A MONITORING UNIT AS WELL AS METHOD FOR PREDICTING ABNORMAL OPERATION OF TIME-TRIGGERED COMPUTER SYSTEMS
The invention relates to a time-triggered computer system (800) that involves [i] a Main Processor (801) that has been designed to run one or more tasks according to one or more predetermined task schedules, only one of which, the “active task schedule”, will be active at any point in time; [ii] a Monitor Processor (802) that has been designed to determine whether the Main Processor (801) is about to execute a task that is not in accordance with the active task schedule; [iii] a Communication Link (803) for passing information about future task executions between the Main Processor (801) and the Monitor Processor (802); and [iv] a Control Mechanism (comprising a System Control output (805), and/or a Communication Link B (806), and/or a Reset Link (807)) by means of which the Monitor Processor can halt or reset the Main Processor and take other corrective actions involving devices to which the computer system is connected, if the Monitor Processor determines that the Main Processor is about to execute a task that is not in accordance with the active schedule.
The present invention relates to an apparatus and a method which provides improved reliability and security for computer systems. In particular, the present invention relates to a monitoring unit for predicting abnormal operation of a time-triggered computer system, and a method of providing such a monitoring unit.
BACKGROUND TO THE INVENTIONA computer system is usually comprised of one or more “Commercial Off The Shelf” (COTS) processors—for example, microcontrollers or microprocessors—and some software that will execute on such processor(s): this software may be created, for example, using a programming language such as ‘C’ or Ada.
In many cases, processors are “embedded” inside larger systems, including cars, aircraft, industrial and agricultural machinery, medical equipment, white and brown goods and even in toys. It is estimated that people in the developed world encounter around 300 of such “embedded systems” every day while going about their normal activities.
Other related uses of computer systems include real-time “desktop” applications, such as air-traffic control and traffic management.
When creating such computer systems, developers must choose an appropriate system architecture. One such architecture is a “time-triggered” (TT) architecture. Implementation of a TT architecture will typically involve use of a single interrupt that is linked to the periodic overflow of a timer. This interrupt may drive a task scheduler (a simple form of “operating system”). The scheduler will—in turn—begin the execution of the system tasks (a process sometimes called “releasing” the tasks, “triggering” the tasks or “running” the tasks) at predetermined points in time. The tasks themselves are typically named blocks of program code that perform a particular activity (for example, a task may check to see if a switch has been pressed): tasks are often implemented as functions in programming languages such as ‘C’.
This type of TT design can offer very predictable system behaviour, making it comparatively easy to test and verify the correct operation of real-time computer systems that are based on such an architecture: this is the main reason why TT designs are often used in safety-critical systems, high-integrity systems and in other products where system reliability and/or security are important design considerations.
Whatever system architecture is employed, it is very often important to try and ensure that the computer system functions correctly in the event that accidental errors (such as hardware failure and software errors that might be caused by electromagnetic interference—EMI—or radiation-related errors) or malicious errors (for example as may be caused by deliberate attempts to effect behavioural changes in either the processor or software, including—for example—the use of computer “viruses”) occur. It is also generally accepted that—as computer systems become larger—it is inevitable that there will be some residual errors in the software in many systems that have been released into the field: it is clearly desirable that the system should not operate dangerously in the event of such residual errors.
It may be felt that the use of a “lockstep” processor (see, for example, Reference 1) offers a solution to the problems identified above. Lockstep designs typically involve two (sometimes more) processors that execute the same program code on two different processor units, with various forms of cross-checking (to detect errors). In most (but not all) cases, the lockstep solution will involve two or more processor units in close proximity: this gives rise to concerns about common-mode faults: for example, physical damage, vibration, humidity or radiation sources may have a similar impact on all processor units, causing errors to go undetected. If we can avoid such common-mode failures, lockstep processors may allow us to detect the impact of some errors (including, potentially, the impact of EMI), but they provide little or no protection against programming errors (including residual errors), or program changes (caused, for example, by viruses or deliberate tampering).
