CN102841828B - Fault detect in logical circuit and alleviating - Google Patents

Abstract

The present invention relates to fault detection and mitigation in logic circuits. The present invention is directed to a method of monitoring logic circuits for failure. Specifically, the method is directed to building parallel logic circuit cores in which faults are detected by comparing equivalent parallel paths at critical locations by a redundancy checker. Any mismatch will result in a predetermined fail-safe mode of operation. In addition, significant techniques are applied to ensure that each parallel path is exercised periodically, thereby verifying the parallel cores in a manner that does not interfere with any process being monitored or controlled. This feature is important in certain industries, such as the nuclear power industry, where safety-critical operations require a high reliability state for logic circuit blocks that may not be utilized very often.

Description

Fault Detection and Mitigation in Logic Circuits

Cross References to Related Applications

This application is a continuation-in-part of US Patent Application No. 12/026,703, filed February 6, 2008. The entire prior application is hereby incorporated by reference.

technical field

The present invention generally relates to a method for designing high integrity logic circuits. The present invention is particularly directed to safety-related control systems, including nuclear power plant reactor protection systems, where integrity and reliability are paramount. The present invention is particularly directed to implementing these methods in a logic device such as a PAL, CPLD, FPGA, ASIC, or GateArray, or in a combination of multiple logic devices. The logic device is usually mounted on a printed circuit board.

Background technique

Others have attempted to improve the reliability of mission-critical logic components in computerized systems. For example, US Patent 7,290,169 describes a core-level processor lockstep system in which two microprocessors operate in parallel and each provide an external output signal that is compared. Microprocessors are meant to operate in lockstep, that is, in a tightly coordinated manner so that their outputs will match in a reliable manner. In practical application, this method has many problems for safety-critical systems. It is difficult to keep the microprocessor completely in lockstep. There may be undiscovered faults in the system until the system is actually used.

US Patent 7,237,144 offers similar operational ideas and difficulties, but provides off-chip lockstep verification to combat "soft errors". It has the same difficulties just described.

US Patent 6,233,702 describes a complex multiprocessor system that uses hardware (e.g., fail-safe, employs redundancy) and software techniques (e.g., employs high data integrity hardware software recovery) to provide fault-tolerant data processing. Error checking explicitly avoids exploiting the redundancy of comparing critical data points between parallel processors, and instead only compares points operating at slower rates, such as at I/O points or in main memory. This design is overly complex and has problems related to unannounced errors that will be discussed shortly. It is a software-based system with issues that will also be briefly discussed.

US Patent 7,134,104 describes a method of improving fault tolerance in an FPGA by creating at least three parallel copies of a logic function, and then using a voting scheme to determine whether any particular copy is faulty. Although this approach generally improves fault tolerance, it is not a satisfactory solution for safety-critical environments, where it cannot be guaranteed that a majority vote will always be a failure-free outcome.

US Patent 5,144,230 describes a self-testing circuit by a method called cycle stealing. The output signal from the 'circuit under test' is tested by selectively applying a test input signal when the output signal is not required to perform its normal function. While this is a possible way to verify a processor, the test does not provide any protection against failures affecting the system in question. When parallel redundancy is used, a voter scheme is used to determine a failure-free outcome. These approaches are unacceptable for safety-critical environments where highly reliable systems are expected.

US application 2007/0022348 describes parallel lockstep cores which are similar to those already described in US7,290,169, except that intermediate values from the cores are also compared along with the outputs. However, this system has all the problems of keeping the two cores in lockstep. For example, when there is an error, the cache must be loaded into system memory to keep lockstep from occurring. The cache must be maintained and checked on an ongoing basis when there are system or programming changes. The system is also software-based.

There is a need in the art to provide a highly reliable system that is not a software based system. For example, in safety-critical systems, such as in nuclear power plant protection systems, it is not desirable to rely on executable software due to the nature of potential errors. Software has inherent operational problems that are difficult to solve. Even relatively simple systems require a significant amount of program code. Specifically, software microprocessor systems are subject to common mode failures where parallel redundant systems may fail simultaneously due to failure conditions.

