Nios® V Processor: Lockstep Implementation User Guide

Download PDF
ID 833274
Date 4/17/2025
Public
Document Table of Contents
Document Table of Contents x
1. About the Nios® V Processor Lockstep 2. Overview 3. Controlling the Nios® V Processor Lockstep 4. Programming Model 5. Signals, Interfaces, and Build Parameters 6. Using Nios® V Processor Lock Step A. Document Revision History for the Nios® V Processor: Lockstep Implementation User Guide B. Appendix
1. About the Nios® V Processor Lockstep x
1.1. Nios® V Processor Lockstep Features
2. Overview x
2.1. Introduction 2.2. Main Principles 2.3. Operating Modes 2.4. Resets 2.5. LOGS Information
2.2. Main Principles x
2.2.1. System Phases 2.2.2. System States 2.2.3. Safety Mechanisms
2.2.2. System States x
2.2.2.1. Transitioning between System States
2.2.3. Safety Mechanisms x
2.2.3.1. Self-Checking Comparator 2.2.3.2. Timeout Timer 2.2.3.3. Reset and Enable Counters 2.2.3.4. Specialized Safety Mechanism
2.3. Operating Modes x
2.3.1. NORMAL and SILENT Modes
2.4. Resets x
2.4.1. Resetting CORE 2.4.2. Resetting OPTIONS 2.4.3. Resetting LOGS 2.4.4. Resetting Time Diversity Register and Comparator Blind Window
2.5. LOGS Information x
2.5.1. ALARMS 2.5.2. CONTEXT 2.5.3. STATISTICS 2.5.4. Reset LOGS
2.5.1. ALARMS x
2.5.1.1. Configuring Alarm Severity
3. Controlling the Nios® V Processor Lockstep x
3.1. Configuration Interface 3.2. Controlling the Elective Features
3.2. Controlling the Elective Features x
3.2.1. Applying Timeout and Comparator Blind Window 3.2.2. Injecting Fault 3.2.3. Downloading the CPU Software 3.2.4. Debugging the CPU Software using SILENT Mode 3.2.5. Resetting the CPU upon Fault Detection
3.2.1. Applying Timeout and Comparator Blind Window x
3.2.1.1. Timeout 3.2.1.2. Comparator Blind Window 3.2.1.3. Calculating the Blind Window and Timeout Period
3.2.2. Injecting Fault x
3.2.2.1. Root Fault Injection 3.2.2.2. Alarm Fault Injection
3.2.4. Debugging the CPU Software using SILENT Mode x
3.2.4.1. Entering SILENT Mode 3.2.4.2. SILENT Mode Limitation 3.2.4.3. Exiting SILENT Mode
3.2.5. Resetting the CPU upon Fault Detection x
3.2.5.1. Basic Reset Control 3.2.5.2. Extended Reset Control
3.2.5.2. Extended Reset Control x
3.2.5.2.1. Automatic CPUs Reset Request 3.2.5.2.2. Manual CPUs Reset Request
4. Programming Model x
4.1. Memory Map 4.2. Configuring fRSmartComp during Run-time 4.3. Unlocking and Locking Registers 4.4. Detailed Register Description
4.1. Memory Map x
4.1.1. Memory Map—Part 1 4.1.2. Memory Map—Part 2 4.1.3. Memory Map—Part 3
4.4. Detailed Register Description x
4.4.1. CPUs’ Reset Control Register - DCLSM_CPURC 4.4.2. DCLSM Basic Control Register - DCLSM_CTRL 4.4.3. DCLSM Blind Window Control Register - DCLSM_BWCR 4.4.4. All Alarms’ Prior Alarms’ Fault Injection Register - ERRCTRL_ALL_ALARMS_PRIOR_AFI 4.4.5. INTREQ Configuration Register - ERRCTRL_INTREQ_CONF 4.4.6. Timeout Deadline and Status Register - ERRCTRL_TIMEOUT 4.4.7. Timeout Acknowledgment Register - ERRCTRL_TIMEOUT_ACK 4.4.8. Enable Key fRSmartComp Control Register - ERRCTRL_ENABLE_KEY 4.4.9. Root Fault Injection Control register - ERRCTRL_ROOT_INJ 4.4.10. Alarm Fault Injection Control register - ERRCTRL_ALARM_INJ 4.4.11. Event Mask Configuration register - ERRCTRL_MASKA and ERRCTRL_MASKB 4.4.12. Alarm Routing Configuration register - ERRCTRL_ROUTA and ERRCTRL_ROUTB 4.4.13. Error Controller PGO LOG Reset Control register - ERRCTRL_PGOLOGRST 4.4.14. PGO0 and PGO4 Configuration registers - ERRCTRL_PGO0 and ERRCTRL_PGO4 4.4.15. FN_MODEIN Control Register - ERRCTRL_FNMODEIN 4.4.16. FN_MODEOUT register - ERRCTRL_FNMODEOUT 4.4.17. All Alarms After Fault Injection - ERRCTRL_FNGIALARMS 4.4.18. Error Controller Context Register - ERRCTRL_FNGICTXT4 4.4.19. CMP Mismatch CONTEXT Registers - ERRCTRL_FNGICMPCTXT0 … ERRCTRL_FNGICMPCTXT3 4.4.20. STATISTICS registers: ERRCTRL_FNGISTAT0 and ERRCTRL_FNGISTAT4 4.4.21. State register - ERRCTRL_FNPERIPHGI4
5. Signals, Interfaces, and Build Parameters x
5.1. Configuration Interface 5.2. System Interface 5.3. Extended Reset Interface 5.4. IP Parameters
6. Using Nios® V Processor Lock Step x
6.1. Instantiating Lockstep-Enabled Processor 6.2. Connecting Signals and Interfaces 6.3. Compiling Design 6.4. Implementing Startup Procedure 6.5. Applying Optional Injection for Validation 6.6. Detecting Faults 6.7. Handling Faults (Safety Use Case)
6.2. Connecting Signals and Interfaces x
6.2.1. Connecting Clock and Reset 6.2.2. Connecting Configuration Interface 6.2.3. Connecting System Interface
6.2.1. Connecting Clock and Reset x
6.2.1.1. Clock 6.2.1.2. Reset
6.2.1.2. Reset x
6.2.1.2.1. Basic Reset Control 6.2.1.2.2. Extended Reset Control
6.2.3. Connecting System Interface x
6.2.3.1. Silent Mode Interface 6.2.3.2. Interrupt Request (INTREQ) 6.2.3.3. ALARMS Interfaces
6.7. Handling Faults (Safety Use Case) x
6.7.1. UC_01: Standard Fail Safe or No Availability 6.7.2. UC_02: False Positive Avoidance 6.7.3. UC_03: Timeout on System Reset or After Fault Detection 6.7.4. UC_04: Fail Safe after Fault Discrimination 6.7.5. UC_05: Fail Safe after Fault Discrimination and Functional Downgrade
1. About the Nios® V Processor Lockstep
2. Overview
3. Controlling the Nios® V Processor Lockstep
4. Programming Model
5. Signals, Interfaces, and Build Parameters
6. Using Nios® V Processor Lock Step
A. Document Revision History for the Nios® V Processor: Lockstep Implementation User Guide
B. Appendix

