Hardware module integrity during run-time is a critical functional safety requirement. Hardware redundancy implemented by the lockstep CPU architecture (two CPUs executing the same function with their outputs continuously compared) is a proven method for achieving high diagnostic coverage of both permanent and transient faults. The Lockstep Comparator Module (LCM) compares the outputs of the CPUs to detect permanent and transient faults.
The LCM implements the following features:
- Pipelined architecture
- Redundant comparison
- Self-test capability
- Match and mismatch test
- Error forcing capability
- Temporal redundancy: The operation of the two modules is skewed by two cycles to address common cause failures such as failure of the clock, power, and so on. This skew provides temporal redundancy.
- Spatial redundancy: In the lockstep architecture, module instances are redundantly instantiated and their outputs are compared. Redundant instantiation provides spatial redundancy.
- Non-delayed functional output path, so the system sees non-delayed CPU execution while temporal redundancy is still in place.
- Register protection of the module's critical memory-mapped registers using a parity scheme.
Figure 7-22 shows the LCM block diagram.
Figure 7-22 LCM Block Diagram
Note: The Module described in this block diagram can be either a CPU (for example, CPU1) or a peripheral (for example, RTDMA), depending on availability for the device.
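As an added illustration (not TI's LCM implementation or register map), the following C model of a two-cycle skewed comparator shows how a delay line aligns the two modules' outputs, why the functional output path stays undelayed, and how error forcing drives the match and mismatch self-test. SKEW, lcm_clock, lcm_run, work, the fault bit and the sticky mismatch flag are all constructed for this model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a lockstep comparator; not TI's LCM logic or register map.
 * Module B starts SKEW cycles after module A, so A's output goes through a
 * SKEW-deep delay line before comparison, while the functional output path
 * returns A's value undelayed. */
#define SKEW 2

typedef struct {
    uint32_t delay_line[SKEW]; /* A's last SKEW outputs, oldest at head */
    unsigned head;
    uint32_t force_mask;       /* XORed into the delayed A path: error forcing */
    bool mismatch;             /* sticky flag, as a comparator would latch it */
} lcm_t;

/* One clock: a_out is A's output now, b_out is B's output now (what A computed
 * SKEW cycles ago). Comparison starts once the delay line has filled. */
uint32_t lcm_clock(lcm_t *l, unsigned cycle, uint32_t a_out, uint32_t b_out)
{
    uint32_t a_delayed = l->delay_line[l->head];
    l->delay_line[l->head] = a_out;
    l->head = (l->head + 1) % SKEW;
    if (cycle >= SKEW && (a_delayed ^ l->force_mask) != b_out)
        l->mismatch = true;
    return a_out; /* non-delayed functional output */
}
static uint32_t work(uint32_t i) { return i * 2654435761u + 7u; } /* stand-in module work */

/* Run n cycles with B lagging A by SKEW cycles. If fault_cycle < n, corrupt B's
 * output on that cycle (constructed transient fault). force_mask != 0 exercises
 * error forcing. Returns whether the comparator flagged a mismatch. */
bool lcm_run(unsigned n, unsigned fault_cycle, uint32_t force_mask)
{
    lcm_t l;
    memset(&l, 0, sizeof l);
    l.force_mask = force_mask;
    for (unsigned c = 0; c < n; c++) {
        uint32_t b = (c >= SKEW) ? work(c - SKEW) : 0;
        if (c == fault_cycle) b ^= 0x10u; /* single-bit upset on B's output */
        lcm_clock(&l, c, work(c), b);
    }
    return l.mismatch;
}

/* Self-test: the match test (no fault, no forcing) must stay clean and the
 * mismatch test (error forcing on) must flag, or the comparator itself is suspect. */
bool lcm_self_test(void) { return !lcm_run(16, 1000, 0) && lcm_run(16, 1000, 1u); }
```

A fault injected on B before the delay line has filled is never compared, which is why the match test runs for more cycles than SKEW.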