Regardless of the redundancy that may be included within a software microprocessor system, failures may still occasionally affect sufficient redundant functions not to correctly pick up no-failure results, and the system will experience common mode failures. Common mode faults can be caused by a single fault or several faults. It is known that microprocessor based systems are susceptible to common mode failures when redundant copies of the software fail under the same failure. In particular, common mode faults make software microprocessor systems undesirable in power plant protection systems.

For the purposes of the present invention, the following definitions apply. A failure is the cessation of the ability to perform a required function. See also task glitch. A failure may not be reported and not detected until the next test, which is called an unannounced failure. They may be signaled and detected by any number of methods at the instant of occurrence, which is called a signaled fault. A task is a single goal, job, or purpose of an item or system. Task failure is the inability to perform a specified task within specified limits. A critical function is a function in a logic circuit that is required in order for it to perform its task.

In a safety-related control system, a high-integrity system will have two key characteristics:

1) It will perform its task when called. The task will typically be to actuate the field device when a predetermined set of input conditions occurs. In order to have a high degree of assurance that it will perform its task when invoked, unannounced failures must not exist in the system. Unannounced failures can cause the system to fail at the moment its task is invoked. This means that all faults must be detected and communicated.

2) Accidental actuation of the control system due to logic circuit failure must be avoided. These actuations cause the field devices to perform their safety functions, which are often costly. In order to do this, all faults must be isolated and suppressed before they reach the field device.

A common method for increasing the reliability and serviceability of logic circuits used in critical applications is to use triple or more mode redundancy (TMR). This is commonly used in nuclear, space and military applications. With TMR logic circuitry, fault tolerance is allowed by means of a majority voting scheme. If the majority of redundant logic circuits are not faulty, the system will perform its function. Unfortunately, if the majority is wrong compared to the minority, the system will use the error in its function.

If faults are allowed to accumulate in a TMR system, it can have catastrophic results. Specifically, if it is applied in a safety-critical application, the system may fail in its function to shut down the system or take appropriate corrective action to eliminate the problem before it becomes critical.

Faults in the TMR logic circuits can be detected by comparing outputs between redundant logic circuits. However, it cannot detect unannounced faults, that is, faults in logic circuits that do not cause an output change. Unannounced faults in the system are not discovered until specific logic functions are applied. That is, until a specific logical path is exploited.

Unannounced failures are particularly problematic in nuclear safety systems, which are often in a "wait" position, where no inputs or outputs change state. Safety systems may remain in this state for some time, allowing unannounced faults to accumulate. Unannounced failures may sit undetected for weeks, months, or even years.

Adding TMRs to the system inherently increases complexity which reduces overall reliability. Increased maintenance through added auxiliary logic and programming. Adding secondary redundant modules (4 or more) will improve protection against unannounced failures by reducing the probability of their accumulation and affecting the voting logic, but at the cost of proportionally lower reliability and increased complexity.

Contents of the invention

The present invention is directed to methods of creating high integrity logic circuits and monitoring them to verify their correct operation. Specifically, the method is directed to building parallel logic circuit cores in which faults are detected by comparing equivalent parallel paths at critical locations by a redundancy checker. Any mismatch will result in a predetermined fail-safe mode of operation. In addition, methods were developed to periodically exercise individual parallel paths to ensure that logic circuit paths are exercised in a manner that would expose unannounced faults while not interfering with any process being monitored or controlled.

Description of drawings

Figure 1 shows a schematic illustration of an implementation of two parallel cores utilizing a redundancy checker.

2 and 3 show another illustration of the implementation of two parallel cores utilizing a redundancy checker.

Figure 4 shows important details of the built-in self-test of the present invention.

detailed description

The main object of the present invention is to provide a highly reliable logic circuit which is guaranteed to perform the intended task when invoked.

Another object of the present invention is to provide a method for designing fail-safe logic circuits implemented within a single logic device such as a PAL, CPLD, ASIC, gate array, or FPGA. Alternatively and as such, the logic circuitry is implemented in a combination of multiple logic devices on a single printed circuit board (PCB). Alternatively and as such, they are implemented in combinations of multiple printed circuit boards with one or more logic devices such as PALs, CPLDs, FPGAs, ASICs, or gate arrays.

