US20130007565A1 - Method of processing faults in a microcontroller - Google Patents

Publication number
US20130007565A1
Authority
US
United States
Prior art keywords
memory
error signal
control unit
circuit
read
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US13/536,712
Inventor
Vincent Onde
Dragos Davidescu
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
STMicroelectronics Rousset SAS
Original Assignee
STMicroelectronics Rousset SAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by STMicroelectronics Rousset SAS
Assigned to ST MICROELECTRONICS (ROUSSET) SAS reassignment ST MICROELECTRONICS (ROUSSET) SAS ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: ONDE, VINCENT, DAVIDESCU, DRAGOS
Publication of US20130007565A1
Priority to US15/888,624 (patent US10162701B2)
Assigned to STMICROELECTRONICS (ROUSSET) SAS reassignment STMICROELECTRONICS (ROUSSET) SAS CORRECTIVE ASSIGNMENT TO CORRECT THE ASSIGNEE'S NAME PREVIOUSLY RECORDED AT REEL: 028952 FRAME: 0783. ASSIGNOR(S) HEREBY CONFIRMS THE ASSIGNMENT. Assignors: ONDE, VINCENT, DAVIDESCU, DRAGOS
Legal status: Abandoned

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/08 Error detection or correction by redundancy in data representation, e.g. by using checking codes
    • G06F11/10 Adding special bits or symbols to the coded information, e.g. parity check, casting out 9's or 11's
    • G06F11/1008 Adding special bits or symbols to the coded information, e.g. parity check, casting out 9's or 11's in individual solid state devices
    • G06F11/1048 Adding special bits or symbols to the coded information, e.g. parity check, casting out 9's or 11's in individual solid state devices using arrangements adapted for a specific error detection or correction feature

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Techniques For Improving Reliability Of Storages (AREA)

Abstract

Embodiments described in the present disclosure relate to a method of processing faults in a control unit, the method including: upon each request for reading a datum in a first memory, received by a first interface circuit for accessing the first memory, calculating by means of the first interface circuit, a check word based on the datum read, if the check word calculated is different from a check word read in the memory in association with the datum read, activating an error signal by means of the first interface circuit, and sending the error signal to an output circuit of the control unit, without using any circuits of the control unit, likely to send a request to access the first memory.

Description

    BACKGROUND
  • 1. Technical Field
  • The present disclosure relates to the detection and processing of errors in a control unit. The present disclosure applies particularly to apparatuses having power circuits controlled by a control unit executing a program stored in a memory.
  • 2. Description of the Related Art
  • Embodiments of the present disclosure can be applied to apparatuses such as household appliances, industrial systems, or medical equipment, having power circuits operating one or more electric actuators such as electric motors, solenoids, solenoid valves, etc.
  • Such apparatuses generally have a control unit controlling the actuators according to one or more determined sequences. The control unit, of microcontroller type for example, is connected to or includes memories having at least one non-volatile memory storing a program executed by the control unit, and one non-volatile memory enabling the program to be executed.
  • Some standards such as IEC 60335 and IEC 60730 direct the memories of control units of household appliances to be tested so as to trigger, in the event that a fault is detected, the execution of a procedure for stopping the power circuits, stopping the actuators in particular, and shutting down the power circuits. The memories are generally tested by the control unit which executes a test procedure as a background task of main tasks. This test procedure generally involves saving the content of a memory zone to be tested in a free zone, writing a test word in all the locations of the zone to be tested, reading the words written in the zone to be tested, comparing each word read with the test word, and restoring the original content of the memory zone before testing another zone in the memory. If an error is detected, the stop procedure is executed.
  • This test procedure is undesirably slow and does not enable the detection of an error in memory reading by a main task. Indeed, the memory zone being tested cannot be a memory zone used by a main task, as its content is changed by the test procedure. As a result, if a memory reading error occurs during an operation of a main task, this error can only be detected much later, when testing the memory zone in which the reading error occurred. The stop procedure will therefore only be executed well after the occurrence of the reading error. In addition, if the reading error causes a malfunction in the control unit, the test procedure and thus the stop procedure may not be executed.
  • Some memories of volatile type (RAM) for example associate a parity bit with each word they store, and include an interface circuit proceeding with the test of this parity bit every time a word is read to detect possible parity errors. If such a parity error is detected when reading a word, the interface circuit sends an error signal. Furthermore, some memories of non-volatile type (e.g., EEPROM or Flash) associate error-correction bits with each word they store. When reading a word, an interface circuit of these memories uses the error-correction bits to correct the word read if necessary. If the errors affecting a word read are too extensive to be corrected, the interface circuit sends an error signal.
  • Using this error signal to generate an exception or an interruption in the control unit has already been proposed. The interruption triggers the execution by the control unit of an interrupt routine including the procedure for stopping the power circuits. However, the execution of the interrupt routine may be disabled due to an incorrect access to a word in the memory or due to a fault in the memory in which this routine is stored. The result is that the stop procedure may not be executed in the event that an error is detected by a memory.
  • It is therefore desirable to be able to detect a fault in a memory in the event of a faulty access to the memory by a main task executed by the control unit. It is also desirable to trigger the execution of the procedure for stopping the power circuits as soon as a fault is detected in a memory. It is also desirable to avoid busying the resources of the control unit with storing and executing test procedures, and to avoid burdening the development tasks of the program executed by the control unit with the need to develop such test procedures.
  • BRIEF SUMMARY
  • Some embodiments relate to a method for processing faults in a control unit, the method including acts of: upon each request for reading a datum in a first memory, received by a first interface circuit for accessing the first memory, calculating by means of the first interface circuit a check word based on the datum read, if the check word calculated is different from a check word read in the memory in association with the datum read, activating an error signal by means of the first interface circuit, and sending the error signal to an output circuit of the control unit, without using any circuits of the control unit likely to send a request to access the first memory.
  • According to one embodiment, the method includes an act of applying a parity calculation by means of the first interface circuit to the datum read to calculate the check word.
  • According to one embodiment, the method includes acts of: upon each request for reading a datum in a second memory, received by a second interface circuit for accessing the second memory, detecting errors in the datum read by means of a second interface circuit for accessing the second memory, using error-correction bits read in the memory in association with the datum read, if non-correctable errors are detected in the datum read, by the second interface circuit, activating an error signal by means of the second interface circuit, and sending the error signal from the second interface circuit to the output circuit, without using any circuits of the control unit likely to send a request to access the second memory.
  • According to one embodiment, the output circuit receives at least one other error signal belonging to the assembly including a control unit power supply error signal, a comparison signal for comparing an input signal of the control unit with a threshold, a hardware error signal, an emergency stop manual trigger signal, and a system clock error signal of the control unit.
  • According to one embodiment, each error signal is sent to the output circuit if it is not masked by a masking circuit.
  • According to one embodiment, the method includes acts of initializing the masking circuit to an unmasked state in which each error signal is sent to the output circuit, of masking an error signal, and of prohibiting the unmasking of an error signal to send again an error signal that was masked.
  • According to one embodiment, the method includes an act of executing by means of the output circuit a procedure for stopping power circuits that are linked to the output circuit, triggered by the output circuit receiving an error signal.
  • Some embodiments also relate to a control unit having a first interface circuit for accessing a first memory, at least one circuit likely to send a request to access the first memory, and an output circuit, the control unit being configured to implement the method as described above.
  • According to one embodiment, the first memory is a volatile memory.
  • According to one embodiment, the control unit includes a second interface circuit for accessing a second memory.
  • According to one embodiment, the second memory is a non-volatile memory.
  • According to one embodiment, the circuits of the control unit, likely to send a request to access the first or the second memory, include a processing unit and possibly at least one transfer circuit for transferring data blocks to or from a memory.
  • According to one embodiment, the control unit includes an error signal masking circuit configured to send only unmasked error signals to the output circuit.
  • According to one embodiment, the masking circuit is configured to receive at least one other error signal belonging to the assembly including a control unit power supply error signal, a comparison signal for comparing an input signal of the control unit with a threshold, a hardware error signal, an emergency stop manual trigger signal, and a system clock error signal of the control unit.
  • Some embodiments also relate to an apparatus having power circuits and a control unit as defined above, the output circuit (OLC) of the control unit being linked to the power circuits.
  • According to one embodiment, the output circuit is linked to the power circuits through power switches controlled by the output circuit, the output circuit being configured to execute a procedure for stopping the power circuits upon receiving each error signal.
  • BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS
  • Some examples of embodiments of the present disclosure will be described below in relation with, but not limited to, the following figures.
  • Non-limiting and non-exhaustive embodiments are described with reference to the following drawings, wherein like labels refer to like parts throughout the various views unless otherwise specified. The sizes and relative positions of elements in the drawings are not necessarily drawn to scale. For example, the shapes of various elements and angles are not drawn to scale, and some of these elements are enlarged and positioned to improve drawing legibility. Further, the particular shapes of the elements as drawn are not intended to convey any information regarding the actual shape of the particular elements and have been solely selected for ease of recognition in the drawings. One or more embodiments are described hereinafter with reference to the accompanying drawings in which:
  • FIG. 1 represents circuits of an apparatus having a control unit and power circuits, according to one embodiment;
  • FIG. 2 represents a circuit of the control unit, according to one embodiment.
  • DETAILED DESCRIPTION
  • FIG. 1 represents circuits of an apparatus such as a household appliance.
  • The circuits represented in FIG. 1 include a control unit MC, power switches PSW controlled by the unit MC, and power circuits LDC connected to the switches PSW. The unit MC includes a processing unit PU and a bus interconnection matrix BMX connected to the unit PU. The unit MC may also include particularly one or more data block transfer circuits DMA1, DMA2 for transferring data blocks to or from a memory, connected to the matrix BMX, and other circuits OBM which can request access to the matrix BMX. The unit MC also includes a volatile memory VM, for example of RAM type, and a non-volatile memory NVM, for example of EEPROM or Flash type. The memory VM is linked to the bus BMX through an interface circuit IVM carrying out a parity check in particular. The memory NVM is linked to the bus BMX through an interface circuit INV particularly performing functions of detecting and correcting errors in the words read in the memory.
  • The unit MC may be a microcontroller or a microprocessor. The memories VM, NVM may be internal or external to the unit MC. The power switches PSW include for example Insulated Gate Bipolar Transistors (IGBT).
  • The circuit IVM is configured to calculate a check sum of CRC type (Cyclic Redundancy Check) for checking a word read in the memory VM and to compare the check sum calculated with a check sum stored in the memory VM in association with the word read. If the check sum calculated does not correspond to the one read in the memory VM in association with the word read, the circuit IVM activates the error signal PS. The check sum is for example a parity calculation and supplies a result on one so-called “parity” bit. In this example, each word stored in the memory VM is thus associated with a parity bit.
  • The circuit INV is configured to implement an error detection and correction algorithm, for example an algorithm based on Hamming codes. Each word stored in the memory NVM is associated with several parity bits the number of which is chosen according to the number of errors in a word likely to be corrected and to the number of errors likely to be detected. If the circuit INV detects errors on a word read that it is not able to correct, it activates an error signal ES.
  • The control unit MC also includes timers TMR generating timing signals or Pulse Width Modulation signals (PWM), and a logic control circuit OLC receiving output signals from the circuits TMR. The circuit OLC includes outputs each connected to a control input of one of the power switches PSW. The circuit OLC controls the switches PSW according to predetermined sequences paced using the signals from the timers TMR.
  • According to one embodiment, each of the error signals sent by the circuits IVM and INV is sent to a logic error management circuit FLC, which can further receive error signals sent by other circuits (not illustrated) in the unit MC. The output of the circuit FLC is connected to an input of the circuit OLC provided for receiving a stop signal SS. The signal SS controls the execution of stop sequences that control the switches PSW so as to appropriately stop the various actuators of the power circuits LDC and shut down the power supply of the power circuits. The circuit FLC is configured to activate the stop signal SS upon receiving an active error signal, and possibly to mask certain error signals so that they do not trigger the stop procedure.
  • FIG. 2 represents the logic circuit FLC according to one embodiment. The circuit FLC includes a masking register MSK, several AND-type logic gates AG1-AG7, and one OR-type logic gate OG1. Each gate AG1-AG7 receives at one input a respective bit of a cell of the register MSK and at another input one of the error signals supplied at the input of the circuit FLC. The output of each gate AG1-AG7 is connected to a respective input of the gate OG1. The output of the gate OG1 supplies the stop signal SS controlling the circuit OLC. Each cell of the register MSK can thus take either a masked state (at 0 in the example in FIG. 2) or an unmasked state (at 1), the unmasked state authorizing the error signal associated with the cell by one of the gates AG1-AG7 to cause the activation of the stop signal SS and thus the execution of the stop sequence by the circuit OLC. The register MSK can be connected to the bus BMX so as to be write-accessible, particularly by the unit PU. The error signals include the signals PS, ES supplied by the circuits IVM and INV and may also include, in particular, an error signal PVD coming from a power supply supervision circuit in the unit MC, signals CMP coming from comparators provided to compare input signals of the unit MC with thresholds, hardware error signals HFT, an emergency stop manual trigger signal BKI, and a system clock error signal CKS of the unit MC. When the signal SS is active, it thus corresponds to at least one active and unmasked error signal.
  • Therefore, each cell of the register MSK in the masked state prevents the execution of the stop sequence by the circuit OLC when the associated error signal becomes active. The register MSK can be write-protected so that each of its cells is only authorized to change to the masked state, their changing to the unmasked state thus being prohibited. Each cell of the register MSK can be initialized to the unmasked state when initializing the unit MC, then loaded with a masking word read in the memory NVM by a start-up procedure of the unit MC, executed for example by the unit PU. The program executed by the unit MC may then only change the cells of the register MSK to the masked state.
  • It will be understood by those skilled in the art that various alternative embodiments and various applications of the present invention are possible. In particular, the present invention is not limited to the circuits described herein and also, for example, covers a control unit connected to external memories. In addition, the control unit does not necessarily include a masking circuit. Indeed, in certain applications it may not be necessary to mask the error signals. Furthermore, the control unit is not necessarily linked to power circuits.
  • Moreover, the check of the parity of data read in a memory is not necessarily performed on a volatile memory, but may naturally be performed on a non-volatile memory. The error detection and correction operations can also be performed on a volatile memory.
  • The various embodiments described above can be combined to provide further embodiments. These and other changes can be made to the embodiments in light of the above-detailed description. In general, in the following claims, the terms used should not be construed to limit the claims to the specific embodiments disclosed in the specification and the claims, but should be construed to include all possible embodiments along with the full scope of equivalents to which such claims are entitled. Accordingly, the claims are not limited by the disclosure.
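The following is an added example, not part of the patent text: a C software model of the circuit FLC of FIG. 2 (gates AG1-AG7, gate OG1) and of the write-protected register MSK described above. The bit position assigned to each error signal, the function names and the masking word 0x77 are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Error inputs of FLC. The signal names are the patent's; the bit position
 * given to each one is an assumption of this model. */
enum {
    ERR_PS  = 1u << 0,  /* memory error signal PS */
    ERR_ES  = 1u << 1,  /* memory error signal ES */
    ERR_PVD = 1u << 2,  /* power supply supervision */
    ERR_CMP = 1u << 3,  /* input comparator against a threshold */
    ERR_HFT = 1u << 4,  /* hardware error */
    ERR_BKI = 1u << 5,  /* manual emergency stop trigger */
    ERR_CKS = 1u << 6   /* system clock error */
};
#define FLC_ALL 0x7Fu   /* seven cells, one per gate AG1-AG7 */

typedef struct { uint8_t msk; } flc_t;  /* cell = 1: unmasked, 0: masked */

/* Initialization of the unit: every cell starts unmasked. */
void flc_reset(flc_t *f) { f->msk = FLC_ALL; }

/* Write-protected register: a write is ANDed into the current value, so a
 * cell can go from unmasked (1) to masked (0) but never back. */
uint8_t flc_write_msk(flc_t *f, uint8_t word)
{
    f->msk &= (uint8_t)(word & FLC_ALL);
    return f->msk;
}

/* SS = OG1(AG1..AG7), each AGi = MSK cell i AND error input i. */
bool flc_stop_signal(const flc_t *f, uint8_t errors)
{
    bool ss = false;
    for (unsigned i = 0; i < 7; i++) {
        bool ag = ((f->msk >> i) & 1u) && ((errors >> i) & 1u);
        ss = ss || ag;
    }
    return ss;
}

/* Active error signals that are masked and so cannot raise SS
 * (a diagnostic helper added for this model). */
uint8_t flc_suppressed(const flc_t *f, uint8_t errors)
{
    return (uint8_t)(errors & ~f->msk & FLC_ALL);
}

int main(void)
{
    flc_t f;
    flc_reset(&f);
    flc_write_msk(&f, 0x77);  /* constructed masking word: masks CMP only */
    flc_write_msk(&f, 0x7F);  /* attempt to unmask CMP: has no effect */
    printf("MSK=0x%02X\n", (unsigned)f.msk);
    printf("CMP alone   -> SS=%d\n", flc_stop_signal(&f, ERR_CMP));
    printf("CMP and BKI -> SS=%d\n", flc_stop_signal(&f, ERR_CMP | ERR_BKI));
    printf("suppressed  =0x%02X\n", (unsigned)flc_suppressed(&f, ERR_CMP | ERR_PS));
    return 0;
}
```

The model makes the one-directional nature of the protection visible: after the start-up load, later writes can mask further signals but can never re-enable a masked one until the unit is initialized again.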

Claims (21)

1. A method to process faults in a control unit, the method comprising:
upon each request to read a datum in a first memory, received by a first interface circuit configured to access the first memory, calculating by the first interface circuit a check word based on the datum read;
if the calculated check word is different from a check word read in the first memory in association with the datum read, activating by the first interface circuit an error signal; and
sending the error signal to an output circuit of the control unit without using other circuits of the control unit configured to send a request to access the first memory.
2. A method according to claim 1, comprising applying a parity calculation by the first interface circuit to the datum read to calculate the check word.
3. A method according to claim 1, comprising:
upon each request for reading a second datum in a second memory, received by a second interface circuit configured to access the second memory, detecting errors in the second datum read by the second interface circuit using error-correction bits read in the second memory in association with the second datum read;
if non-correctable errors are detected by the second interface circuit in the second datum read, activating a second error signal by the second interface circuit; and
sending the second error signal from the second interface circuit to the output circuit without using other circuits of the control unit configured to send a request to access the second memory.
4. A method according to claim 1 wherein the output circuit is configured to receive at least one other error signal of a plurality of error signals, the at least one other error signal drawn from the group of a control unit power supply error signal, a comparison signal for comparing an input signal of the control unit with a threshold, a hardware error signal, an emergency stop manual trigger signal, and a system clock error signal of the control unit.
5. A method according to claim 4 wherein each error signal is sent to the output circuit if each respective error signal is not masked by a masking circuit.
6. A method according to claim 5, comprising:
initializing the masking circuit to an unmasked state wherein each respective error signal of the plurality of error signals is passable to the output circuit;
masking at least one of the plurality of error signals; and
prohibiting the unmasking of the at least one of the plurality of error signals to prevent being passable again to the output circuit the at least one of the plurality of error signals that was masked.
7. A method according to claim 1, comprising:
executing by the output circuit a procedure to stop power circuits linked to the output circuit, the procedure triggered by the output circuit receiving the error signal.
8. A control unit, comprising:
at least one circuit configured to send a request to read a datum in a first memory;
a first interface circuit configured to access the first memory, configured to calculate a check word based on the datum read, and configured, if the calculated check word is different from a check word read in the first memory in association with the datum read, to activate an error signal;
an output circuit; and
an error management circuit configured to send the error signal to the output circuit without using other circuits of the control unit that are configured to send the request to access the first memory.
9. A control unit according to claim 8 wherein the first memory is a volatile memory.
10. A control unit according to claim 8 comprising:
a second interface circuit configured to access a second memory.
11. A control unit according to claim 10 wherein the second memory is a non-volatile memory.
12. A control unit according to claim 10, comprising:
a plurality of circuits, each circuit of the plurality of circuits configured to send a request to access the first or the second memory, the plurality of circuits including a processing unit and at least one transfer circuit configured to transfer data blocks to or from the first memory or the second memory.
13. A control unit according to claim 8, comprising:
an error signal masking circuit configured to send only unmasked error signals to the output circuit.
14. A control unit according to claim 13 wherein the error signal masking circuit is configured to receive at least one other error signal of a plurality of error signals, the at least one other error signal drawn from the group of a control unit power supply error signal, a comparison signal for comparing an input signal of the control unit with a threshold, a hardware error signal, an emergency stop manual trigger signal, and a system clock error signal of the control unit.
15. An apparatus comprising:
power circuits;
power switches; and
a control unit, the control unit including:
an output circuit linked to the power circuits via the power switches; and
an interface circuit coupled to a memory, the interface circuit configured to read a datum in the memory and configured to read a check word in memory associated with the datum, the interface circuit configured to calculate a check word based on the datum, and the interface circuit configured, if the calculated check word is different from the read check word, to activate an error signal, the error signal configured for passage to at least one power switch.
16. An apparatus according to claim 15 wherein the output circuit is configured to execute a procedure to stop at least one power circuit upon receiving the error signal.
17. An apparatus according to claim 15, the control unit including:
a second interface circuit coupled to a second memory.
18. An apparatus according to claim 17 wherein at least one of the first memory and second memory is an external memory coupled to the apparatus.
19. An apparatus according to claim 17, the control unit including:
a plurality of circuits, each circuit of the plurality of circuits configured to send a request to access the first memory or the second memory, the plurality of circuits including a processing unit and at least one transfer circuit configured to transfer data blocks to or from the first memory or the second memory.
20. An apparatus according to claim 16, the control unit including:
an error signal masking circuit configured to send only unmasked error signals to the output circuit.
21. An apparatus according to claim 16 wherein the error signal masking circuit is configured to receive at least one other error signal of a plurality of error signals, the at least one other error signal drawn from the group of a control unit power supply error signal, a comparison signal for comparing an input signal of the control unit with a threshold, a hardware error signal, an emergency stop manual trigger signal, and a system clock error signal of the control unit.
US13/536,712 2011-06-28 2012-06-28 Method of processing faults in a microcontroller Abandoned US20130007565A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US15/888,624 US10162701B2 (en) 2011-06-28 2018-02-05 MCU with processor-independent memory fault detection

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FR1155727 2011-06-28
FR1155727A FR2977340B1 (en) 2011-06-28 2011-06-28 METHOD FOR PROCESSING FAILURES IN A MICROCONTROLLER

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US15/888,624 Continuation US10162701B2 (en) 2011-06-28 2018-02-05 MCU with processor-independent memory fault detection

Publications (1)

Publication Number Publication Date
US20130007565A1 (en) 2013-01-03

Family

ID=47391977

Family Applications (2)

Application Number Title Priority Date Filing Date
US13/536,712 Abandoned US20130007565A1 (en) 2011-06-28 2012-06-28 Method of processing faults in a microcontroller
US15/888,624 Active US10162701B2 (en) 2011-06-28 2018-02-05 MCU with processor-independent memory fault detection

Country Status (2)

Country Link
US (2) US20130007565A1 (en)
FR (1) FR2977340B1 (en)

Also Published As

Publication number Publication date
FR2977340B1 (en) 2013-07-12
US10162701B2 (en) 2018-12-25
US20180157556A1 (en) 2018-06-07
FR2977340A1 (en) 2013-01-04

Legal Events

Date Code Title Description
AS Assignment

Owner name: ST MICROELECTRONICS (ROUSSET) SAS, FRANCE

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:ONDE, VINCENT;DAVIDESCU, DRAGOS;SIGNING DATES FROM 20120723 TO 20120820;REEL/FRAME:028952/0783

AS Assignment

Owner name: STMICROELECTRONICS (ROUSSET) SAS, FRANCE

Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE ASSIGNEE'S NAME PREVIOUSLY RECORDED AT REEL: 028952 FRAME: 0783. ASSIGNOR(S) HEREBY CONFIRMS THE ASSIGNMENT;ASSIGNORS:ONDE, VINCENT;DAVIDESCU, DRAGOS;SIGNING DATES FROM 20120723 TO 20120820;REEL/FRAME:045279/0685

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION