KR102738225B1 - Triple module control apparatus with reliability verification function - Google Patents

Abstract

The present invention relates to a triple module control device having a reliability verification function, and more particularly, to a triple module control device including three RISC-V-based processors, and having a reliability verification function for detecting a stage block in which an error has occurred in a pipeline structure of a processor in which an error has occurred among the three processors, and restoring the function of the block in which the error has occurred through an eFPGA to ensure operational stability and reliability. The present invention supports, in a triple-module control device including three RISC-V-based processor units, the detection of whether an error has occurred at each stage according to a pipeline structure of a verification target processor unit whose instruction execution result is inconsistent with the remaining processor units, and, at the same time, ensuring the continuity and stability of the triple-module control device by maintaining the operation of the remaining processor units when verifying whether an error has occurred in the verification target processor unit, and, if no error is detected in the verification target processor unit, the detection of whether an error has occurred at each stage for the remaining processor units is performed, thereby accurately and quickly specifying the processor unit in which an error has occurred among the three processor units, thereby stopping the use of the processor unit in which the error has occurred and operating only the normal processor unit, thereby preventing the propagation of an error in a device or system to which the triple-module control device is applied, ensuring stability and reliability, and ensuring stable operation continuity of the device or system.

Description

Triple module control apparatus with reliability verification function {Triple module control apparatus with reliability verification function}

The present invention relates to a triple module control device having a reliability verification function, and more particularly, to a triple module control device including three RISC-V-based processors, and having a reliability verification function for detecting a stage block in which an error has occurred in a pipeline structure of a processor in which an error has occurred among the three processors, and restoring the function of the block in which the error has occurred through an eFPGA to ensure operational stability and reliability.

The RISC-V processor is an open-source instruction set architecture (ISA) that uses the RISC (Reduced Instruction Set Computer) method, and unlike other similar commercial central processing units (CPUs), it is open for free use.

Recently, these computing devices are being used as semiconductors for high-performance devices such as automobiles and aerospace aircraft. These high-performance devices may experience fatal problems if the operation of the computing devices stops or errors occur, so the stable operation and reliability of the computing devices are becoming more important issues than ever.

In particular, the computing devices used in spacecraft can be exposed to harsh conditions such as cosmic radiation, and cosmic radiation such as heavy particles can damage the processors of the computing devices. According to recent studies, the possibility of damage from cosmic radiation has been reported, although the probability is very low, in automotive control function semiconductors, and in order to improve this situation, global semiconductor manufacturers are adopting DMR (Dual Modula Redundancy) and TMR (Triple Modula Redundancy) structures based on automotive processors. Research is actively being conducted to secure the stability of computing devices in this way.

Currently, in order to secure the stability and reliability of these computing devices, the computing devices have a structure that includes multiple processors, and in the event of an error in one processor, the functions of the computing device are maintained through the remaining processors.

For example, as illustrated in FIG. 1, a conventional computing device may include three processors, and has a structure in which the function of the computing device is maintained through the remaining two processors when an error occurs in one processor. In this triple module structure, a comparison unit is configured internally so that the execution results for the same instruction in each of the three processors can be compared with each other. Accordingly, when the execution result of one of the three processors does not match the rest, it is determined that an error has occurred in the processor, and the use of the specific processor whose execution result does not match the rest is stopped, and the function of the computing device can be maintained through the remaining two processors.

However, there is a problem in that it is impossible to accurately identify which processor among multiple processors has the error based on simple execution result inconsistencies.

That is, there may be cases where a specific processor whose execution result is inconsistent with the rest of the processors is normal and the rest of the processors are abnormal. However, the existing computing device may overlook this and stop using the specific processor, which may cause the computing device to continuously malfunction.

In addition, the existing reliability processor module structure can only detect errors by adding external logic that can detect whether a specific processor error occurs in multiple processor operations as described above, and there is no means to restore the error. This causes a problem that a separate hardware configuration for error restoration of the processor must be added, and this hardware configuration has a problem that it does not conform to the recent trend of requiring miniaturization of the computing device.

Accordingly, it is difficult to ensure the stability and reliability of the computing device by only comparing the execution results of multiple processors constituting the computing device and operating only the remaining processors, excluding one processor whose execution results do not match, and this causes a problem of lowering the stability and reliability of the device using the computing device.

Korean Patent Registration No. 10-2022482

The purpose of the present invention is to support accurately identifying a block in which an error has occurred in the pipeline structure of each processor in a triple-module control device including three RISC-V-based processors, and accurately specifying a processor in which an error has occurred among a plurality of processors based on the identification, and to support restoring the function of the block in which an error has occurred through an eFPGA to ensure the operational stability and reliability of the system.

In addition, the present invention aims to provide a highly reliable control device that can be stably used in error-sensitive fields such as space aircraft and high-performance automobiles, by supporting restoration of a processor by quickly restoring only a specific pipeline stage in which an error has occurred when an error occurs in the processor, thereby maximizing the availability of the device.

According to an embodiment of the present invention, a triple module control device having a reliability verification function, which comprises three RISC-V-based processor units having a pipeline structure composed of a plurality of stage blocks including a patch block, a decode block, an execution block, a memory block, and a rewrite block, and a multiplexing management unit for error verification of the processor units, wherein the patch block, the decode block, and the memory block each have an ECC memory unit that performs error detection and error correction of memory information based on an Error Correcting Code (ECC) to maintain the integrity of memory information for instruction execution, and the multiplexing management unit comprises a verification unit that compares execution results according to instruction execution of the three processor units with each other and verifies whether an error has occurred based on whether the execution results match, a verification operation performing unit that executes an instruction according to a preset instruction set for a verification target processor unit whose instruction execution results among the three processor units do not match those of the remaining processor units when an error has occurred as a result of the verification by the verification unit, and a diagnostic error detection table that is preset to store output information provided by each of the plurality of stage blocks included in the verification target processor unit according to the instruction execution according to the instruction set and instruction execution result information according to the instruction execution by the plurality of stage blocks. By comparison, it can be characterized by including an error detection unit that detects an error occurrence block, which is a stage block in which an error has occurred, and, when the error occurrence block is detected, specifies the processor unit to be verified as the error occurrence processor unit and stops use of the error occurrence processor unit.