The present invention can incorporate redundancy and/or fault tolerance at the application level by having multiple parallel systems capable of performing tasks. One approach is to have two or more parallel systems capable of performing tasks. If one of these systems fails and goes into a fail-safe state, the other systems remain able to perform their tasks. Another way to improve integrity is to have three or more logic cores in parallel, where two are used to provide fail-safe operation and the third logic core is taken offline in test mode. The cores are then periodically cycled so that at least two cores are always online and one is always being tested. Optionally, a test plan is set up such that all cores are normally online, and periodically, one core is forced offline for testing.

Parallel logic cores are duplicated exactly, or they are similarly duplicated to perform the same task. In the latter case, the cores are heterogeneously replicated cores or parallel distinct cores.

The invention is suitable for industrial process monitoring and control. The present invention is particularly directed to safety-critical control systems, including nuclear power plant reactor protection systems, where reliability and integrity are paramount.

Any logic circuit is susceptible to errors such as:

1. Single event effects (SEE) caused by cosmic rays or high energy protons, single event upsets (SEUs) causing transient pulses in logic, bit flips in memory cells and registers, and single event lockouts (SELs).

2. Electrostatic discharge (ESD) and electrical overload (EOS).

3. Flicker cell decay/failure caused by device failure, device design failure, or overheating.

4. Manufacturing failures and/or aging-related failures, such as oxidation failures, metal layer failures, electromigration, wire bonding corrosion, contamination effects from moisture, or chemicals used in the process, etc.

In safety-critical systems, such as in nuclear power plants, the above items are gaining more and more attention and importance.

Common to all of the above faults is that they usually occur randomly in time and location, and typically affect only one or a small number of transistors. These errors can cause major problems.

The present invention describes a method for designing logic circuits in which failures are automatically detected and mitigated in such a way that other related systems are not adversely affected.

The present invention ensures minimal added complexity and increases overall reliability with minimal maintenance.

The invention can be combined with fault tolerance schemes.

One embodiment of the present invention is the combination of the following three technologies:

1. Use parallel redundant cores to ensure that all failures are immediately detected and isolated by the redundancy checker.

2. Use the built-in self-test engine to exercise key functions in the core to prevent unannounced failures. If the fault is not detected before actual use, the fault is an uninformed fault.

3. The parallel redundant core interface with external communication is inherently protected by:

a) Serial or parallel interfaces are protected by redundancy or cyclic redundancy check (CRC).

b) 'toggletest' for the input. Toggle testing is a way to ensure that input circuits and their connections are functioning. This testing typically involves disconnecting the input from the source device and applying a test input signal to the logic circuit. If the input reflects the test input, it can be determined that the input circuit is functioning.

c) Independent readback of output. This is an independent method of checking the state of the output by including feedback to the input. An example would be by verifying that a relay is in fact actuated when requested by driving an input using a spare contact on the relay. To verify in this manner, various other analog and digital outputs can be wired in series or in parallel to the input.

In a preferred embodiment of the present invention, a built-in self-test (BIST) structure is placed on the programmable logic device and its functions are performed in a manner that does not affect the output of the logic circuit. An important feature of BIST is to expose any unannounced faults in parallel cores. BIST has the following important functions:

1. The BIST engine tests the parallel cores by applying pseudo-random input stimuli.

2. The BIST engine tests the parallel cores by imposing a planned or programmed sequence of input stimuli.

3. It tests all state transitions and output combinations.

4. It tests the ability of the parallel cores to perform their tasks.

5. It accomplishes any single or combination of the above.

Additionally, in one embodiment, BIST tests the parallel cores by:

1. Monitor critical internal states from the core.

2. Monitor critical output from the core.

3. Test the two redundant cores against each other by comparing at selected locations.

4. 'Accumulate' the internal state from each parallel core into a checksum.

5. 'Accumulate' the output responses from each parallel core into a checksum.