3.2.5. Resetting the CPU upon Fault Detection

The fRSmartComp supports two different Reset Controls:

  1. Basic Reset Control
    • Use this reset control when you are not considering system availability concept.
    • The processor reset signals acts as global resets for all modules (Host CPU, fRSmartComp and Agent CPU).
  2. Extended Reset Control
    • Use this reset control when you are considering system availability concepts.
    • Each module has their respective reset signals.
    • In addition, the fRSmartComp can deliver reset requests for both Host CPU and Agent CPU, thru a Reset Controller as warm reset.
    • The Reset Controller generates the reset request signals to the respective CPUs and deliver acknowledgement back to fRSmartComp.
    • The Reset Controller generates the reset request signals to the respective CPUs and deliver acknowledgement back to fRSmartComp.
Terminology:
  1. Power-on Reset
    1. An asynchronous reset that completely resets the whole system, including the CPUs, busses, memory controllers, peripherals, fRSmartComp, etc.
    2. For example, a power-on reset is used after FPGA configuration.
  2. Warm Reset
    1. An asynchronous reset that does not completely reset the whole system. Instead, only part of the system is reset and without power-supply interruption.
    2. For example, reset the two CPUs and part of the fRSmartComp while maintaining the fRSmartComp ALARMS information. This allows the next processor application to read the ALARMS after reset.
Table 27.  Reset Controls and Use Cases
Safety Use Case Description Reset Control Reset Scenario
UC_01: Standard Fail Safe (no availability)

After a fault is detected, the system is put in a safe state, and the CPU or fRSmartComp is no longer relevant.