As an example related to the present invention, the verification unit may be characterized by stopping the operation of the processor unit identified as the verification target processor unit and maintaining the operation of the remaining processor units other than the verification target processor unit.

As an example related to the present invention, the diagnostic error detection table may be characterized in that, for each of the plurality of stage blocks, expected output information in the case of normal operation is preset for each instruction included in the instruction set, and the error detection unit may be linked to the verification operation performing unit to identify, in the diagnostic error detection table, expected output information preset for a specific instruction of the specific stage block when specific output information is output for a specific instruction in a specific stage block, and compare the identified expected output information with the specific output information to detect whether an error has occurred in the specific stage block based on whether they match, or identify expected execution result information corresponding to the specific instruction in the diagnostic error detection table, and then compare the identified expected execution result information with the instruction execution result information corresponding to the specific instruction to detect whether an error has occurred in the verification target processor based on whether they match.

As an example related to the present invention, the error detection unit may be characterized by comparing the instruction execution result information stored in the register according to the execution of the specific instruction by the plurality of stage blocks with the expected execution result information, and detecting whether an error has occurred in the processor unit to be verified based on whether they match.

As an example related to the present invention, the verification operation execution unit may be characterized in that it causes the verification target processor unit to execute at least one of an arithmetic operation, a logical operation, and a comparison operation according to a first instruction group included in the instruction set, and, in conjunction with the error detection unit, causes the verification target processor unit to execute at least one of a branch operation, a memory read operation, a memory store operation, and a shift operation belonging to a second instruction group included in the instruction set when the error occurrence block is not detected until execution of all instructions belonging to the first instruction group is completed.

As an example related to the present invention, it may be characterized in that the arithmetic operation is ADD, the logical operation is XOR, the comparison operation is SLT, the branch operation is BEQ, the memory read operation is LD, the memory store operation is SB, and the shift operation is SLL.

As an example related to the present invention, the method may further include a memory unit interlocked with the three processor units and the multiplexing management unit, and the verification target processor unit may be characterized by sequentially executing a plurality of instructions included in a set of instructions previously stored in the memory unit under the control of the verification operation performing unit.

As an example related to the present invention, the error detection unit may be characterized in that, if an error occurrence block is not detected as a result of comparing the output information and the instruction execution result information of the processor unit to be verified with the diagnostic error detection table, the error detection unit determines that an error has occurred in the remaining processor units, and in conjunction with the verification unit, activates the operation of the processor unit to be verified while stopping the operation of the remaining processor units, and in conjunction with the verification operation performing unit, executes an instruction according to the instruction set for each of the remaining processor units to detect an error occurrence block in the same manner as the error occurrence block detection process for the processor unit to be verified, and identifies a processor unit in which an error occurrence block is detected among the remaining processor units as an error occurrence processor unit and stops using it.

As an example related to the present invention, the triple module control device may further include an eFPGA unit for restoring a block in which an error has occurred in the error occurrence processor unit, and the multiplexing management unit may further include a restoration unit for generating a restoration block for performing a function of the error occurrence block in the eFPGA unit, transmitting output information of a stage block that transmits output information to the error occurrence block among the plurality of stage blocks to the restoration block, and performing a bypass function for transmitting output information of the restoration block to a stage block that receives output information of the error occurrence block.

As an example related to the present invention, the restoration unit may be characterized in that, when an error occurrence block is detected during execution of an instruction included in the instruction set, the restoration unit, in conjunction with the error detection unit, does not execute subsequent instructions of the instruction set, stops use of an error occurrence processor unit corresponding to the error occurrence block, generates a restoration block corresponding to the error occurrence block, and performs restoration of the error occurrence processor unit to which the error occurrence block belongs.

As an example related to the present invention, the error detection unit may include an interface unit for setting an operating condition for the error detection unit, wherein the error detection unit, when operating under a first operating condition based on input information through the interface unit, causes each of the operating clocks of the remaining processor units excluding the processor unit connected to the recovery block when generating the recovery block to coincide with the operating clock of the processor unit connected to the recovery block, and, when operating under a second operating condition based on the input information, sets the processor unit connected to the recovery block as a spare processor unit when generating the recovery block, and then operates only the remaining processor units excluding the spare processor unit, and when an error occurrence block is detected in at least one of the remaining processor units, activates the spare processor unit and causes the operating clocks of the remaining processor units and the spare processor unit to coincide with each other.

The present invention supports, in a triple-module control device including three RISC-V-based processor units, the detection of whether an error has occurred at each stage according to a pipeline structure of a verification target processor unit whose instruction execution result is inconsistent with the remaining processor units, and, at the same time, ensuring the continuity and stability of the triple-module control device by maintaining the operation of the remaining processor units when verifying whether an error has occurred in the verification target processor unit, and, if no error is detected in the verification target processor unit, the detection of whether an error has occurred at each stage for the remaining processor units is performed, thereby accurately and quickly specifying the processor unit in which an error has occurred among the three processor units, thereby stopping the use of the processor unit in which the error has occurred and operating only the normal processor unit, thereby preventing the propagation of an error in a device or system to which the triple-module control device is applied, ensuring stability and reliability, and ensuring stable operation continuity of the device or system.

In addition, the present invention can restore the processor unit in which an error occurred to a normal state by programming the function of an error occurrence block included in a processor unit in which an error occurred into the eFPGA unit and generating a restoration block, thereby greatly improving the availability of the triple module control device through a dynamic restoration function that can quickly replace only the function in which an error occurred, thereby providing a highly reliable control device that can be used in error-sensitive fields such as aerospace aircraft and high-performance automobiles.

Figure 1 is a block diagram of a computational device including a RISC-V-based processor according to prior art.
FIG. 2 is a configuration diagram of a triple module control device equipped with a reliability verification function according to an embodiment of the present invention.
FIG. 3 is an exemplary operation diagram for pipeline error detection of a triple module control device having a reliability verification function according to an embodiment of the present invention.
FIG. 4 is a flowchart of an error verification method of a triple module control device having a reliability verification function according to an embodiment of the present invention.
FIG. 5 is a flowchart of a restoration method of a triple module control device having a reliability verification function according to an embodiment of the present invention.