6. It does any single or combination of the above.

In the important embodiment, the test method by which BIST verifies the parallel core is:

1. Put one of the parallel cores in test mode so that it does not affect the state of any input or output,

2. Disable the redundancy checker for the core being tested,

3. Applying a predetermined set of inputs to at least one input or internal state in the core being tested as previously described.

4. Verify core response to input by monitoring internal state changes and core output against a checksum, or against a predetermined pattern.

5. Restore the core and disabled redundancy checkers to normal operation.

Another example test method by which BIST verifies parallel cores is:

1. Put the logic circuit into a test mode where the state of any output is not affected.

2. Apply the same set of predetermined inputs to all parallel cores, as previously described,

3. The responses of all parallel cores are checked by the redundancy checker.

In a preferred embodiment, multiple barriers are present to ensure that the logic cannot continue to operate after a redundant error occurs. In a power plant protection environment, a fail-safe signal is sent to all affected parallel cores to stop all operations. All properly functioning cores will obey this signal and stop operating. One of the parallel cores that caused the condition's mismatch may not be able to honor the signal for the same reason that caused the error. To fix this:

1. Structure communications with other systems in such a way that parallel cores must match in order to succeed. In this way, the failed logic cannot pass erroneous data to unaffected/related systems. This is done as follows:

a) AND or OR gates of communicated data to intentionally create invalid CRC checksums.

b) AND gate ON (pass) communication data output enabled. This prevents data from being transmitted.

The preferred embodiment of the present invention utilizes an FPGA to implement the basic control functions. In other embodiments, alternatives to FPGAs are used, including ASICs (Application Specific Integrated Circuits), CPLDs (Complex Programmable Logic Devices), Gate Arrays, and PALs (Programmable Array Logic). These devices are generally referred to as programmable logic devices, complex logic devices, or logic devices. All of these means can be utilized by appropriate programming to operate without the use of executable software. Systems managed by these devices can be described as hardware-based systems.

Logic devices are programmed with logic that is customizable based on the requirements of a given application and contains any type of digital building block typically including: AND gates, OR gates, XOR (exclusive) gates, trigger Devices (D, JK, SR), counters, timers, multipliers, and finite state machines (FSM). When properly programmed, logic devices will behave in a highly predictable, substantially deterministic manner.

In important embodiments, logic circuits are described at a register-transfer level comprising a hardware description language such as Verilog or VHDL, and schematic capture. The entire logic circuit, or critical functions of the logic circuit, is duplicated by redundant cores. The inputs to the core are designed in such a way that the inputs are guaranteed to be transferred to the internal core registers without errors.

Logic circuits will receive external inputs. Inputs to logic circuits may include any of the following: serial interfaces protected with redundancy, discrete inputs, or digitized analog values. Critical inputs are guaranteed by redundancy testing, XOR flip testing, CRC and/or external loopback testing. Any input testing is performed in a manner that does not affect the input data. Typical input circuits include: bus communication circuits (serial or parallel), digital channels (serial or parallel), communication circuits (serial or parallel), digital circuits (serial or parallel), and digitized analog circuits.

The output from the parallel cores is designed in such a way that the output is guaranteed to work. This guarantee comes from redundancy testing, XOR flip testing, CRC and/or external loopback testing. The external loopback test is an independent verification of the output signal by routing the output signal back to the input. The output signal is then compared to the actual measured value. Typical output circuits include: bus communication circuits (serial or parallel), digital channels (serial or parallel), communication circuits (serial or parallel), digital circuits (serial or parallel), and digitized analog circuits.

I/O from logic circuits typically includes the following important features:

1. Serial or parallel interface protected with redundancy.

2. The serial or parallel interface from the redundant core is ANDed or ORed by the redundancy checker in the CRC to ensure that when a failure occurs due to a CRC failure in the communication, all communication to other systems will stop .

3. Input from discrete input.

4. Discrete outputs, which can drive relays, solid state relays, field components, or other system inputs.

5. Key outputs are tested by means such as

a) means ensured by redundancy,

b) XOR flip test,

c) CRC, and

d) External loopback test.

