Reconfiguration control device

Abstract

In the invention, a problem is solved in which, in order to achieve high performance and high reliability with the conventional multi-core and lockstep core, a redundant lockstep core is necessarily prepared to execute a multi-core program in which an error has occurred, a circuit area increases, and a cost and a power consumption increase. In the invention, a safe operation of a control system is secured by operating a software program operating on a multi-core in which an error has occurred as degenerate software on a core switched from a lockstep operation to a multi-core operation.

Claims

1. A reconfiguration control device comprising: a multi-core; a lockstep core; and a system control part that dynamically switches the lockstep core to a first core and a second core, wherein the system control part dynamically switches the lockstep core to a multi-core operation when an error occurs in the multi-core, and the system control part instructs restart and diagnosis of the multi-core while a software that was operating on the multi-core is operating on the first core.

2. The reconfiguration control device according to claim 1, wherein the system control part includes a reconfiguration control part that outputs a selection signal based on values of a control output from the multi-core and a control output from the lockstep core, and a multiplexer that selects from the control output from the multi-core and the control output from the lockstep core according to a value of the selection signal.

3. The reconfiguration control device according to claim 2, wherein the reconfiguration control part includes a nonvolatile memory in which the software is arranged, and reads binary data of degenerate software from the nonvolatile memory based on the values of the control output from the multi-core and the control output from the lockstep core.

4. The reconfiguration control device according to claim 1, wherein the system control part selects and outputs a control output from the first core instead of a control output from the multi-core when the error occurs in the multi-core.

5. A reconfiguration control device comprising: a multi-core; a first lockstep core; a second lockstep core; and a system control part that dynamically switches the first lockstep core to a first core and a second core, wherein the system control part dynamically switches the first lockstep core to a multi-core operation when an error occurs in the multi-core, and the system control part instructs restart and diagnosis of the multi-core while a software that was operating on the multi-core is operating on the first core.

6. The reconfiguration control device according to claim 5, wherein the system control part includes a reconfiguration control part that outputs a selection signal based on values of a control output from the multi-core and a control output from the first lockstep core, and a multiplexer that selects from the control output from the multi-core and the control output from the first lockstep core according to a value of the selection signal.

7. The reconfiguration control device according to claim 6, wherein the reconfiguration control part includes a nonvolatile memory in which the software is arranged, and reads binary data of degenerate software from the nonvolatile memory based on the values of the control output from the multi-core and the control output from the first lockstep core.

8. The reconfiguration control device according to claim 5, wherein the system control part selects and outputs a control output from the first core instead of a control output from the multi-core when the error occurs in the multi-core.

Description

BRIEF DESCRIPTION OF DRAWINGS

(1) FIG. 1 is an example of a configuration for performing a multi-core operation and a lockstep operation in a reconfiguration control device of the invention in a first embodiment.

(2) FIG. 2 is an example of a configuration method of a system control part in the reconfiguration control device according to the first embodiment.

(3) FIG. 3 is an example of a configuration method of a reconfiguration control part in the reconfiguration control device of the first embodiment.

(4) FIG. 4 is an example illustrating a configuration when the lockstep operation is switched to the multi-core operation in the reconfiguration control device of the first embodiment.

(5) FIG. 5 is an example illustrating a timing chart in which software operates in the configuration of FIG. 4.

(6) FIG. 6 is an example of a configuration for performing a multi-core operation and a lockstep operation in the reconfiguration control device of the invention in a second embodiment.

(7) FIG. 7 is an example of a configuration method of a system control part in the reconfiguration control device of the second embodiment.

(8) FIG. 8 is an example of a configuration method of a reconfiguration control part in the reconfiguration control device of the second embodiment.

(9) FIG. 9 is an example illustrating a configuration when the lockstep operation is switched to the multi-core operation in the reconfiguration control device of the second embodiment.

(10) FIG. 10 is an example illustrating a timing chart in which software operates in the configuration of FIG. 9.

(11) FIG. 11 is an example of a configuration for performing a multi-core operation and a lockstep operation in the reconfiguration control device of the invention in a third embodiment.

(12) FIG. 12 is an example illustrating a configuration when the lockstep operation is switched to the multi-core operation in the reconfiguration control device of the third embodiment.