It should be noted that the technical terms used in the present invention are only used to describe specific embodiments and are not intended to limit the present invention. In addition, the technical terms used in the present invention should be interpreted as having a meaning generally understood by a person having ordinary skill in the technical field to which the present invention belongs, unless specifically defined to have a different meaning in the present invention, and should not be interpreted in an excessively comprehensive or excessively narrow meaning. In addition, when the technical terms used in the present invention are incorrect technical terms that do not accurately express the idea of the present invention, they should be replaced with technical terms that can be correctly understood by a person skilled in the art and understood. In addition, the general terms used in the present invention should be interpreted as defined in the dictionary or according to the context, and should not be interpreted in an excessively narrow meaning.

In addition, the singular expressions used in the present invention include plural expressions unless the context clearly indicates otherwise. In the present invention, the terms "consisting of" or "comprising" should not be construed as necessarily including all of the various components or various steps described in the invention, and should be construed as not including some of the components or some of the steps, or may further include additional components or steps.

Also, terms including ordinal numbers such as first, second, etc. used in the present invention may be used to describe components, but the components should not be limited by the terms. The terms are used only for the purpose of distinguishing one component from another. For example, without departing from the scope of the present invention, the first component may be referred to as the second component, and similarly, the second component may also be referred to as the first component.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the attached drawings. Regardless of the drawing symbols, identical or similar components are given the same reference numerals and redundant descriptions thereof will be omitted.

In addition, when describing the present invention, if it is judged that a detailed description of a related known technology may obscure the gist of the present invention, the detailed description thereof will be omitted. In addition, it should be noted that the attached drawings are only intended to facilitate easy understanding of the idea of the present invention, and should not be construed as limiting the idea of the present invention by the attached drawings.

Hereinafter, detailed embodiments of the present invention will be described with reference to the drawings.

FIG. 2 is a configuration diagram of a triple module control device (100) (hereinafter, triple module control device (100)) equipped with a reliability verification function according to an embodiment of the present invention.

As described above, a triple module control device (100) according to an embodiment of the present invention may be configured to include a plurality of processor units (120), a multiplexing management unit (130), a memory unit (110), an eFPGA (Embedded FPGA (Field Programmable Gate Array)) unit, etc.

At this time, the plurality of processor units (120) may be composed of three processor units (120), and for example, a first processor unit (120a), a second processor unit (120b), and a third processor unit (120c) may compose the three processor units (120). Here, the first processor unit (120a), the second processor unit (120b), and the third processor unit (120c) may be composed of the same processor having the same internal components.

Hereinafter, the three processor units (120) are referred to as multiple processor units (120).

First, each of the plurality of processor units (120) can perform operations based on information stored in the memory unit (110).

At this time, each of the plurality of processor units (120) may be configured as a RISC (Reduced Instruction Set Computer)-V based processor including a plurality of stage blocks having a pipeline structure.

Additionally, the plurality of stage blocks may be configured to include a fetch block, a decode block, an execute block, a memory block, a write-back block, etc.

In addition, the memory unit (110) may store data to be processed by the processor unit (120), and may also store a command set (diagnostic command set) including one or more commands for error detection of the plurality of processor units (120).

In addition, the multiplexing management unit (130) determines whether an error has occurred based on the instruction execution results for the plurality of processor units, and when an error has occurred, the execution of instructions according to a preset instruction set is controlled for a confirmation target processor unit (120) whose instruction execution results among the plurality of processor units (120) do not match the remaining processor units (120) (other processor units (120)), thereby confirming whether a stage block in which an error has occurred among the plurality of stage blocks forming a pipeline structure in the confirmation target processor unit (120) has been detected, and when detection of an error-occurring stage block in the confirmation target processor unit (120) is confirmed, the confirmation target processor unit (120) is specified as the error-occurring processor unit (120) in which an error has occurred, and the use of the corresponding error-occurring processor unit (120) can be stopped.

At this time, the multiplexing management unit (130) can stop the operation of the processor unit (120) to be verified and then perform a verification operation to detect a stage block in which an error has occurred using a command according to the command set, and the remaining processor units (120) except for the processor unit (120) to be verified can maintain the operating state to maintain the stability and continuity of the triple module control device (100).

In addition, if a stage block in which an error has occurred in the processor unit (120) to be verified is not detected, the multiplexing management unit (130) can determine (judge) that an error has occurred in the remaining processor units (120) excluding the processor unit (120) to be verified, and can operate the processor unit (120) to be verified again and stop the operation of the remaining processor units (120).

In addition, the multiplexing management unit (130) can control the execution of instructions according to a preset instruction set for each of the remaining processor units (120) to detect an error-incurred stage block among the plurality of stage blocks forming a pipeline structure in each processor unit (120).

In addition, the multiplexing management unit (130) can identify the processor unit (120) in which the error occurrence block, which is the stage block in which the error occurred, among the remaining processor units (120) is detected as the error occurrence processor unit (120) and stop the use of the error occurrence processor unit (120).

That is, the multiplexing management unit (130) can stop (suspend) the operation of the error occurrence processor unit (120) according to the suspension of use of the error occurrence processor unit (120).

At this time, the multiplexing management unit (130) can stop the use of all of the remaining processor units (120) if all of the remaining processor units (120) are identified as processor units (120) that have generated an error.

Additionally, the eFPGA unit (140) can be used to restore the stage block in which the error occurred.

As described above, the triple module control device (100) according to the embodiment of the present invention determines whether an error has occurred according to the command execution results for the plurality of processor units (120), and when an error has occurred, priority is given to error detection of the stage block for the processor unit (120) among the plurality of processor units (120) whose command execution results do not match those of the remaining processor units (120), and when no error is detected, the device detects whether an error has occurred in the stage block using a preset command set for the remaining processor units (120), accurately identifies the error-occurring processor unit (120) including the stage block in which the error has been detected, and stops the operation, and during this error detection process, at least one processor unit (120) is allowed to maintain operation, thereby ensuring the stability and reliability of the triple module control device (100) as well as the continuity of operation, and also provides a recovery function for the error-occurring processor by programming the function of the error-occurring block, which is the stage block in which the error has occurred, into the eFPGA unit (140) to generate a recovery block, and then replacing the function of the error-occurring block through the recovery block. Hereinafter, based on the configuration described above, the configuration diagram of the triple module control device (100) according to Fig. 2 and the operation example diagram for pipeline error detection of the triple module control device (100) according to Fig. 3 will be described in detail.

