TRIPLICATION REGISTER COMPRISING A SECURITY DEVICE
20210182383 · 2021-06-17
Inventors
CPC classification
G11C29/24 (Physics)
G06F21/85 (Physics)
G06F9/3012 (Physics)
G11C29/52 (Physics)
H03K3/0375 (Electricity)
H03K19/23 (Electricity)
G11C5/005 (Physics)
International classification
G06F11/22 (Physics)
G06F21/85 (Physics)
Abstract
A triplication register device includes a first register, a second register and a third register, the three registers being identical and containing the same information in common use, a majority vote device and a self-correction device, the correction being dependent on the result from the majority vote device, each register being controlled by an output of a dual-input multiplexer (mux), the first input corresponding to a functional write operation, the second input corresponding to the result of the majority vote, wherein the triplication device comprises a test device whose function is to block, on command and independently, either the functional write operation to the first register, or the functional write operation to the second register, or the functional write operation to the third register, or the self-correction. The test device may comprise a control register that may also be secured by triplication.
Claims
1. A triplication register device comprising a first register (REG. 1), a second register (REG. 2) and a third register (REG. 3), the three registers being identical and containing the same information in common use, a majority vote device and a self-correction device (BAC), the correction being dependent on the result from the majority vote device, each register being controlled by the output of a dual-input multiplexer (mux), the first input corresponding to a functional write operation, the second input corresponding to the result of the majority vote, wherein the triplication device comprises a test device whose function is to block, on command and independently, either the functional write operation to the first register, or the functional write operation to the second register, or the functional write operation to the third register, or the self-correction.
2. The triplication register device according to claim 1, wherein the test device comprises a control register containing at least four control bits (EN_1, EN_2, EN_3, EN_A), the first bit controlling the blocking of the functional write operation to the first register, the second bit controlling the blocking of the functional write operation to the second register, the third bit controlling the blocking of the functional write operation to the third register and the fourth bit controlling the blocking of the self-correction.
3. The triplication register device according to claim 2, wherein each control bit of the control register blocks all of the bits of the register associated with said control bit.
4. The triplication register device according to claim 3, wherein a first test configuration consists in blocking only the self-correction so as to check that the three registers are operating in a nominal manner.
5. The triplication register device according to claim 3, wherein a second test configuration consists in blocking only the write operation to the first register and the second register or the write operation to the first register and the third register or the write operation to the second register and the third register so as to check that the majority vote device is operating in a nominal manner.
6. The triplication register device according to claim 2, wherein a test comprises a sequence of first, second or third configurations taken in this order or in a different order.
7. The triplication register device according to claim 1, wherein the control register contains sixteen bits and the test device comprises a set of four secondary majority vote devices (VM1, VM2, VM3, VM4), the twelve first bits being organized into three groups of four identical control bits, each secondary majority vote device being driven by three control bits belonging respectively to the first group, to the second group and to the third group, each bit blocking the same function, either functional write operation or self-correction, the result of the majority vote blocking said function, the last four bits being used to reread the four results from the four secondary majority vote devices.
8. An electronic system on board an aircraft subject to high-altitude flying conditions, comprising at least one triplication register device, wherein said triplication device is in accordance with claim 1.
Description
BRIEF DESCRIPTION OF THE DRAWINGS
[0030] Other features, details and advantages of the invention will become apparent upon reading the description provided with reference to the appended drawings, which are given by way of example and in which, respectively:
DETAILED DESCRIPTION
[0039] The aim of the invention, with regard to the ordinary operation of a triplication register, is to be able to check the correct operation of every element of the majority-vote triplication mechanism, so that a latent fault that would render the triplication inoperative is detected rather than remaining hidden. The faults detected by the test device according to the invention are as follows:
[0040] one of the three registers is stuck at a constant value or cannot be written by a functional write operation when required;
[0041] the self-correction is not working;
[0042] the majority vote is incorrect for one or more combinations of the values of the three registers.
[0043] In aeronautics, electronic equipment has to meet stringent safety and reliability requirements. These requirements are governed by the standard RTCA DO-254 / EUROCAE ED-80, "Design Assurance Guidance for Airborne Electronic Hardware". This standard defines five criticality levels, the Design Assurance Levels (DAL) A to E. The most severe is level A, which applies to hardware whose failure could lead to a catastrophic condition: loss of the ability to continue safe flight and landing, or loss of the aircraft. The device according to the invention is compatible with DAL A.
[0044] The principle of the invention is based on two separate elements:
[0045] The possibility of individually blocking the write operations to each register during the functional write operation in order to be able to intentionally inject a different value into each register and to check the operation of the majority vote and the self-correction mechanism. This blocking process is shown in
[0046] The possibility of blocking the self-correction, thereby leaving the possibility of observing the result of the majority vote with different values in the three registers.
[0047] One simple means of creating the test device is a dedicated control (or test) register whose bits set the internal signals that activate the test modes of the triplication. This control register may conventionally be driven by the software of the system that controls the triplicated register. It may also be driven by a hardware state machine responsible for the built-in test, known by the acronym BITE (built-in test equipment).
[0048] In its basic version, the test register contains 4 control bits: three bits denoted EN_1, EN_2, EN_3 and one bit denoted EN_AUTOCORRECT, the effects of which are as follows:
[0049] If the bit EN_1 is at 1, then the functional write operation writes to the register REG 1. This is tantamount to retaining normal operation of the register.
[0050] If the bit EN_1 is at 0, then the functional write operation does not write to REG 1, that is to say that the register remains unchanged. The register is in test mode.
[0051] The bits EN_2 and EN_3 have the same operation with regard to the two registers REG 2 and REG 3 respectively.
[0052] If the bit EN_AUTOCORRECT is at 1, then the self-correction takes place normally on the three registers.
[0053] If the bit EN_AUTOCORRECT is at 0, then the self-correction is blocked on the three registers, that is to say that only the functional write operation is able to modify the three registers.
[0054] It should be noted that the choice of “1” or “0” to block or not block the functions is purely arbitrary.
[0055] The four bits and their actions are completely independent. Each control bit acts collectively on all of the bits of the register it controls (REG 1, REG 2 or REG 3 for EN_1, EN_2 and EN_3; all three registers for EN_AUTOCORRECT). For example, if REG 1, REG 2 and REG 3 are 16-bit registers, there is still just a single bit EN_1 in the control register, and it acts in the same way on all 16 bits of REG 1.
[0056] To gain a good understanding of the action of the control register,
[0057] In the normal operating configuration shown in
[0058] In the first test configuration shown in
[0059] In the second test configuration shown in
[0060] By alternating the values of the bits of EN_1, EN_2 and EN_3, each register is written to individually and the majority vote is tested with all of its input combinations. It is checked at the same time that the write operation to each of the registers takes place correctly, that is to say that none of the three registers are stuck at a constant value.
[0061] In the third test configuration shown in
[0062] It is of course possible to combine the above configurations. As a first example, if the three registers are first given different values by using the second configuration three times, and the third configuration is then applied, the self-correction loads the same majority-vote result into all three registers, which therefore become identical.
[0063] A second more complex example of combinations makes it possible to perform more sophisticated tests. For clarity, this example is broken down into two successive steps.
[0064] In a first step, the first configuration is used three times to write the combination "0, 0, 1" to the registers REG 1, REG 2 and REG 3 respectively (one register at a time, with the self-correction blocked so that the registers keep different values); rereading the majority vote gives 0. A 1 is then written to REG 2 alone, giving the combination "0, 1, 1", and rereading the majority vote now gives 1.
[0065] In a second step, the first configuration is again used three times to write the combination "0, 0, 1" to REG 1, REG 2 and REG 3; rereading the majority vote gives 0. The second configuration (self-correction enabled) is then applied. If the self-correction is operating correctly, REG 3 is rewritten with the vote result and the combination becomes "0, 0, 0". The first configuration is used again: a 1 is written to REG 2 alone, this time giving the combination "0, 1, 0", and rereading the majority vote this time gives 0.
[0066] Thus, at the end of the second step, the majority vote result differs from that at the end of the first step, the only difference between the two sequences being the self-correcting cycle. This checks that the self-correction rewrote REG 3 for the transition from 1 to 0.
[0067] By repeating the second step with the other possible combinations, it is checked that the self-correction works for each of the three registers and for both transitions, 1 to 0 and 0 to 1.
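As an added example (not code from the patent), the following Python model simulates the triplication register with its four control bits of [0048]-[0053] and runs the test sequences of [0059]-[0060] and [0065]-[0067] against a healthy register and against three injected faults of the kinds listed in [0040]-[0042]. The class and function names, the 16-bit width, the clock-cycle ordering (a write cycle never self-corrects; an idle cycle reloads every register with the vote) and the fault-injection hooks are assumptions made for the demonstration.

```python
"""Behavioural model of the triplication register and its blocking test device.
Added example, not code from the patent: names, the 16-bit width, the cycle
ordering (a write cycle never self-corrects, an idle cycle reloads the vote)
and the fault-injection hooks are assumptions made for this demonstration."""
from itertools import product

MASK = (1 << 16) - 1                                # assumption: 16-bit REG 1..3 ([0055])
GRAY = [0b000, 0b001, 0b011, 0b010, 0b110, 0b111, 0b101, 0b100]
PATTERNS = [(0x0000, 0xFFFF), (0x5555, 0xAAAA)]     # constructed test words


def majority(a, b, c):
    """Bitwise majority vote of three words."""
    return (a & b) | (a & c) | (b & c)


class TripleRegister:
    """REG 1..3 behind dual-input muxes, a majority voter and self-correction.
    en[i] models EN_1..EN_3 (1: writes reach the register), en_auto models
    EN_AUTOCORRECT.  Fault hooks (assumptions): stuck={i: word} holds REG i+1
    at a constant, vote= substitutes a faulty voter, broken_auto=True makes
    the self-correction a no-op."""

    def __init__(self, stuck=None, vote=majority, broken_auto=False):
        self.regs, self.en, self.en_auto = [0, 0, 0], [1, 1, 1], 1
        self.stuck, self.vote, self.broken_auto = stuck or {}, vote, broken_auto
        self._end_cycle()

    def _end_cycle(self):
        for i, word in self.stuck.items():          # a stuck register wins every cycle
            self.regs[i] = word & MASK

    def set_control(self, en1, en2, en3, en_auto):
        self.en, self.en_auto = [en1, en2, en3], en_auto

    def write(self, word):
        """Write cycle: muxes pass the data to registers whose EN bit is 1;
        a blocked register keeps its value."""
        self.regs = [word & MASK if e else r for r, e in zip(self.regs, self.en)]
        self._end_cycle()

    def idle(self):
        """Idle cycle: muxes feed the vote back into all three registers
        (self-correction) unless EN_AUTOCORRECT blocks it."""
        if self.en_auto and not self.broken_auto:
            self.regs = [self.vote(*self.regs)] * 3
        self._end_cycle()

    def read(self):
        """A functional read goes through the voter, never to one register."""
        return self.vote(*self.regs)


def only(i):
    """EN_1..EN_3 values letting a write reach register index i alone."""
    return [int(k == i) for k in range(3)]


def check_writes_and_vote(tr):
    """Second test configuration ([0059]-[0060]): self-correction blocked, one
    register rewritten per step, all eight voter input combinations visited in
    Gray-code order.  A stuck register or a wrong vote shows as a mismatch."""
    for zero, one in PATTERNS:
        tr.set_control(1, 1, 1, 0)
        tr.write(zero)                              # all three registers = zero
        words, prev = [zero, zero, zero], GRAY[0]
        for combo in GRAY[1:] + GRAY[:1]:
            i = (prev ^ combo).bit_length() - 1     # the single register that flips
            words[i] = one if (combo >> i) & 1 else zero
            tr.set_control(*only(i), 0)
            tr.write(words[i])
            if tr.read() != majority(*words):
                return False
            prev = combo
    return True


def check_self_correction(tr):
    """Second step of [0065]-[0067], generalized to every register and both
    transitions: make REG i the odd one out, allow one self-correcting cycle,
    re-block the correction and write the opposite value into another
    register; the vote then tells whether REG i was really rewritten."""
    for i, (zero, one) in product(range(3), PATTERNS):
        for v, nv in ((zero, one), (one, zero)):
            tr.set_control(1, 1, 1, 0)
            tr.write(v)                             # REG 1..3 = v
            tr.set_control(*only(i), 0)
            tr.write(nv)                            # REG i = nv, vote still v
            tr.set_control(0, 0, 0, 1)              # correction on, all writes blocked
            tr.idle()                               # REG i should return to v
            tr.set_control(*only((i + 1) % 3), 0)
            tr.write(nv)                            # a second register = nv
            if tr.read() != v:                      # nv wins if REG i was never repaired
                return False
    return True


def run_bite(tr):
    """Built-in test: one verdict per mechanism, then back to normal operation."""
    result = {"writes_and_vote": check_writes_and_vote(tr),
              "self_correction": check_self_correction(tr)}
    tr.set_control(1, 1, 1, 1)
    return result


if __name__ == "__main__":
    cases = {"healthy": TripleRegister(),
             "REG 1 stuck at 0": TripleRegister(stuck={0: 0x0000}),
             "self-correction dead": TripleRegister(broken_auto=True),
             "voter = REG 1 AND REG 2": TripleRegister(vote=lambda a, b, c: a & b)}
    for name, tr in cases.items():
        print(f"{name:24s} {run_bite(tr)}")
```

Only the voter output is ever read, as in the real register: the checks work because blocking two of the three write paths lets a known disagreement be created, after which the vote reveals whether the copies that cannot be read directly hold what they should. The Gray-code walk rewrites a single register per step, so a register that stays at a constant value produces a wrong vote at the first combination where its copy is supposed to be in the majority.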
[0068] As has just been seen, the blocking test device according to the invention makes it easy to check that all of the write, majority-vote and self-correction operations are working correctly. It is however possible to increase the robustness of the triplication register further by securing the control and test register itself.
[0069] Triplication is also used for this purpose, but this time applied to the control register itself. This secure control register is shown in
[0070] The four control bits EN_1, EN_2, EN_3, and EN_AUTOCORRECT are triplicated, thereby making a total of 12 bits. They correspond to the bits numbered 0 to 11 in
[0071] The test device comprises a set of four secondary majority vote devices denoted VM1, VM2, VM3 and VM4 in
[0072] The results of the four majority votes control the triplication register and are also stored in the control register. Four additional bits are therefore necessary. These are the bits numbered from 12 to 15 in
[0073] By the same token, a single control register may be associated with several triplicated functional registers; there is no limit on the number of registers it may control.
[0074] The triplicated control register does not have a self-correction function, which makes testing it much easier. The absence of self-correction on the control register has no significant effect, for the two reasons described below.
[0075] The first reason is that two well-placed alterations, that is, alterations of two of the three copies of the same control bit, are needed for a control function to be altered; this is an exceptionally rare event.
[0076] The second reason is that altering a control function has no immediate impact: the functional register itself must also be altered, after the control register, for there to be any functional impact. These too are only very exceptional events.
[0077] If the self-correction control bit is altered, two well-placed bits of the functional register must then be altered after the control register is altered, for example two of the three triplicated copies of the same functional bit.
[0078] If an "EN" control bit is altered, the functional write operation is impaired because one of the three copies is potentially left holding a wrong value, but the majority vote still yields the correct value, and a further bit of the functional register must be altered for there to be an impact. This situation has an impact only if the events occur in the following order: double alteration of the control bit, then a functional write operation of a value different from the previous value on the bit in question, then an alteration of one of the two remaining copies of this bit during the single clock period before the self-correction repairs the unwritten copy. This situation is highly unlikely.
[0079] The absence of self-correction on the control register therefore does not introduce any significant risk.
[0080] A first example of chains of events that would be likely to cause a significant alteration of the register is described below:
[0081] First event: the bit EN0_0 (one of the three triplicated copies of EN_1) is altered. There is no impact, by virtue of the majority vote.
[0082] Second event: one of the two other copies, EN0_1 or EN0_2, is also altered. The vote of the three copies now blocks the write to REG 1, but the current value of REG 1 is not modified, so there is no functional impact. In the next functional write operation REG 1 is not written and is therefore potentially different from REG 2 and REG 3; there is still no functional impact, by virtue of the majority vote. In the following clock cycle, the self-correction updates REG 1 with the correct value, which thus appears in REG 1 with a delay of one clock period.
[0083] Third event: REG 2 or REG 3 is altered exactly during the clock period that follows the functional write operation. Two of the three registers then disagree with the written value, and there is a functional impact.
[0084] The cascade of these three events is highly unlikely and may be neglected. The absence of self-correction on the EN bits therefore does not constitute a risk.
[0085] A second example of chains of events that would be likely to cause a significant alteration of the register is described below:
[0086] First event: the bit AUTOCORRECT_0 is altered. There is no impact by virtue of the majority vote.
[0087] Second event: one of the two bits AUTOCORRECT_1 or AUTOCORRECT_2 is altered. The self-correction of the registers REG 1, REG 2 and REG 3 is blocked, but the current value of the registers is not modified. There is no functional impact.
[0088] Third event: one of the three registers REG 1, REG 2 or REG 3 is altered. There is still no functional impact, by virtue of the majority vote, but, with the self-correction blocked, the altered value is no longer repaired.
[0089] Fourth event: another of the three registers REG 1, REG 2 or REG 3 is altered in turn. A functional impact occurs.
[0090] Thus, even if two of the three bits AUTOCORRECT_0, AUTOCORRECT_1 and AUTOCORRECT_2 are altered, the probability of a functional consequence is extremely low: it requires four successive events, each of which is itself improbable.
[0091] The absence of self-correction on the AUTOCORRECT bits therefore does not constitute a risk.
[0092] To test that the triplication of the control bits and their majority vote are working correctly, it suffices to write all 2^12 = 4096 combinations of the twelve control bits and to reread the four majority-vote bits each time. This procedure covers both the majority vote and the control bits themselves, and detects a bit fixed at 0 or 1 by an electronics fault.
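As a further added example (again not the patent's own code), the following model covers the triplicated control register of [0070]-[0072] and the exhaustive test of [0092]: it writes all 4096 combinations of the twelve control copies, rereads the four secondary-vote bits, and also enumerates which double upsets of the copies can move a voted line, the "two well-placed alterations" of [0075]. The bit layout (copy g of function f at bit 4*g + f, VM1..VM4 read back at bits 12..15), the stuck-bit hook and every name are assumptions; the claims fix only the counts.

```python
"""Model of the triplicated control register ([0070]-[0072]) and its test ([0092]).
Added example, not the patent's own code.  The claims fix only the counts
(twelve control copies in three groups of four, voters VM1..VM4, four readback
bits, no self-correction); the layout used here, copy g of function f at bit
4*g + f and the VM outputs at bits 12..15, and all names are assumptions."""
from itertools import combinations

FUNCTIONS = ("EN_1", "EN_2", "EN_3", "EN_AUTOCORRECT")   # function index f = 0..3


def bit(word, n):
    return (word >> n) & 1


def expected_outputs(word):
    """Reference model of VM1..VM4: majority of the three copies of each function."""
    outs = 0
    for f in range(4):
        outs |= int(sum(bit(word, 4 * g + f) for g in range(3)) >= 2) << f
    return outs


class ControlRegister:
    """16-bit control register: bits 0..11 are written by software or BITE, bits
    12..15 are driven by VM1..VM4 from the stored copies.  `stuck` (assumption)
    models a bit fixed at 0 or 1 by an electronics fault, on any of the 16 bits."""

    def __init__(self, stuck=None):
        self.stuck = stuck or {}
        self.value = 0
        self.write(0)

    def _force(self, word):
        for n, v in self.stuck.items():
            word = (word & ~(1 << n)) | (v << n)
        return word

    def write(self, word):
        """Store the twelve copies, then let the four secondary voters re-vote."""
        copies = self._force(word & 0xFFF)
        self.value = self._force(copies | (expected_outputs(copies) << 12))

    def outputs(self):
        """The four voted lines (bits 12..15) that drive the triplication register."""
        return self.value >> 12


def exhaustive_test(cr):
    """[0092]: write each of the 2**12 combinations of the twelve control bits and
    reread the four vote bits; returns the first disagreeing word, or None."""
    for word in range(1 << 12):
        cr.write(word)
        if cr.outputs() != expected_outputs(word):
            return word
    return None


def single_upset_tolerance(cr, word):
    """Flip each of the twelve copies alone, starting from `word`: the voted
    lines must not move (first event of [0081] and [0086])."""
    cr.write(word)
    ref = cr.outputs()
    for n in range(12):
        cr.write(word ^ (1 << n))
        if cr.outputs() != ref:
            return False
    return True


def altering_double_upsets(word):
    """Pairs of flipped copies that do move a voted line: only pairs hitting two
    copies of the same function, the 'two well-placed alterations' of [0075]."""
    cr = ControlRegister()
    cr.write(word)
    ref = cr.outputs()
    hits = []
    for a, b in combinations(range(12), 2):
        cr.write(word ^ (1 << a) ^ (1 << b))
        if cr.outputs() != ref:
            hits.append((a, b, FUNCTIONS[a % 4]))
    return hits


if __name__ == "__main__":
    NORMAL = 0xFFF                                 # every copy at 1: normal operation
    print("healthy, first failing word:", exhaustive_test(ControlRegister()))
    print("bit 5 stuck at 0, first failing word:", exhaustive_test(ControlRegister(stuck={5: 0})))
    print("VM3 readback stuck at 1, first failing word:", exhaustive_test(ControlRegister(stuck={14: 1})))
    print("single upsets harmless:", single_upset_tolerance(ControlRegister(), NORMAL))
    print("altering double upsets:", altering_double_upsets(NORMAL))
```

Reading back only the four vote bits is enough: a copy stuck at one value is exposed by the combinations in which that copy should decide the vote, and a stuck readback bit is exposed at the first word whose reference vote differs from the stuck value. Of the 66 possible pairs of flipped copies, only the 12 that hit two copies of the same function change a voted line, which is the quantitative content of the "well-placed" qualifier in [0075].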
[0093] The triplication register device according to the invention has a security level sufficient for a DAL A-certified avionic system. It has the following advantages.
[0094] The device makes it possible to test 100% of the fault or error correction mechanism; the test coverage of the correction mechanism is exhaustive.
[0095] A single fault in, or a single alteration of, the test device does not cause erroneous functional data, and such a single fault may be detected before a multiple fault occurs.
[0096] The test device does not have any impact on the operational performance of the tested register.
[0097] The test device associated with each functional register is very easy to implement; it therefore does not impair reliability and consumes few resources of the electronic component that carries it.
[0098] The control register according to the invention may be shared among as many functional registers as desired, thereby minimizing the number of control registers.