(13) FIG. 13 is a view illustrating an example when the reconfiguration control device of the invention is applied to an in-vehicle system.

(14) FIG. 14 is a view illustrating an example when the reconfiguration control device of the invention is applied to an industrial control system.

DESCRIPTION OF EMBODIMENTS

(15) Hereinafter, embodiments of the invention will be described using the drawings.

First Embodiment

(16) An example of an embodiment of the invention will be described with reference to FIGS. 1 to 5.

(17) FIG. 1 illustrates an example of a reconfiguration control device of the invention.

(18) In the reconfiguration control device illustrated in FIG. 1, four cores 10, 11, 12, and 13 are configured to be a multi-core. The core 10 is connected to a memory 50, and the software of the core 10 is arranged in the memory 50 and performs processing. Similarly, the core 11 is connected to a memory 51, the core 12 is connected to a memory 52, and the core 13 is connected to a memory 53, and each software is arranged in the memory and performs processing. In the example of FIG. 1, software A (30) is arranged in the memories 50 and 51, and multi-core operation is performed in the cores 10 and 11. On the other hand, the software B (31) is arranged only in the memory 52 and operates on the core 12, and similarly the software C (32) is arranged only in the memory 53 and operates on the core 13. These cores 10, 11, 12, 13, memories 50, 51, 52, 53, software A (30), software B (31), and software C (32) are collectively referred to as a multi-core system 2 here. Cores 20 and 21 configure a lockstep (LS). That is, the cores 20 and 21 share a memory 60, the core 20 operates software P (33), the core 21 operates the same software P (34) as the software P (33), and occurrence of an error is detected by collating during the operation. These cores 20 and 21, memory 60, software P (33), and software P (34) are collectively referred to as a lockstep core system 3 here.

(19) As a core error detection unit, a technology such as parity, ECC (Error Correction Code), and watchdog timer are known. Further, a technology described in JP 3175896 B2 (PTL 3) is known as a collation method during the lockstep operation.

(20) Further, in a system control part 6 illustrated in FIG. 1, a control output 100, a control output 101, a control output 102, a control output 103, a control output 111, and a control output 110 are input from the core 10, the core 11, the core 12, the core 13, the core 20, and the core 21, respectively. A reset signal 70, a reset signal 71, a reset signal 72, a reset signal 73, a switching control signal 81, and a switching control signal 80 are output to the core 10, the core 11, the core 12, the core 13, the core 20, and the core 21, respectively. Control outputs 104, 105, 106, 107, and 113 are output to the outside of a control unit 1.

(21) FIG. 2 illustrates an example of a detailed configuration method of the system control part 6 illustrated in FIG. 1.

(22) In a reconfiguration control part 8 inside the system control part 6, the control signals 100, 101, 102, 103, and 110 are input, the reset signals 70, 71, 72, and 73 and the switching control signals 81 and 80 are output, and further the selection signal 120 is output.

(23) The multiplexer 90 selects one control output of the control outputs 100, 101, 102, 103, 111, and 110 according to the value of the selection signal 120 and outputs the selected control output as a control output 104. The same applies to multiplexers 91, 92, 93, and 94.

(24) FIG. 3 illustrates an example of a detailed configuration method of the reconfiguration control part 8 illustrated in FIG. 2.

(25) In a nonvolatile memory 200 illustrated in FIG. 3, software that operates in a multi-core system and a lockstep core system is arranged.

(26) A control output selection part 201 receives the control outputs 100, 101, 102, and 103 and the control output 110 and outputs a memory access signal 211 to the nonvolatile memory 200. The memory access signal 211 is a signal for reading binary data 210 of the software from the nonvolatile memory 200. For example, when an error occurs in the core 13 in FIG. 1, the error information in the core 13 is input to the control output selection part 201 by the control output 103, and the control output selection part 201 outputs the memory access signal 211 so as to read the binary data 210 of the degenerate software corresponding to the software C (32) from the nonvolatile memory 200.

(27) The binary data 210 read from the nonvolatile memory 200 is combined with a core enable signal 212 output from the control output selection part 201 by the signal combining circuit 202 and output to the cores 20 and 21 as the switching control signals 81 and 80.