As illustrated, each of the plurality of processor units (120) may include a plurality of stage blocks.

The above multiple stage blocks may include a patch block, a decode block, an execution block, a memory block, and a rewrite block.

When explaining the functions of the above multiple stage blocks, first, the patch block can be configured to include a PC (Program Counter) and an ECC memory unit including a command memory unit and an ECC (Error Correction Code).

The above patch block determines the address of a command to be executed in the memory unit (110) using a PC (Program Counter), and the patch block can read the corresponding command based on this address. In addition, the patch block can transfer memory information including the read command to its own ECC memory unit, perform error checking and error correction processes through the ECC memory unit, and maintain the integrity of the corresponding memory information.

The above patch block can generate output information including command information included in the above memory information and transmit it to the decode block.

In addition, the decode block can interpret the command information received from the patch block through the decoding unit to identify the type of the command, the register to be used, the operation to be performed, etc., and generate output information including internal control information, memory address information, register record information, generation information, etc. based on the identified information and transmit it to the execution block.

At this time, the decode block can detect errors in the memory information generated in the process of generating the output information through the ECC memory unit included in the decode block, and correct errors when necessary to maintain the integrity of the memory information.

In addition, the execution block can perform an operation through an ALU (Arithmetic Logic Unit) using output information received from the decode block, and generate output information including control information, operation result information, etc. based on the operation result of the ALU, and transmit the output information to the memory block.

Additionally, the memory block can interact with the memory unit (110) based on output information received from the execution block.

For example, the memory block can read a value from the memory unit (110) or write data to a specific address of the memory unit (110) based on output information received from the execution block.

In addition, the memory block can detect and correct errors using the ECC memory unit configured in the memory block for memory information generated in the process of interacting with the memory unit (110), thereby maintaining the integrity of the memory information.

At this time, the ECC memory unit may be configured to include a data memory unit that records data in the memory section (110) and an ECC.

In addition, the memory block can generate output information including control information, previous stage result information, read information, write information, etc. based on the access result to the memory section (110) and provide the information to the rewrite block.

The above-described rewrite block can generate instruction execution result information on the execution result of an instruction generated through previous stage blocks based on the output information transmitted from the memory block, and can generate record information including the instruction execution result information through the rewrite unit included in the above-described block to reflect the instruction execution result information to the state of the processor unit (120), and then record the record information in a register included in the above-described block.

At this time, the register may be configured to be included in the register file unit of the decode block.

For example, the above-mentioned rewrite block can store record information including the result of an arithmetic operation or data loaded from the memory unit (110) in the destination register.

In addition, the rewrite block can generate output information including the recording information and transmit it to the multiplexing management unit (130) after the rewrite process is completed.

Meanwhile, the multiplexing management unit (130) can compare the command execution result information included in the output information received from each of the plurality of processor units (120) to each other to check whether the plurality of processor units (120) and the plurality of command execution result information corresponding to each other are consistent.

In addition, the multiplexing management unit (130) can determine that an error has occurred in at least one of the plurality of processor units (120) when the execution result information of the plurality of instructions is inconsistent with each other, and when it is determined that an error has occurred, the multiplexing management unit (130) can perform verification (error verification or error occurrence verification) using a preset command set to detect an error occurrence block, which is a stage block in which an error has occurred, among the plurality of stage blocks included in the processor unit (120) in which an error has occurred among the plurality of processor units (120). This will be described in detail with reference to the operation flowchart of the triple module control device (100) according to FIG. 4 based on the above-described configuration.

First, the multiplexing management unit (130) determines that an error has occurred if the execution result information of the plurality of instructions is inconsistent with each other, determines a specific processor unit (120) in which the execution result information of the plurality of processor units (120) is inconsistent with the execution result information of other instructions as a processor unit (120) to be verified, and controls the execution of instructions according to a preset instruction set in the processor unit (120) to be verified, and performs an operation of verifying (verifying) whether an error occurrence block has been detected in the processor unit (120) to be verified according to the execution of instructions according to the instruction set.

To this end, the multiplexing management unit (130) may be configured to include a verification unit (131), a verification operation performing unit (132), an error detection unit (133), a restoration unit (134), etc.

First, the verification unit (131) can compare the execution results (instruction execution result information) according to the execution of the commands of each of the plurality of processor units (120) with each other (S1), and verify (confirm) whether an error has occurred in at least one of the plurality of processor units (120) based on whether the execution results provided by each of the plurality of processor units (120) match each other (S2).

For example, if the execution results between the plurality of processor units (120) are inconsistent, the verification unit (131) can identify one processor unit (120) whose execution results are inconsistent with those of the other processor units (120) as a verification target processor unit (120) (or verification target processor unit (120)) that is a target of verification (verification) for the occurrence of an error, and can stop the operation of the verification target processor unit (120).

At this time, the verification unit (131) can maintain operation for the remaining processor units (120) (the remaining pair of processor units (120)) excluding the processor unit (120) to be verified among the plurality of processor units (120), thereby ensuring the continuity of operation of the triple module control device (100) (S3).

For example, if the command execution result of the first processor unit (120a) among the plurality of processor units (120) does not match the command execution results of the second processor unit (120b) and the third processor unit (120c) among the plurality of processor units (120), the first processor unit (120a) can be confirmed (identified) as the processor unit to be confirmed and the operation can be stopped, and the operation of the remaining processor units (the second processor unit (120b) and the third processor unit (120c)) can be maintained.

In addition, the verification unit (131) can provide event information for error detection execution (error verification) of the verification target processor unit (120) (for requesting error detection execution) to the verification operation execution unit (132).

In addition, the verification operation execution unit (132) can verify (identify) the verification target processor unit (120) based on the event information received from the verification unit (131), reactivate (operate) the verification target processor unit (120), and then execute a command according to a preset command set for the verification target processor unit (120) (S4).

For example, the verification operation execution unit (132) may transmit a control signal to the patch block of the verification target processor unit (120) to execute a command according to the command set for error detection pre-stored in the memory unit (110) in the patch block of the verification target processor unit (120).