In addition to the use of lockstep processors, other techniques for detecting errors of the type outlined above have also been described previously. These include what is sometimes called “program flow monitoring” (PFM) techniques (see, for example, Reference 2). PFM typically involves hardware- or software based techniques for detecting deviations from normal system behaviour (for example, by monitoring bus activity and/or memory accesses and looking for changes in the “normal” signature). Another well-known way in which the impact of the above errors on computer systems can be detected is through the use of mechanisms such as “watchdog” timers (see, for example, Reference 3). Such watchdogs typically enforce a system halt or reset if they are not “fed” at the required frequency (and it is assumed—often implicitly—that system errors will interfere with this feeding process).
Overall, while use of lockstep processor architectures, and/or PFM and/or a watchdog timer may help to improve the reliability of a given system, such approaches will—in general—only confer an ability to respond to changes in the behaviour of systems that result from errors. By the time such changes are significant enough to be detected, a great deal of damage may already have been done.
For example, consider that we have detected an error in the braking system of a passenger car: if the driver is already applying the brakes in an emergency situation when we detect the error, the error-detection mechanism is of little value. Late detection of errors in aerospace systems, industrial systems, defence systems, medical systems, financial systems or even household goods may also result in injury, loss of human life and/or very significant financial losses.
It is therefore an object of embodiments of the present invention to improve the reliability and security of time-triggered computer systems by detecting errors before they result in serious consequences.
SUMMARY OF THE INVENTIONAccording to a first aspect of the present invention, there is provided a time-triggered computer system comprising:
-
- a Main Processor adapted to execute one or more tasks according to one or more predetermined task schedules, only one of which, an active task schedule, will be active at any point in time; and
- a Monitor Processor adapted to determine whether the Main Processor is about to execute a task that is not in accordance with the active task schedule; and
- a Communication Link for passing information about future task executions between the Main Processor and the Monitor Processor; and
- a Control Mechanism by means of which the Monitor Processor can halt or reset the Main Processor and take other corrective actions involving devices to which the computer system is connected, if the Monitor Processor determines that the Main Processor is about to execute a task that is not in accordance with the active task schedule.
In accordance with this aspect of the invention, a computer system is provided that executes scheduled tasks with a reduced likelihood of a critical failure.
The computer system is arranged to execute tasks in accordance with one or more predetermined task schedules. The task schedules determine the order in which tasks are executed and specify whether or not specific tasks are allowed to interrupt other tasks. The tasks are executed on the Main Processor.
Typically during operation, there is only ever one predetermined task schedule active at any particular point in time (that is, the “active task schedule”).
Occasionally, due to programming errors, hardware defects or other unforeseen events, computer systems may execute the wrong task during the execution of a program. In certain applications this may result in a critical failure of the system as the Main Processor ceases to function predictably or ceases to function altogether. Depending on the application of the computer system, this could lead to highly undesirable consequences such as danger to life (for example in aviation control systems) or exposure to financial losses (for example in financial trading applications).
Unlike conventional systems, in accordance with this aspect of the invention, the computer system is provided with a Monitor Processor.
The Monitor Processor is arranged to obtain information from the Main Processor about at least some of the tasks that the Main Processor plans to execute, before the tasks concerned are executed. This enables the Monitor Processor to determine in advance whether the Main Processor is about to execute a critical task that is not in accordance with the active task schedule. This provides the Monitor Processor with an opportunity to take appropriate corrective action, by virtue of a Control Mechanism, before the Main Processor executes a task that is not in accordance with the active task schedule. Such corrective action may—for example—include halting the Main Processor: when the Main Processor halts, this means that it will stop operating and will remain in a fixed state, typically until outside intervention occurs (for example, intervention by a trained operator). Alternatively, such corrective action may—for example—include resetting the Main Processor: when the Main Processor resets, this means that it will begin its operations again, from a known initial state. Further alternatively, such corrective action may include disabling devices that are under the control of the Main Processor: for example, this might mean removing power from a medical device that is being controlled by the Main Processor, thereby preventing harm to a patient.