Output testing is performed in a manner that does not cause undesired field actuation.

In a preferred embodiment, BIST is implemented as follows:

1. It is designed to use key functions, such as traversing all states in a finite state machine, or only a specific set of states.

2. Identify and test critical functions of logic circuits for satisfactory operation. This can include all functions of the circuit.

3. Inject the test input signal in such a way that there are no stuck-at faults in the logic circuit.

4. Designed in such a way as not to affect the output. This can be done by:

a) freeze the output during the test, or

b) The test is performed in the period in which the output is not updated.

5. Verify the operation of the logic circuit by:

a) Causes the BIST engine to verify functionality by monitoring internal states, which are key or registered values also called key states in the core, and core outputs. A compressed form of data can be used to simplify core output or internal state conditioning based on BIST input stimuli.

b) Have multiple BIST engines run synchronization routines between redundant cores. In this case, the BIST engine does not need to verify the output. This will be done by a redundancy checker that can compare the two cores at critical points, or compare the outputs of the two cores for matching.

6. Upon completion of the BIST, restore the logic circuit to its proper state. That is, restore any parallel cores being tested to normal operation.

In a preferred embodiment, redundancy checker logic is used to determine if the logic is faulty and place the logic in a fail-safe state. The redundancy checker monitors critical redundancy checkpoints in the logic circuit structure, that is, signals from specific circuits from each of the redundant logic cores are wired to the redundancy checker on the logic circuit. The redundancy checker then looks for differences between the two cores by comparing the two signals from each of the redundant cores for an exact match. If the values do not match, a redundancy failure (ie error) has been detected. Additionally, the redundancy checker is implemented by comparing critical signals (ie, critical data), which preferably include both critical internal states and outputs.

In a preferred embodiment, and because the system is hardware based, there should be no mismatch between parallel redundant cores. They receive the same input at the exact same moment, and the cores will operate in full synchronization.

By monitoring the internal state and outputs from each redundant core, the redundancy checker will immediately detect a state change of a critical function, such as an unexpected actuation signal due to a core failure. Without the redundancy checker mitigating the fault and forcing the logic into a fail-safe state, the fault can propagate to related systems and cause undesired equipment transients.

In a preferred embodiment, the key functions of the logic circuit monitored by the redundancy checker include: logic decision, limit check, state machine, detection logic, and control logic.

In another important embodiment of the invention, the parallel cores are not exactly replicated. That is, parallel cores perform the same task or function but are different in design. Cores are said to be parallel distinct cores. Dissimilarity can be created by how programs are physically placed within the FPGA, for example by changing how interconnect resources are used, or by minor programming differences between programmers given the same job task. The dissimilarity can be very large if different logic devices are used in the implementation, such as different FPGA vendors or use of microprocessors that execute portions of the logic.

Dissimilarity is a very important operational security feature that ensures that programming errors will not affect the overall security of the operation. Two, three, or more cores can be independently programmed by two or more programmers. To enhance the diversity, different programmers are assigned to take different approaches, even with respect to fairly straightforward programming tasks. Methods to ensure dissimilarity or different implementations include distinct state encodings, "onehot" vs. "Grey codes", with or without hierarchical optimization, with or without planarization, and on complex logic devices How to lay out the program.

Where parallel distinct cores are utilized, the redundancy checker compares values from selected points within the core, values from output points, or both.

In one embodiment of the invention, dissimilarity can be extended to include the use of a microprocessor with executable software paralleled to an FPGA-based system without executable software. For example, one parallel core may be implemented in a logic device and another parallel core may be implemented in a software-based processor device. A redundancy checker is then used to look at the output from both cores to monitor for mismatches.

In the case of software-based parallel cores, built-in self-tests would include features that ensure correct operation and detection of unannounced failures through the use of a combination of monitors, run-time assertions, and self-tests. In a preferred embodiment, a software-based BIST would be designed, by using techniques already described, such as exercising key functions, injecting test input signals, freezing outputs during testing, performing tests during periods in which outputs are not updated, Processors are tested to verify the operation of the processor, and to verify functionality by monitoring key values or registers. Upon completion of the BIST, the processor is restored to its proper state.