Accordingly, the processor unit (120) to be verified can execute a command according to the command set through the plurality of stage blocks based on the control signal, and can provide output information output from each of the plurality of stage blocks according to the execution of the command according to the command set to the multiplexing management unit (130).

In addition, the error detection unit (133) of the multiplexing management unit (130) can receive output information provided by each stage block of the verification target processor unit (120) according to the execution of a command according to the command set.

In addition, the error detection unit (133) can compare output information provided by each of the plurality of stage blocks included in the verification target processor unit (120) according to the execution of instructions according to the instruction set with a preset diagnostic error detection table (DEDT: Diagnostic Error Detection Table). Meanwhile, the error detection unit (133) can apply an error detection and recovery (ECC) function to the diagnostic error detection table in order to minimize the possibility of errors occurring in the diagnostic error detection table itself.

In addition, the error detection unit (133) can check the instruction execution result information recorded in the register of the decode block by the rewrite block of the verification target processor unit (120), and compare the instruction execution result information with the diagnostic error detection table.

Alternatively, the error detection unit (133) may check the command execution result information from the output information provided by the rewrite block and compare the checked command execution result information with the diagnostic error detection table.

In addition, the error detection unit (133) can detect an error occurrence block, which is a stage block in which an error has occurred, by comparing output information output by each of a plurality of stage blocks included in the verification target processor unit (120) as a result of executing a specific instruction according to the instruction set through the verification target processor unit (120) and instruction execution result information by the plurality of stage blocks recorded in the register with a preset diagnostic error detection table, and can check whether an error occurrence block has been detected according to the detection of the error occurrence block (S5).

At this time, the diagnostic error detection table may preset expected output information for normal operation for each command included in the command set for each of the plurality of stage blocks.

In addition, the diagnostic error detection table may be configured to preset expected execution result information regarding command execution results according to command processing by the plurality of stage blocks when the plurality of stage blocks are operating normally, for each command included in the command set.

Accordingly, the error detection unit (133) identifies, in the diagnostic error detection table, preset expected output information for a specific instruction of a specific stage block when specific output information for a specific instruction is output in a specific stage block in conjunction with the verification operation performing unit (132), and compares the identified expected output information with the specific output information to detect whether an error occurs (whether an error occurs) in the specific stage block based on whether the identified expected output information matches the specific output information, thereby detecting whether an error occurs for each of the plurality of stage blocks.

For example, the error detection unit (133) may compare output information output from the execution block according to the execution of the first instruction included in the instruction set with expected output information of the execution block corresponding to the first instruction identified in the diagnostic error detection table, and if the output information and expected output information do not match, determine that an error has occurred in the execution block and detect the execution block as an error occurrence block.

At this time, the error detection unit (133) can receive output information (output information of the patch block) provided from the patch block to the decode block, and can determine whether the patch block is stopped (or stalled) based on the output information of the patch block and the expected output information stored in the diagnostic error detection table for the patch block.

Accordingly, the error detection unit (133) can detect that an error has occurred in the patch block when a stop state occurs based on the output information of the patch block.

In addition, the error detection unit (133) can identify expected execution result information corresponding to the specific instruction in the diagnostic error detection table, and then compare the identified expected execution result information with the instruction execution result information corresponding to the specific instruction to detect whether an error has occurred in the processor unit (120) to be verified based on whether they match.

In the above-described configuration, the instruction set may include a plurality of instructions, and the verification target processor unit (120) may sequentially execute a plurality of instructions included in the instruction set according to the control of the verification operation performing unit (132), and may also sequentially execute a plurality of instructions included in the instruction set according to a preset execution order for each instruction.

At this time, the execution order for each command may be preset in the command set or preset in the verification operation execution unit (132).

For example, the verification operation execution unit (132) causes each of the plurality of processor units (120) to execute at least one of an arithmetic operation (arithmetic operation instruction), a logical operation (logical operation instruction), and a comparison operation (comparison operation instruction) according to a first instruction group included in the instruction set, and, in conjunction with the error detection unit (133), causes each of the verification target processor units (120) to execute at least one of a branch operation (branch operation instruction), a memory read operation (memory read operation instruction), a memory store operation (memory store operation instruction), and a shift operation (shift operation instruction) according to a second instruction group included in the instruction set, if the error occurrence block is not detected until execution of all instructions included in the first instruction group is completed.

At this time, the plurality of instructions included in the instruction set may include ADD, which is the arithmetic operation, XOR, which is the logical operation, SLT, which is the comparison operation, BEQ, which is the branch operation, LD, which is the memory read operation, SB, which is the memory store operation, and SLL, which is the shift operation.

Here, the verification operation execution unit (132) first executes a command capable of operating all of the plurality of stage blocks according to the first command group including arithmetic operations, logical operations, and comparison operations included in the command set, thereby enabling rapid error detection.

In addition, the error detection unit (133) can detect an error occurrence block by comparing output information output from each of a plurality of stage blocks and instruction execution result information recorded in a register according to instruction execution with the diagnostic error detection table whenever an instruction included in the instruction set is executed.

In addition, when detecting an error occurrence block (S6), the error detection unit (133) can identify (confirm) the confirmation target processor unit (120) among the plurality of processor units (120) as the error occurrence processor unit (120) and stop the use of the error occurrence processor unit (120) (S7).

That is, when an error occurrence block is detected for the verification target processor unit (120), the error detection unit (133) can specify the verification target processor unit (120) to which the error occurrence block belongs as the error occurrence processor unit (120) where the error occurred and stop (suspend) the operation of the error occurrence processor unit (120).

In addition, by continuously outputting normal data according to instruction execution only from the remaining processor units (120) where no error occurred, it is possible to prevent error data from being continuously output by the processor unit (120) where an error occurred.

At this time, the error detection unit (133) can control the verification target processor unit (120) to not execute other commands included in the command set subsequent to the command used to detect the error occurrence block in the command set when an error occurrence block is detected, in conjunction with the verification operation execution unit (132).