The Main Processor and the Monitor Processor may each comprise one or more “soft” or “hard” processor cores (that execute some software) and/or one or more hardware cores (that do not execute any software).
Optionally, the Main Processor and the Monitor Processor will both be implemented by means of a single processor chip, such as a commercial-off-the-shelf (COTS) microcontroller or microprocessor, Digital Signal Processor (DSP), Field-Programmable Gate Array (FPGA), Application Specific Integrated Circuit (ASIC) or similar device.
Preferably, the Main Processor and the Monitor Processor will be implemented by means of separate processor chips.
Preferably, the Main Processor and the Monitor Processor will be physically separated.
Preferably, the Main Processor will comprise a time-triggered scheduler.
Optionally, the Main Processor will comprise a time triggered cooperative (TTC) scheduler or a time triggered hybrid (TTH) scheduler.
Optionally, one or more of the tasks executing on the Main Processor will have been “balanced”, to ensure that the task execution time is approximately the same every time the task is executed.
Preferably, the Monitor Processor will have access to at least one predetermined Task Sequence Representation, this Task Sequence Representation having been determined and stored at a time before the computer system begins to operate.
Optionally, the Monitor Processor will create one or more Task Sequence Representations during the system operation.
Optionally, the Monitor Processor will create one or more Task Sequence Representations during the system operation by recording the task sequence from the Main Processor at points during the system operation.
Alternatively, the Monitor Processor will create one or more Task Sequence Representations during the system operation by running a scheduling algorithm on the Monitor Processor that is similar to the scheduling algorithm that is running on the Main Processor.
Optionally, each Task Sequence Representation will be stored in one or more data-storage devices.
Optionally, there will be two or more copies of one or more stored Task Sequence Representations, these copies being held in one or more data-storage devices.
Optionally, the Monitor Processor will not process information about the next task to be executed for every task in the active task schedule.
Optionally, the Communication Link will comprise a peer-to-peer connection based on a standard serial protocol (such as RS-485, RS-422, RS-232, Controller Area Network, SPI, I2C or similar).
Optionally, the Control Mechanism will comprise a System Control output and/or a Reset Link, and/or a Communication Link B.
Optionally, the System Control output will comprise one or more output pins on the Monitor Processor, and such pins may be further connected to one or more electromechanical relays or other actuators or similar devices. The intention is that—through this interface—the Monitor Processor is able to control one or more devices that are external to the computer system, if the Monitor Processor determines that the Main Processor is about to execute a task that is not in accordance with the active task schedule.
Optionally, the System Control output will further comprise a means of shutting down or disabling the computer system itself.
Optionally, the Reset Link will comprise a connection between an output pin on the Monitor Processor and a reset pin on the Main Processor.
Optionally, Communication Link B will comprise a peer-to-peer connection based on a standard serial protocol (such as RS-485, RS-422, RS-232, Controller Area Network, SPI, I2C or similar).
Optionally, the Monitor Processor will employ Communication Link B to inform the Main Processor whether or not the task execution that the Main Processor is about to perform is in accordance with the active task schedule.
Optionally, the Monitor Processor will employ Communication Link B to provide information to the Main Processor when the Main Processor is being configured after a reset.
Optionally, the Monitor Processor will, by meals of the Control Mechanism, cause the Main Processor to halt or reset, in situations where the Monitor Processor determines that the Main Processor is about to run a task that is not in accordance with the active task schedule.
Optionally, the process of halting the Main Processor in situations where the Monitor Processor determines that the Main Processor is about to run a task that is not in accordance with the active task schedule will further comprise an attempt to place the Main Processor into a safe state prior to halting the Main Processor.
Optionally, the Monitor Processor will signal an alarm if it determines that the Main Processor is about to execute a task that is not in accordance with the active task schedule.
Optionally, the Monitor Processor will log an error if it determines that the Main Processor is about to execute a task that is not in accordance with the active task schedule.
Optionally, the computer system will have a System Reset input, the use of which will cause the Main Processor to re-start its operations from a known initial state.
Optionally, the computer system will have a System Halt input, the use of which will cause the system to stop operating.