Basic Power-on or equivalent reset

(RS_1, RS_2)
UC_02: False Positive Avoidance

Allows discriminating comparator errors to occur for faults in the CPUs or just in the fRSmartComp comparator itself, thus obtaining a certain degree of availability.

In the case of a fault in the comparators, the Host CPU is fault-free and may proceed with the CPU application.

Power-on or equivalent reset

(RS_1, RS_2)

Optional: Warm reset with Extended Reset Control (RS_4, RS_5)
UC_03: Timeout on System Reset or After Fault Detection

Watchdogs-like scenario, highly safety-critical, which brings the system to a safe state.

 Power-on or equivalent reset

(RS_1, RS_2)

Optional: Warm reset with Extended Reset Control (RS_4, RS_5)
UC_04: Fail Safe after Fault Discrimination

Allows discrimination between a permanent and a transient fault occurring in the CPU and, thus, some degree of availability.

In the case of a transient fault, an asynchronous reset removes the fault and causes a restart of the application software.

The application software can continue to perform the safety function.

 Extended Power-on and Warm resets

(RS_1, RS_2, RS_3, RS_4, RS_5)

UC_05: Fail Safe after Fault Discrimination and Functional Downgrade

This is an enhancement of UC_04; it has similar benefits with improved system availability.

In the case of a permanent fault, the application software is downgraded to a limited-functioning application. An asynchronous reset restarts the application software.

Power-on and Warm resets

(RS_1, RS_2, RS_3, RS_4, RS_5)
Table 28.  Supported Reset Scenarios
Reset Scenario Current System State Operation Procedure
RS_1 Any CPUs and fRSmartComp asynchronous reset

Reset both the CPUs and the fRSmartComp (Asynchronous reset).

RS_2 OD

Restart the fRSmartComp

(do not alter CPU operation)

Applied to reconfigure the fRSmartComp.
  1. Check that the fRSmartComp state is OD.
  2. Disable the fRSmartComp.
  3. Perform the configuration (if any) before the DISABLE timeout expires.
  4. Enable the fRSmartComp.
  5. Perform the fRSmartComp configuration (if any) before the OD timeout expires.
  6. Acknowledge the fRSmartComp timeout.
  7. Check that no alarms have been generated.
RS_3 FCS CPU reset request by fRSmartComp This scenario is fully in the hands of the fRSmartComp and the external Dedicated Reset Controller. Refer to Automatic CPUs Reset Request.
RS_4 FCS CPU reset request by System Supervisor

These are Configuration Interface accesses to trigger a reset request. Refer to Manual CPUs Reset Request.

RS_5 FCS

CPU and fRSmartComp restart after FCS, with the possibility to save the logs information and using the counters.

Applied for advanced failure control.
  1. Check that the fRSmartComp state is FCS.
  2. Read and temporarily store the current active alarms.
  3. If needed, mask some alarms.
  4. Disable the fRSmartComp before the FCS timeout expires.
  5. Wait at least 10 CPU clock cycles
  6. Reset both the CPUs (warm reset) at the same time. The comparator blind window restarts.
  7. Allow the Nios V initialization procedure to execute. This must be done before the blind window is expired.
  8. Optionally read and save logs information.
  9. Check that the current active alarms are the same as before.
  10. Clear the active alarms and the related logs information.
  11. Perform fRSmartComp configuration (if any) before the DISABLE timeout expires.
  12. If needed, unmask some alarms.
  13. Enable the fRSmartComp.
  14. Perform fRSmartComp configuration (if any) before the OD timeout expires. Acknowledge the fRSmartComp timeout.
  15. Acknowledge the fRSmartComp timeout.
RS_6 OD CPUs’ asynchronous reset when the fRSmartComp is in OD. Useful when a fault has occurred outside the CPU, but a CPU reset is needed.
  1. Check that the fRSmartComp state is OD.
  2. Reset the CPUs.
  3. Check that the fRSmartComp state is still OD.
Note: Reset scenario 6 (RS_6) is related to the availability concept of faults occurring outside the CPU and, thus, not included in the table. Altera recommends using Extended Reset Control option for RS_6.

Section Content
Basic Reset Control
Extended Reset Control

Related Information
Level Two Title