(28) The control output selection part 201 outputs a selection signal 120. The selection signal 120 is a signal for selecting the respective control outputs 104, 105, 106, 107, and 113 output from the multiplexers 90, 91, 92, 93, and 94 illustrated in FIG. 2. For example, when an error occurs in the core 13 in FIG. 1, the control output 111 is selected and output to the control output 107 illustrated in FIG. 2 by the selection signal 120 described in FIG. 3. The other multiplexer 90 selects the control output 100 and outputs the control output as the control output 104, the multiplexer 91 selects the control output 101 and outputs the control output as the control output 105, the multiplexer 92 selects the control output 102 and outputs the control output as the control output 106, and the multiplexer 94 selects the control output 110 and outputs the control output as the control output 113.

(29) FIG. 4 is an example illustrating a configuration of a case where the lockstep operation is switched to the multi-core operation in the reconfiguration control device of the invention in the first embodiment and is different in that the lockstep core is switched from the lockstep operation to the multi-core operation mode, and the software arranged on the memory is replaced compared with the reconfiguration control device illustrated in FIG. 1.

(30) In the control unit 1 of FIG. 4, an example is illustrated in which an error occurs in the core 13 in the multi-core system 2 and the software C (32) becomes inoperable.

(31) According to the control output 103 from the core 13 in which an error has occurred, the cores 20 and 21 are switched from the lockstep operation mode to the multicore operation mode by the switching control signals 81 and 80 from the system control part 6 by the reconfiguration control part 8 described in FIG. 3, and the degenerate software C (35) corresponding to the software C (32) is arranged in the memory 60.

(32) At this time, the selection signal 120 is output from the reconfiguration control part 8 described with reference to FIG. 2 such that the control output 103 from the core 13 in which an error has occurred is not output to the outside of the control unit 1 as the control output 107, and the control output 111 of the core 20 in which the degenerate software C (35) is operating is output as the control output 107.

(33) FIG. 5 is an example illustrating a timing chart of the software operating in the multi-core system and the lockstep core system in the reconfiguration control device illustrated in FIG. 4.

(34) In control cycle S1, the software A (30) operates on the cores 10 and 11 of the multi-core system 2, the software B (31) operates on the core 12 following the software A (30), and further the software C (32) subsequently operates on the core 13.

(35) In the same control cycle S1, the software P (33) operates on the core 20 of lockstep core system 3, the software P (34) operates on the core 21, and the software P (33) and software P (34) perform a collation process during operation.

(36) Control cycle S2 in FIG. 5 is the same operation as control cycle S1.

(37) In control cycle S3 in FIG. 5, when an error occurs in the core 13, and the software C (32) becomes inoperable, the degenerate operation described in FIG. 4 causes the core 20 to operate the degenerate software C (35), and the core 13 performs a return process by a reset signal 73 from the system control part 6.

(38) As described above, even if an error occurs in the core 13, the software A (30), software B (31), degenerate software C (35), and software P (34) can operate in the control cycle S3, and thus a process can continue as a whole system while degenerating without stopping.

(39) FIG. 5 illustrates an example in which the return process is performed to the control cycle S4 and a return is made at the control cycle S5. Therefore, in the control cycle S5, the software C (32) operates again in the core 13, and the software P (33) that operates in the core 20 of the lockstep core system 3 and the software P (34) that operates in the core 21 perform a collation process. By adopting such a configuration, even if an error occurs in the multi-core, the degenerate software can be operated by switching the already mounted lockstep core to the multi-core operation, and thus the operation of the control system can continue without requiring additional hardware cost.

(40) In the first embodiment, the number of cores of the multi-core system is described as four. However, the number of cores is not limited to four and may be implemented with various numbers of cores.

Second Embodiment

(41) Next, an example of another embodiment of the invention will be described with reference to FIGS. 6 to 10.