According to a second aspect of the present invention, there is provided a time-triggered computer system comprising a processor for running:
-
- a Main Process adapted to execute one or more tasks according to one or more predetermined task schedules, only one of which, an active task schedule, will be active at any point in time; and
- a Monitor Process adapted to determine whether the Main Processor is about to execute a task that is not in accordance with the active task schedule; and
- a Communication Link for passing information about future task executions between the Main Process and the Monitor Process; and
- a Control Mechanism by means of which the Monitor Process can halt or reset the Main Process and take other corrective actions involving devices to which the computer system is connected, if the Monitor Process determines that the Main Process is about to execute a task that is not in accordance with the active task schedule.
According to a third aspect of the present invention, there is provided a method of controlling a time-triggered computer system that has been adapted to execute one or more tasks according to one or more predetermined task schedules, only one of which, an active task schedule, will be active at any point in time, the method comprising the steps of:
-
- determining whether a task is about to be executed that is not in accordance with the active task schedule; and
- controlling the execution of the one or more tasks, if it is determined that a task is about to be executed that is not in accordance with the active task schedule; and
- controlling the operation of the one or more devices to which the computer system is connected, if it is determined that a task is about to be executed that is not in accordance with the active task schedule.
In accordance with this third aspect of the invention, a method for controlling the execution of the one or more tasks may comprise halting, or restarting, or replacing the one or more tasks.
In accordance with this third aspect of the invention, the method may further comprise creating and storing one or more Task Sequence Representations, the Task Sequence Representations being determined by observing the operation of the system at points during the system operation.
In accordance with this third aspect of the invention, a method for controlling the operation of the one or more devices may comprise shutting down, disabling, enabling or configuring the one or more devices.
In accordance with this third aspect of the invention, a method for controlling the operation of the one or more devices may further comprise shutting down or disabling the computer system itself.
According to a fourth aspect of the present invention, there is provided a computer program product containing one or more sequences of machine-readable instructions, the instructions being adapted to cause one or more processors to provide a processing system according to the first aspect.
According to a fifth aspect of the present invention, there is provided a computer program product containing one or more sequences of machine-readable instructions, the instructions being adapted to cause one or more processors to provide a processing system according to the second aspect.
According to a sixth aspect of the present invention, there is provided a computer program product containing one or more sequences of machine-readable instructions, the instructions being adapted to cause one or more processors to provide a processing system according to the third aspect.
The present invention will now be described by way of example only and with reference to the accompanying figures in which:
We begin by describing some existing techniques that are employed to create computer systems that execute tasks according to a predetermined task schedule. We then go on to describe how the present invention can be used to improve the reliability and security of such computer systems.
Computer systems that execute tasks according to a predetermined task schedule are sometimes referred to as time-triggered (TT) systems. TT systems are typically (but not necessarily) implemented using a design based on a single interrupt linked to the periodic overflow of a timer.
For example,
In
In
In many designs, such a task sequence will be determined at design time (to meet the system requirements) and will be repeated “forever” when the system runs (until an error occurs, or the system is halted or powered down).
Sometimes it is helpful (for example, during the design process) to think of this task sequence as a “Tick List”: such a list lays out which task will execute in each system “Tick”, and the order in which these executions will occur.
For example, the Tick List corresponding to the task set shown in
[Tick 0]
Task A
Task C
[Tick 1]
Task B
Task D
Once the system reaches the end of the Tick List, it starts again at the beginning.
It should be made clear that the Timer Ticks need not be periodic in such systems. For example,
[Tick 0, t=0 ms]
Task P
[Tick 1, t=3 ms]
Task Q
[Tick 2, t=11 ms]
Task R
[Tick 3, t=17 ms]
Task S
[Tick 4, t=19 ms]
Task T
In
Note that implementation of TTC designs need not involve the use of interrupts at all. For example, we could execute the set of tasks shown in
Task A
Task C
[Delay]
Task B
Task D
[Delay]
Again, the above sequence would repeat “forever”. This type of solution is sometimes called a “Super Loop”. In general, control of the task timing is less precise in Super Loop systems than for those involving interrupts, but—for TTC designs with what is sometimes called “soft” timing constraints—use of a Super Loop may be appropriate.