Figure 1 shows a schematic illustration of an implementation of two parallel cores utilizing a redundancy checker. A first CORE (core) A 101 and a second CORE B 102 are parallel and redundant representations of logic circuits. The already described REDUNDANCYCHECKER (redundancy checker) circuit 103 is used to check the integrity operation of the core. BIST 104, 105 are represented as part of each of the core structures, but may alternatively and likewise be represented separately. The entire logic circuit structure is within a single FPGA 106 or other logic device. Alternatively, logic circuits may be placed on multiple logic devices. The same input is received by COREA and COREB, and their output is monitored by REDUNDANCYCHECKER for an exact match. Outputs from the two cores, and fail-safe signals from the REDUNDANCYCHECKER are output from the FPGA. An output failsafe gate is used, but not shown in Figure 1. This feature is depicted in FIG. 2 .

Figure 2 shows the implementation of two parallel cores using another embodiment of a redundancy checker. Two parallel redundant cores 215, 225 are used to implement logic circuits. Additional details of the redundant core are shown, including: input registers 210, 220, output registers 211, 221, and built-in self-test (BIST) features 214, 224. The redundancy checker 205 is used for reliability and error checking and activates the fail-safe mode 203 . Part of the redundant core are key functions 212, 222 where there are key state 213, 223 variables or information. This information is used for error checking by redundancy checker 205, as indicated.

Input 201 flows into parallel input registers 210,220. The inputs are used by logic circuits designed according to the system and the output registers 211, 221 are updated. The core output then flows from the output register through output failsafe gate 204 where it is then combined and becomes output 202 for the system. This is GateON communication data output enable. This prevents data transmission when there is a redundancy checker that has detected a failure. When an error is detected, the output fail-safe 203 is activated by the redundancy checker 205 to alert the system. Failsafe could be a relay contact closure, an alarm, or some kind of communication. The entire logic circuit 200 resides on a single logic device, such as a PAL, CPLD, FPGA, ASIC, or gate array. Alternatively, logic circuits may be placed on multiple logic devices.

FIG. 2 is another embodiment of a redundancy checker similar to FIG. 1 . In FIG. 2, the redundancy checker additionally utilizes key states (ie, values) within each redundant core for comparison. This auxiliary information is used to quickly uncover unannounced faults.

BIST in this case is monitoring redundant cores in self-test.

Similarly, Fig. 3 shows another embodiment of a redundancy checker. Two parallel redundant cores 315 , 325 are used to implement logic circuits utilizing: input registers 310 , 320 , output registers 311 , 321 and built-in self-test (BIST) features 314 , 324 . Redundancy checker 305 is used for reliability and error checking and activates fail-safe mode 303 . Part of the redundant core are key functions 312, 322 where there are key state 313, 323 variables or information. This information is used for error checking by redundancy checker 305, as indicated.

Similarly, input 301 flows into parallel input registers 310, 320 as before. The inputs are used by logic circuits designed according to the system and the output registers 311, 321 are updated. The core output then flows from the output register through output failsafe gate 304 where it is then combined and becomes output 302 for the system. When an error is detected, output fail-safe 303 is activated by redundancy checker 305 to alert the system. The entire logic circuit 300 resides on a single logic device. Alternatively, logic circuits may be placed on multiple logic devices.

The BIST in this case additionally uses key status and output registers in the self-test.

FIG. 4 shows important details of a typical built-in self-test (BIST) 314 . In this case, FIG. 4 is an additional detail from FIG. 3 . Output register values from redundant core 315 and critical state 313 are input to output check routine 401 , which goes to BIST finite state machine (FSM) 402 . BIST is controlled by FSM. When activated by an operator, timer, or event, the BIST will generate input stimuli, either as a random sequence or as a programmed sequence 403 to the input register 310 . BIST monitors redundant cores, redundant core outputs, and critical states to verify correct operation. The verification includes comparing against a stored baseline, comparing against another redundant core, or generating a checksum of the monitoring output and verifying the checksum against a baseline checksum.

A preferred embodiment of the invention implements BIST during normal operation of the logic circuit. That is, the BIST is activated while the logic circuit is performing its task. This is done without affecting other systems or outputs by methods including:

1. Freeze output during testing.

2. Execute the test during periods in which the output is not updated.

3. Put one of the parallel cores in dedicated test mode; isolate it so that it does not affect the state of any input or output; and disable the redundancy checker associated with the core being tested.

A typical task for logic circuits is to provide processing functions between inputs and outputs according to the design. Design can be one of a readiness state, or a safety-related function such as in a plant protection system. If design is process control, it can be more involved.

Logic circuit tasks may also include interfacing with control circuits. These control circuits include external logic, decision, detection, and control circuits. These circuits are common in process control and safety-related equipment determination. They may be binary (on/off) type circuits, or they may be associated control circuits including sensors, switches, process controllers, and actuators. They can be part of relay based systems and interfaces to other computerized systems.

In another embodiment of the invention, the redundancy checker is not arranged on the logic device in which the parallel cores are arranged. The redundancy checker is independently arranged on another logical device. It is then connected by a communication path to the output of the core to provide redundancy checks. The redundancy checker then operates as described in Figures 1-3, by providing fail-safe signals, etc.

In a preferred embodiment, the present invention is based on a hardware platform rather than a software based microprocessor system. In a significant departure from software-based microprocessor system architectures, the executable software, and problems associated with software-based microprocessor systems, such as software common-mode faults, are eliminated by implementing logic circuits in logic devices. It provides a highly reliable system suitable for safety-critical control systems, including reactor protection systems in nuclear power plants.

While various embodiments of the invention have been described, it will occur to those skilled in the art to modify and adapt the invention for various methods of operation. Therefore, the present invention is not limited to the description and drawings shown here, and includes all such embodiments, changes, and modifications encompassed by the scope of the claims.

Claims (3)

1. a high integrality logical circuit (200), comprising:

A. many parallel cores (215,225), wherein, described parallel core for implementing the key function of described logical circuit,

B. wherein, described parallel core (215,225) is redundancy or different,

C. redundancy checker (205), wherein, described redundancy checker is used for:

I. check the input (201) of the first parallel core (215) and the multiple values (213) in exporting between (202) the first parallel core (215) whether and the second parallel core (225) input (201) and export multiple values (223) that second between (202) walk abreast in core (225) and match, and

Ii. according to preassigned, described logical circuit (200) is activated to fail-safety state (203),

D. wherein, described logical circuit (200) is connected with multiple input (201) and multiple output (202),

E. wherein, described logical circuit performs the task relevant with described output (202) to described input (201), and wherein said task is safety-critical function,

F. wherein, protect by from comprising at least one of selecting in following group in described logical circuit (200) and the communication between described input (201) and described output (202):

I. redundancy,

Ii. cyclic redundancy check (CRC),

Iii. for the Turnover testing of described input, and

Reading back iv. for described output,

G. Built-in Self Test (BIST214, BIST224), wherein, described Built-in Self Test for exposing arbitrary described Parallel Kernel fault of not informing in the heart,

H., wherein, while described logical circuit (200) performs described task, described Built-in Self Test (BIST214, BIST224) regularly or is continuously performed,

I. wherein, the described key function (212,222) of described logical circuit (200) is implemented substantially at least one logical unit (215,225), and

J. wherein, at least one logical unit described (215,225) be implemented to avoid use can executive software.

2. high integrality logical circuit (200) according to claim 1, wherein, described redundancy checker (205) is disposed in from described parallel core (215,225) on the logical unit of separation, wherein said redundancy checker is connected to described parallel core by the communication path to the output of described parallel core, or described redundancy checker is disposed on the resident same logical unit of wherein said Parallel Kernel in the heart at least one.

3. high integrality logical circuit (200) according to claim 1, multiple values (213 wherein in the first parallel core (215) and in the second parallel core (225), 223) be described logical circuit key function (212,222) state change.