(42) Compared to FIG. 1 of the first embodiment in the reconfiguration control device of the present invention, FIG. 6 is different in that one lockstep core system is added to form a dual lockstep core system configuration. In FIG. 6, a lockstep core system 4 including the cores 22 and 23, the memory 61, the software P (36), and the software P (37) is provided in addition to the lockstep core system 3 including the cores 20 and 21, the memory 60, the software P (33), and the software P (34). Similarly to the lockstep core system 3, in the lockstep core system 4, the cores 22 and 23 shares the memory 61, and the software P (36) operates on the core 22, the same software P (37) as the software P (36) operates on the core 23, and the collation is performed during operation to detect the occurrence of an error. Furthermore, compared to the system control part 6 described in FIG. 1, the system control part 7 illustrated in FIG. 6 has an addition in that the control output 115 and the control output 112 are input from the core 22 and the core 23, respectively, the switching control signal 83 and the switching control signal 82 are output to the core 22 and the core 23, respectively, and further the control output 114 is output to the outside of a control unit 5.

(43) FIG. 7 illustrates an example of a detailed configuration method of the system control part 7 illustrated in FIG. 6 and is different in that the multiplexer and the control signal corresponding to the dual lockstep core system configuration are added compared to the system control part 6 described in FIG. 2.

(44) The multiplexer 90 selects one control output of the control outputs 100, 101, 102, 103, 111, 110, 115, and 112 according to the value of the selection signal 120 and outputs the selected control output as a control output 104. The same applies to the multiplexers 91, 92, 93, and 94 and the newly added multiplexer 95.

(45) FIG. 8 illustrates an example of a detailed configuration method of the reconfiguration control part 9 illustrated in FIG. 7 and is different in that the control output and the switching control signal corresponding to the dual lockstep core system configuration are added compared to the reconfiguration control part 8 described in FIG. 3.

(46) A control output selection part 203 in FIG. 8 receives the control outputs 100, 101, 102, and 103 and the control outputs 110 and 112 and outputs a memory access signal 211 to the nonvolatile memory 200. Thus, the same operation as that of the control output selection part 201 described in FIG. 3 is performed.

(47) The binary data 210 read from the nonvolatile memory 200 is combined with the core enable signal 212 output from the control output selection part 203 by the signal combining circuit 202, the switching control signals 81 and 80 are output to the cores 20 and 21, and the switching signals 83 and 82 are output to the cores 22 and 23.

(48) FIG. 9 is an example illustrating a configuration of a case where the lockstep operation is switched to the multi-core operation in the reconfiguration control device of the invention in the second embodiment and is different in that the lockstep core is switched from the lockstep operation to the multi-core operation mode, and the software arranged on the memory is replaced compared with the reconfiguration control device illustrated in FIG. 6.

(49) In the control unit 5 of FIG. 9, an example is illustrated in which an error occurs in the core 13 in the multi-core system 2, and the software C (32) becomes inoperable.

(50) According to the control output 103 from the core 13 in which an error has occurred, the cores 20 and 21 are switched from the lockstep operation mode to the multicore operation mode by the switching control signals 81 and 80 from the system control part 7 by the reconfiguration control part 8 described in FIG. 3, and the degenerate software C (35) corresponding to the software C (32) is arranged in the memory 60.

(51) At this time, the selection signal 120 is output from the reconfiguration control part 9 described with reference to FIG. 7 such that the control output 103 from the core 13 in which an error has occurred is not output to the outside of the control unit 5 as the control output 107, and the control output 111 of the core 20 in which the degenerate software C (35) is operating is output as the control output 107.

(52) FIG. 10 is an example illustrating a timing chart of the software operating in the multi-core system and the lockstep core system in the reconfiguration control device illustrated in FIG. 9 and is different in that the lockstep core system 4 is added compared to the timing chart described in FIG. 5.

(53) In control cycle S3 in FIG. 10, when an error occurs in the core 13, and the software C (32) becomes inoperable, the degenerate operation described in FIG. 9 causes the core 20 to operate the degenerate software C (35), and in the core 13, a return process is performed by a reset signal 73 from the system control part 7.

(54) As described above, even if an error occurs in the core 13, the software A (30), software B (31), degenerate software C (35), and software P (34) can operate in the control cycle S3, and thus a process can continue as a whole system while degenerating without stopping.

(55) In FIG. 10, the software P (36) operates on the core 22 of the lockstep core system 4, the software P (37) operates on the core 23, and the software P (36) and the software P (37) perform a collation process during operation.

(56) As described above, by configuring the reconfiguration control device of the invention as a dual lockstep core system, even if an error occurs in one lockstep core system and the operation is switched to the multi-core operation, another lockstep core system can continue the lockstep operation. Thus, for example, the invention can be applied to a system that requires high reliability, for example, that requires compliance with functional safety standards.

