.1. Clock 6.2.1.2. Reset
6.2.3. Connecting System Interface x
6.2.3.1. Asynchronous Reset Interface 6.2.3.2. CPU Halt and Restart Acknowledgment Interface 6.2.3.3. Silent Mode Interface 6.2.3.4. Output Qualification (TERMS_LEFT and TERMS_RIGHT) 6.2.3.5. Interrupt Request (INTREQ) 6.2.3.6. ALARMS Interfaces 6.2.3.7. Connecting fRNET Interface
6.7. Handling Faults (Safety Use Case) x
6.7.1. UC_01: Standard Fail Safe or No Availability 6.7.2. UC_02: False Positive Avoidance 6.7.3. UC_03: Timeout on System Reset or After Fault Detection
1. About the Nios® V Processor Lockstep
2. Overview
3. Controlling the Nios® V Processor Lockstep
4. Programming Model
5. Signals, Interfaces, and Build Parameters
6. Using Nios® V Processor Lock Step
A. Document Revision History for the Nios® V Processor: Lockstep Implementation
B. Appendix

2.2.3.1. Self-Checking Comparator

This safety mechanism flags if the two CPUs behave differently by comparing their outputs every clock cycle. It is like the traditional comparator used in a standard DCLS. The comparator also includes time diversity features; the two CPUs work two clock cycles apart (the Agent CPU is two clock cycles behind the Host CPU). In addition, the comparator is duplicated to ensure the detection of faults that may be affecting the comparator itself.
Figure 8. Self-Checking Comparator
The fRSmartComp consists of the following comparators:
  1. Main comparator—combinatorial comparator comparing all the CPU outputs at each clock cycle.
  2. Second comparator—combinatorial comparator comparing all the CPU outputs at each clock cycle as redundancy.
  3. Self-diagnostic comparator-time-multiplexed comparator, activated after a detection mismatch between the Main and Second comparators. Requires a maximum of 64 clock cycles since the comparator mismatch.
Table 5.  Mismatch Events and Outcome
No Mismatch Event Outcome
Main Second Self-diagnostics
1 - - N/A No mismatch detected.
2 N/A

Detects mismatch in the Main and Second comparator. Thus, both comparators agree.

  • Activates ALARM0 or ALARM1 (based on DISABLED state).
3 - -

Detects mismatch in either the Main or Second comparator. Thus, both comparators disagree and initiate a Self-diagnostic comparator.

No mismatch was detected by the Self-diagnostic comparator. The fault is from fRSmartComp.

  • Activates ALARM0 or ALARM1 (based on DISABLED state).
  • Activates ALARM2.
  • Activates ALARM3.
- -
4 -

Detects mismatch in either the Main or Second comparator. Thus, both comparators disagree and initiate a Self-diagnostic comparator.

Detects mismatch in Self-diagnostic comparator. The fault is from fRSmartComp and CPU.

  • Activates ALARM0 or ALARM1 (based on DISABLED state).
  • Activates ALARM2.
  • Activates ALARM4
-

As shown in the above table, the comparators generate five different alarms to allow maximum usage flexibility. After initiating a comparator self-detection, if the fRSmartComp is not in a DISABLED state, the System Supervisor waits until the end of the self-diagnostic comparison is completed by polling ALARM3 and ALARM4, as either is generated.

The system supervisor can use the configurable severity feature (refer to the topic Configuring Alarm Severity) to implement several failure control strategies. For example, ALARM3 can be classified as a WARNING, while ALARM4 can be classified as an ERROR.

Figure 9. Timing Diagram (Mismatch Event 3)

The fRSmartComp comparators utilize the concept of "comparator slice." Each comparator slice consists of a group of Nios® V processor outputs to be compared, with each Nios® V processor output being associated with a single comparator slice.

The comparator functionality allows Fault Injection to be performed on a selected programmable comparator slice, refer to the topic Injecting Fault. Whenever fRSmartComp detects a comparator mismatch, it provides the ID of the slices that produced it.

Related Information
Level Two Title