Meanwhile, in the above-described configuration, if an error occurs due to a mismatch in execution results between the plurality of processor units (120) that executed a command (hereinafter, execution target command) that is not a command included in the command set, the verification unit (131) can check the output information of the patch block configured in the verification target processor unit (120) or check the command memory unit of the patch block to provide event information including the execution target command to the verification operation performing unit (132).

In addition, the verification operation execution unit (132) verifies the execution target instruction included in the event information, verifies an instruction among the instructions included in the instruction set whose operation type (arithmetic operation, logical operation, comparison operation, branch operation, memory read operation, memory store operation, shift operation) matches the execution target instruction (belongs to the operation type to which the execution target instruction belongs), and can execute the plurality of stage blocks of the verification target processor unit (120) with the verified instruction.

Accordingly, the error detection unit (133) can quickly detect an error occurrence block by first executing the confirmation target processor unit (120) with the confirmed instruction included in the instruction set whose operation type matches the execution target instruction, which is the instruction that caused an error in the plurality of processor units (120), and thereby quickly detect the error occurrence processor unit (120) including the error occurrence block.

In addition, in the above-described configuration, the error detection unit (133) compares the output information and command execution result information of the processor unit (120) to be verified with the diagnostic error detection table, and if an error occurrence block is not detected, it determines that an error has occurred in the remaining processor units (120), and can provide the determination result information thereon to the verification unit (131) (S6).

In addition, the verification unit (131) can activate (restart) the operation of the verification target processor unit (120) if the verification target processor unit (120) is not an error-generating processor unit (120) based on the judgment result information provided from the error detection unit (133), and can stop the operation of the remaining processor units (120) (S8).

In addition, the verification unit (131) can provide event information for requesting error verification for each of the remaining processor units (120) to the verification operation performing unit (132), similar to the verification target processor unit (120).

In addition, the verification operation execution unit (132) can control each of the remaining processor units (120) to execute a command according to the command set in the same manner as the process of executing a command according to the command set for the verification target processor unit (120) described above when receiving the event information (S9).

In addition, the error detection unit (133) can perform a process of detecting an error occurrence block for each of the remaining processor units (120) that executed a command according to the command set, similar to the process of detecting an error occurrence block according to the execution of a command included in the command set of the processor unit (120) to be verified described above (S5).

In addition, the error detection unit (133) can identify the processor unit (120) in which an error occurrence block is detected among the remaining processor units (120) as the error occurrence processor unit (120) (S6).

At this time, the error detection unit (133) can identify each of the remaining processor units (120) as an error-occurring processor unit (120) if an error-occurring block is detected in all of the remaining processor units (120).

In addition, the error detection unit (133) can stop the use of one or more processor units (120) identified as the error-occurring processor unit (120), and can stop the operation of the error-occurring processor unit (120) according to the stoppage of use (S7).

At this time, the error detection unit (133) can quickly detect an error occurrence block by first executing each of the remaining processor units (120) with the confirmed instruction included in the instruction set whose operation type matches the execution target instruction that has caused an error in each of the remaining processor units (120) in conjunction with the verification unit (131) and the verification operation execution unit (132), thereby quickly detecting the error occurrence processor unit (120) including the error occurrence block.

Accordingly, the error detection unit (133) can maintain the operation of the processor unit (120) to be verified even when an error is detected in all of the remaining processor units (120) and operation is halted, thereby ensuring the continuity of the triple module control device (100).

Meanwhile, the multiplexing management unit (130) can restore the function of the error-occurring block through the eFPGA unit (140) when an error-occurring block is detected, and replace the function of the error-occurring block of the error-occurring processor unit (120) through the eFPGA unit (140), thereby restoring (recovering) the error-occurring processor unit (120) to a normal processor unit (120). This will be described in detail with reference to the flowchart for the restoration operation of the triple module control device (100) according to FIG. 5.

As described above, the triple module control device (100) may be configured to include an eFPGA unit (140) for restoring a block in which an error has occurred when an error occurs in the processor unit (120).

In addition, the multiplexing management unit (130) may be configured to include a restoration unit (134) for restoring the error-occurring block.

According to the above-described configuration, the restoration unit (134) can, in conjunction with the error detection unit (133), generate a restoration block that performs the function of the error occurrence block in the eFPGA unit (140) when an error occurrence block is detected in a specific processor unit (120) (error occurrence processor unit (120)) (S11) (S12).

At this time, the restoration unit (134) can identify the error occurrence processor unit (120) and the error occurrence block belonging to the error occurrence processor unit (120) in conjunction with the error detection unit (133).

That is, the restoration unit (134) can program the function of a specific stage block without an error corresponding to the error occurrence block into the eFPGA unit (140) to create the restoration block in the eFPGA unit (140).

In addition, the restoration unit (134) can perform a bypass function (or redirection function) of transmitting output information of a stage block that transmits output information from the specific processor unit (120) to the error occurrence block to the restoration block and transmitting output information of the restoration block to a stage block that receives output information of the error occurrence block (S13).

That is, the restoration unit (134) can control the input/output of the error occurrence block to be bypassed to the input/output of the restoration block.

Accordingly, when the creation of the restoration block is completed, the restoration unit (134) can re-operate the error-occurring processor unit (120) and restore the error-occurring processor unit (120) to a normal state through the restoration block (S14).

At this time, when the creation of the restoration block is completed, the restoration unit (134) can execute a command according to the command set through the error occurrence processor unit (120) connected to the restoration block in conjunction with the verification operation execution unit (132) and the error detection unit (133), and can re-confirm whether an error occurrence block has been detected for the error occurrence processor unit (120) according to the command execution.

In addition, the restoration unit (134) can generate an additional restoration block that performs the function of the other detected error occurrence block (the function of the normal state stage block corresponding to the other detected error occurrence block) when another error occurrence block is detected again in the error occurrence processor unit (120) connected to the restoration block, and can be programmed into the eFPGA unit (140) to generate the additional restoration block, and can perform a bypass function using the additional restoration block for the other error occurrence block generated in the error occurrence processor unit (120) as described above.

In addition, the restoration unit (134) can perform detection of an error occurrence block using the command set as described above for the restoration block and the error occurrence processor unit (120) connected to the additional restoration block even after the creation of the additional restoration block is completed, and when a new error occurrence block is detected, the process as described above can be repeated to additionally create a new restoration block in the eFPGA unit (140).