(57) In the second embodiment, the number of cores of the multi-core system is described as four. However, the number of cores is not limited to four and may be implemented with various numbers of cores.

Third Embodiment

(58) Next, an example of another embodiment of the invention will be described with reference to FIGS. 11 and 12.

(59) FIG. 11 is different from FIG. 1 of the first embodiment in the reconfiguration control device of the invention in that the multi-core system and the lockstep core system are separated to be connected by a bus.

(60) The system control part 16 in FIG. 11 corresponds to the multi-core system 2, the system control part 17 corresponds to the lockstep core system 3, the system control parts 16 and 17 are connected by the control bus 301 and the memory bus 302, and the nonvolatile memory 300 is connected to the memory bus 302. Similarly to the internal configuration of the system control part 6 described with reference to FIG. 2, the internal configuration of the system control parts 16 and 17 includes a multiplexer and a reconfiguration control part. FIG. 12 is an example illustrating a configuration of a case where the lockstep operation is switched to the multi-core operation in the reconfiguration control device of the invention in the third embodiment and is different in that the lockstep core is switched from the lockstep operation to the multi-core operation mode, and the software arranged on the memory is replaced compared with the reconfiguration control device illustrated in FIG. 11.

(61) In the control units 14 and 15 of FIG. 12, an example is illustrated in which an error occurs in the core 13 in the multi-core system 2, and the software C (32) becomes inoperable.

(62) According to the control output 103 from the core 13 in which an error has occurred, the cores 20 and 21 are switched from the lockstep operation mode to the multicore operation mode by the switching control signals 81 and 80 from the system control part 17 by the reconfiguration control part 16, and the degenerate software C (35) corresponding to the software C (32) is arranged in the memory 60 from the nonvolatile memory 300 via the memory bus 302.

(63) At this time, the reconfiguration control parts 16 and 17 output selection signals such that the control output 103 from the core 13 in which an error has occurred is not output to the outside of the control unit 14 as the control output 107, and the control output 111 of the core 20 in which the degenerate software C (35) is operating is output as the control output 107. By adopting such a configuration, even when the control system must be configured by a plurality of control units, between a control unit having only a multi-core configuration and a control unit having only a lockstep core configuration, the lockstep core can be switched to the multi-core operation to operate the degenerate software. Thus, the operation of the control system can continue without requiring redundant additional hardware costs.

(64) In the example of the third embodiment, the number of cores of the multi-core system is described as four. However, the number of cores is not limited to four and may be implemented with various numbers of cores.

Fourth Embodiment

(65) Next, an example of another embodiment of the invention will be described with reference to FIG. 13. FIG. 13 illustrates an example when the reconfiguration control device of the invention is applied to an in-vehicle system.

(66) The interior of the automobile 500 is configured by connecting a plurality of electronic control units (Electronic Control Unit, ECU). In this automobile 500, a camera 501 is connected to a camera ECU (511), a steer 502 is connected to a steer ECU (512), a motor 503 is connected to a motor ECU (513), and each ECU of the camera ECU (511), the steer ECU (512), and the motor ECU (513) is connected to an integrated ECU (514) and performs control as an automobile by operating in a coordinated manner.

(67) In this configuration, for example, in a case where an error occurs in the steer ECU (512), in the reconfiguration control device of the invention, when the software 40 operating in the steer ECU (512) is operated as the degenerate software 41 in the integrated ECU (514), the minimum operation for which the steer ECU (512) is responsible is continued, and when the rotation of the front wheels 504 and the rear wheels 505 is continued or stopped depending on the surrounding conditions, a safe operation is secured as the whole automobile 500.

(68) As described above, by applying the reconfiguration control device of the invention, even in a case where an error occurs in a part of the ECUs configuring the automobile, a safety can be maintained as a whole automobile while performing a degenerate operation.

Fifth Embodiment

(69) Next, an example of another embodiment of the invention will be described with reference to FIG. 14. FIG. 14 illustrates an example when the reconfiguration control device of the invention is applied to an industrial control system.

(70) This industrial control system includes a computer 600 that controls the system as a whole, a control controller 601 that is controlled by the computer 600, a programmable logic controller 602 that controls a control equipment 604, and a programmable logic controller 603 that controls a control equipment 605. The control controller 601 and the programmable logic controllers 602 and 603 are each connected via a control network 606.

(71) In this configuration, for example, in a case where an error occurs in the programmable logic controller 602, when the reconfiguration control device of the invention causes the software 42 operating in the programmable logic controller 602 to operate as the degenerate software 43 in the control controller 601 via the control network 606, the minimum operation for which the programmable logic controller 602 is responsible is continued, and when the operation of the control equipment 604 is continued or stopped safely, a safe operation is secured as the whole industrial control system.

(72) As described above, the reconfiguration control device of each embodiment includes a multi-core, a lockstep core, and a system control part that dynamically switches the lockstep core to a first core and a second core. The system control part dynamically switches the lockstep core to a multi-core operation when an error occurs in the multi-core, and the system control part instructs restart and diagnosis of the multi-core while the software operating on the multi-core is operating on the first core.

(73) The system control part includes a reconfiguration control part that outputs a selection signal based on values of a control output from the multi-core and a control output from the lockstep core, and a multiplexer that selects a control output from the multi-core and a control output from the lockstep core according to a value of the selection signal.

(74) The reconfiguration control part includes a nonvolatile memory in which the software is arranged, and reads binary data of degenerate software from the nonvolatile memory based the values of the control output from the multi-core and the control output from the lockstep core.

(75) The system control part selects and outputs a control output from the first core instead of the control output from the multi-core when an error occurs in the multi-core.

(76) A multi-core, a first lockstep core, a second lockstep core, and a system control part which dynamically switches the first lockstep core to the first core and the second core are provided. The system control part dynamically switches the first lockstep core to the multi-core operation when an error occurs in the multi-core, and the system control part instructs restart and diagnosis of the multi-core while the software operating on the multi-core is operating on the first core.

(77) As described above, by applying the reconfiguration control device of each embodiment, even in a case where an error occurs in a part of the controllers constituting the industrial control system, a safety can be maintained as a whole system while performing a degenerate operation.

(78) Incidentally, the invention is not limited to the embodiments described above but includes various modifications. For example, the above-described embodiments have been described in detail for easy understanding of the invention, and are not necessarily limited to those having all the described configurations. Also, a part of the configuration of one embodiment can be replaced with the configuration of another embodiment, and the configuration of another embodiment can be added to the configuration of one embodiment. In addition, it is possible to add, delete, and replace other configurations for a part of the configuration of each embodiment.

REFERENCE SIGNS LIST

(79) 1, 5, 14, 15 control unit 2 multi-core system 3, 4 lockstep core system 6, 7, 16, 17 system control part 8, 9 reconfiguration control part 10, 11, 12, 13, 20, 21, 22, 23 core 50, 51, 52, 53, 60, 61 memory 90, 91, 92, 93, 94, 95 multiplexer 200, 300 nonvolatile memory 200 signal combining circuit 201, 203 control output selection part 500 automobile 501 camera 502 steer 503 motor 504 front wheel 505 rear wheel 511 camera ECU 512 steer ECU 513 motor ECU 514 integrated ECU 600 computer 601 control controller 602, 603 programmable logic controller 604, 605 control equipment

Reconfiguration control device

Assignee

Inventors

Cpc classification

Classification Explorer

G05B2219/23146

PHYSICS

Classification Explorer

G05B19/0428

PHYSICS

Classification Explorer

G06F11/2035

PHYSICS

Classification Explorer

G06F11/1629

PHYSICS

Classification Explorer

G06F11/2028

PHYSICS

Classification Explorer

G05B19/0421

PHYSICS

Classification Explorer

G06F11/2025

PHYSICS

Classification Explorer

G05B2219/2205

PHYSICS

Classification Explorer

G06F11/2048

PHYSICS

Classification Explorer

G06F11/142

PHYSICS

Classification Explorer

G06F2201/85

PHYSICS

Classification Explorer

G06F2201/845

PHYSICS

International classification

Classification Explorer

G06F11/20

PHYSICS

Classification Explorer

G06F11/16

PHYSICS

Abstract

Claims

Description