Alternatively, the restoration unit (134) may execute a command according to the command set for the error occurrence processor unit (120) connected to one or more restoration blocks to check whether an error occurrence block is detected, and if an error occurrence block is not detected, activate the error occurrence processor unit (120) as a normal processor unit (120) and operate it to process commands in the same manner as other processor units (120).

In this way, the restoration unit (134) can implement the function of the stage where an error is detected in the pipeline stage of the processor unit (120) in the eFPGA unit (140), so that only a specific part can be programmed even during device operation, and through this, only the function where an error occurred can be quickly replaced without stopping the entire device when an error is restored. Meanwhile, the restoration block, which is a pipeline-specific stage configuration block configured in the eFPGA unit (140) based on the eFPGA, generally has a lower operating clock speed than an ASIC (Application Specific Integrated Circuit) configuration, and the restoration unit (134) can readjust the entire system clock (entire device clock) due to this clock operation speed difference.

Meanwhile, according to the triple processor structure, the processor unit (120) restored to the eFPGA unit (140) generally has a low clock operation speed, so as two high-speed clock operation processors and a low-speed clock operation processor are configured, the processor configuration can be diversely performed according to the system usage requirements.

For example, in mission-critical applications such as aerospace applications, a triple-processor unit (120) configuration configured at a relatively low identical speed can be performed. On the other hand, in cases of relatively low importance, where a dual-processor configuration is sufficient for the purpose, a low-speed processor unit (120) recovered by the eFPGA unit (140) can be configured as a spare. In the case of this configuration, if an error occurs in the dual-processor unit configuration capable of operating at a normal clock, the triple-processor unit (120) configuration operating at a low speed recovered by the eFPGA unit (140) performs the same error detection and recovery procedure as before.

To this end, the triple module control device (100) may include an interface unit for setting operating conditions for the multiplexing management unit (130) or the error detection unit (133), or may be configured to be linked with an interface unit configured externally to the triple module control device (100), and the error detection unit (133) configured in the multiplexing management unit (130) may receive input information (input information according to external input) regarding the operating conditions (operation mode) through the interface unit.

At this time, the interface unit may be configured to be included in the multiplexing management unit (130).

In addition, the error detection unit (133) linked with the restoration unit (134), in a state in which the first operation condition (or the first operation mode) is operated (or set to operate) based on the input information, in conjunction with the restoration unit (134), when the restoration block is generated (when the generation of the restoration block is confirmed), the operation clocks of each of the remaining processor units (120) excluding the processor unit (120) connected to the restoration block are matched with the operation clock of the processor unit (120) connected to the restoration block according to the first operation condition that is set in advance, and in a state in which the second operation condition (or the second operation mode) is operated (or set to operate) based on the input information, when the restoration block is generated (when the generation of the restoration block is confirmed), the processor unit (120) connected to the restoration block is set as a spare processor unit (120) according to the second operation condition that is set in advance, and only the remaining processor units (120) excluding the spare processor unit (120) are operated, and the remaining When an error occurrence block is detected in at least one of the processor units (120), the spare processor unit (120) can be activated while the operation clocks of the remaining processor units (120) and the spare processor unit (120) can be synchronized with each other.

At this time, the error detection unit (133) can match the operation clocks of the remaining processor units (120) based on the operation clock of the processor unit (spare processor unit) (120) connected to the recovery block, or set the processor unit (120) connected to the recovery block and the remaining processor units (120) to a preset operation clock.

Meanwhile, in the above-described configuration, when an error occurrence block is detected during execution of an instruction included in the instruction set, the restoration unit (134) can stop use of the error occurrence processor unit (120) corresponding to the error occurrence block without executing other instructions of the instruction set subsequent to a specific instruction executed when the error occurrence block was detected, and can perform restoration (recovery) on the error occurrence processor unit (120) to which the error occurrence block belongs by generating a restoration block corresponding to the error occurrence block.

In addition, when the restoration unit (134) generates a restoration block that performs the function of the error occurrence block, it can extract block configuration information corresponding to the error occurrence block from a stage block storage unit (200) configured externally and in which block configuration information of each of a plurality of stage blocks is stored.

At this time, the stage block storage unit (200) may be an external flash memory configured outside the triple module control device (100).

In addition, the restoration unit (134) can generate a restoration block by programming it into the eFPGA unit (140) using the extracted block configuration information.

As described above, the present invention supports, in a triple-module control device including three RISC-V-based processor units, the detection of whether an error has occurred at each stage according to the pipeline structure of a verification target processor unit whose instruction execution result is inconsistent with the remaining processor units, and, at the same time, the operation of the remaining processor units is maintained when verifying whether an error has occurred at the verification target processor unit, thereby ensuring the continuity and stability of the triple-module control device. In addition, if an error is not detected at the verification target processor unit, the detection of whether an error has occurred at each stage for the remaining processor units is performed, thereby accurately and quickly specifying the processor unit in which an error has occurred among the three processor units, thereby stopping the use of the processor unit in which the error has occurred and operating only the normal processor unit, thereby preventing the propagation of an error in a device or system to which the triple-module control device is applied, ensuring stability and reliability, and ensuring stable operation continuity of the device or system.

In addition, the present invention can restore the processor unit in which an error occurred to a normal state by programming the function of an error occurrence block included in a processor unit in which an error occurred into the eFPGA unit and generating a restoration block, thereby enabling a dynamic restoration function that can quickly replace only the function in which an error occurred to significantly improve the availability of the triple module control device, thereby providing a highly reliable control device that can be used in error-sensitive fields such as aerospace aircraft and high-performance automobiles.

The components described in the embodiments of the present invention may be implemented using one or more general-purpose computers or special-purpose computers, such as, for example, hardware such as a memory, a processor, a controller, an arithmetic logic unit (ALU), a digital signal processor, a microcomputer, a field programmable gate array (FPGA), a programmable logic unit (PLU), a microprocessor, a logic gate, software including an instruction set, or a combination thereof, or any other device capable of executing and responding to instructions.

The various devices and components described herein may be implemented by hardware circuits (e.g., CMOS-based logic circuits), firmware, software, or a combination thereof. For example, they may be implemented by utilizing transistors, logic gates, and electronic circuits in the form of various electrical structures.

The above-described contents can be modified and changed by those skilled in the art to which the present invention pertains, without departing from the essential characteristics of the present invention. Therefore, the embodiments disclosed in the present invention are not intended to limit the technical idea of the present invention, but to explain it, and the scope of the technical idea of the present invention is not limited by these embodiments. The protection scope of the present invention should be interpreted by the following claims, and all technical ideas within the equivalent scope should be interpreted as being included in the scope of the rights of the present invention.

100: Triple module control unit 110: Memory unit
120: Processor section 130: Multiplexing management section
131: Verification unit 132: Verification operation execution unit
133: Error detection unit 134: Recovery unit
140: eFPGA section 200: Stage block storage section

Claims (10)

A triple module control device comprising three RISC-V based processor units having a pipeline structure composed of multiple stage blocks including a patch block, a decode block, an execution block, a memory block, and a rewrite block, and including a multiplexing management unit for error verification of the processor units,
The above patch block, decode block and memory block each have an ECC memory unit that performs error detection and error correction of memory information based on an Error Correcting Code (ECC) to maintain the integrity of memory information for command execution.
The above multiplexing management unit,
A verification unit that compares the execution results of the instructions executed by the three processor units above and verifies whether an error has occurred based on whether the execution results match;
A verification operation execution unit that executes a command according to a preset command set for a processor unit subject to verification whose command execution results among the three processor units do not match the remaining processor units when an error occurs in the verification result of the above verification unit; and
An error detection unit that compares output information provided by each of a plurality of stage blocks included in the processor unit to execute instructions according to the instruction set and instruction execution result information according to instruction execution by the plurality of stage blocks with a preset diagnostic error detection table to detect an error occurrence block, which is a stage block in which an error has occurred, and, when the error occurrence block is detected, specifies the processor unit to be verified as the processor unit in which an error has occurred and suspends the use of the processor unit in which the error has occurred.
A triple module control device having a reliability verification function characterized by including: In claim 1,
A triple module control device having a reliability verification function, characterized in that the verification unit stops the operation of the processor unit identified as the verification target processor unit and maintains the operation of the remaining processor units other than the verification target processor unit. In claim 1,
The above diagnostic error detection table is configured such that expected output information for normal operation is preset for each command included in the command set for each of the plurality of stage blocks.
The error detection unit, in conjunction with the verification operation performing unit, identifies expected output information preset for a specific instruction of the specific stage block in the diagnostic error detection table when specific output information is output for a specific instruction in the specific stage block, compares the identified expected output information with the specific output information, and detects whether an error has occurred in the specific stage block based on whether they match, or identifies expected execution result information corresponding to the specific instruction in the diagnostic error detection table, and then compares the identified expected execution result information with the instruction execution result information corresponding to the specific instruction to detect whether an error has occurred in the verification target processor based on whether they match. A triple module control device having a reliability verification function. In claim 3,
The above error detection unit,
A triple module control device having a reliability verification function characterized in that the occurrence of an error in the processor unit to be verified is detected based on whether the instruction execution result information stored in the register according to the execution of the specific instruction by the plurality of stage blocks is compared with the expected execution result information and whether they match. In claim 1,
A triple module control device having a reliability verification function, characterized in that the verification operation execution unit executes the verification target processor unit with at least one of an arithmetic operation, a logical operation, and a comparison operation according to a first instruction group included in the instruction set, and, in conjunction with the error detection unit, executes the verification target processor unit with at least one of a branch operation, a memory read operation, a memory store operation, and a shift operation belonging to a second instruction group included in the instruction set when the error occurrence block is not detected until execution of all instructions belonging to the first instruction group is completed. In claim 5,
A triple module control device having a reliability verification function, characterized in that the arithmetic operation is ADD, the logical operation is XOR, the comparison operation is SLT, the branch operation is BEQ, the memory read operation is LD, the memory store operation is SB, and the shift operation is SLL. In claim 1,
The above error detection unit,
A triple module control device having a reliability verification function, characterized in that when an error occurrence block is not detected as a result of comparing the output information and the instruction execution result information of the processor unit to be verified with the diagnostic error detection table, it is determined that an error has occurred in the remaining processor units, and the operation of the processor unit to be verified is activated in conjunction with the verification unit while the operation of the remaining processor units is stopped, and in conjunction with the verification operation execution unit, a command according to the instruction set is executed for each of the remaining processor units to detect an error occurrence block in the same manner as the error occurrence block detection process for the processor unit to be verified, and the processor unit in which the error occurrence block is detected among the remaining processor units is confirmed as the error occurrence processor unit and use is suspended. In claim 1,
The above error generating processor unit further includes an eFPGA unit for restoring a block in which an error occurred,
The above multiplexing management department,
A triple module control device with a reliability verification function, characterized in that it further includes a restoration unit that generates a restoration block for performing the function of the above error occurrence block in the eFPGA unit, transmits output information of a stage block that transmits output information to the above error occurrence block among the plurality of stage blocks to the restoration block, and performs a bypass function of transmitting output information of the restoration block to a stage block that receives output information of the above error occurrence block. In claim 8,
The above restoration part,
A triple module control device having a reliability verification function, characterized in that, when an error occurrence block is detected during execution of a command included in the command set in conjunction with the error detection unit, subsequent commands of the command set are not executed, use of the error occurrence processor unit corresponding to the error occurrence block is stopped, a recovery block corresponding to the error occurrence block is generated, and recovery is performed for the error occurrence processor unit to which the error occurrence block belongs. In claim 8,
Includes an interface section for setting operating conditions for the above error detection section,
A triple module control device having a reliability verification function, characterized in that the error detection unit, when operating under a first operating condition based on input information through the interface unit, causes each of the operating clocks of the remaining processor units excluding the processor unit connected to the restoration block when generating the restoration block to match the operating clock of the processor unit connected to the restoration block, and when operating under a second operating condition based on the input information, sets the processor unit connected to the restoration block as a spare processor unit when generating the restoration block, and then operates only the remaining processor units excluding the spare processor unit, and when an error occurrence block is detected in at least one of the remaining processor units, activates the spare processor unit and mutually matches the operating clocks of the remaining processor units and the spare processor unit.

Images