Other popular TT designs involve the use of task pre-emption, where a high-priority task can interrupt (pre-empt) a lower-priority task while it (that is, the lower-priority task) is running. For example, the upper diagram 301 in
Implementation of TTH designs will generally involve the use of interrupts.
The task sequence for the task set shown in the upper diagram 301 in
For any set of periodic tasks, the cycle of task executions will always repeat, after an interval known as the hyperperiod (or “major cycle”). The length of the hyperperiod can be determined by calculating the “lowest common multiple” (LCM) of the periods of all tasks in the set.
For example, suppose that we have a set of two tasks, with periods of 4 ms and 5 ms.
The multiples of 4 are: 4, 8, 12, 15, 20, 24 . . .
The multiples of 5 are: 5, 10, 15, 20, 25 . . .
The lowest common multiple (and the length of the hyperperiod) is 20 ms.
Where a set of periodic tasks is asynchronous, there is a delay (or offset) before one or more tasks runs for the first time. This is the case—for example—in the task set shown 100 in
When a set of asynchronous periodic tasks runs, there may be an initial period during which the task sequence is not the same as the task sequence when the system is in a “steady state”. We refer to this initial period as the Task Sequence Initialisation Period.
Reference 4 demonstrates that—if required—the length of this Task Sequence Initialisation Period can be calculated by: (longest task offset)+2*(length of hyperperiod).
For example, for the following set of tasks:
Task_A: Period=5 ms, Offset=0 ms
Task_B: Period=10 ms, Offset=1 ms
Task_C: Period=25 ms, Offset=2 ms
Task_D: Period=25 ms, Offset=3 ms
Task E: Period=50 ms, Offset=4 ms
The length of the hyperperiod is 50 ms.
The length of the Task Sequence Initialisation Period is 104 ms.
Where a set of periodic tasks is synchronous, all tasks execute for the first time in the first Tick.
Both TTC and TTH designs (as well as other TT designs) may employ several task schedules, for use in different System Modes. For example,
When developing TT designs with multiple System Modes, we are likely to have a different Tick List for each System Mode.
Note that—during the system design—we may need to consider the Task Sequence Initialisation Period both when the system is initialised, and at any time at which the System Mode changes.
Note also that—for such a TT system design—we can determine at design time precisely what the task sequence will be when the system operates: this means that—if required—we can determine the task sequence even during the Task Sequence Initialisation Period (for asynchronous task sets). One convenient way of doing this is to treat the Task Sequence Initialisation Period as a separate System Mode.
Please note that the timing of the transition between System Modes may not be known in advance (because, for example, the time taken for the plane shown in
It will be appreciated that only one System Mode may be active at any point in time while the computer system is operating: this is referred to as the active System Mode. When in the active System Mode, the computer system will execute tasks in accordance with the active task schedule. In a computer system, the various task schedules for the various System Modes may be recorded in various Task Sequence Representations: the Task Sequence Representation corresponding to the active System Mode is referred to as the active Task Sequence Representation (or active TSR).
We now consider how TT designs are typically implemented in current systems. Further information about this topic can be found in Reference 5 and Reference 6.
For example, the following code illustrates an example of how three periodic tasks may be configured on a Main Processor using a standard TTC scheduler:
Please note that the code listing above shows a synchronous task set.
The following code listing shows an asynchronous task set:
In both of the code listings presented above (and in
Referring again to
Flexibility in the design process and the ability to recover from errors are two reasons why “dynamic” TT designs (with a separate timer ISR and task dispatch functions) are generally preferred over simpler designs in which tasks are dispatched from the timer ISR. In addition, separating the ISR and task dispatch functions also makes it very simple to create TT designs with support for task pre-emption (sometimes called “time-triggered hybrid”—TTH—designs).
As an example of a TTH scheduler design, please see
Please see Reference 5 and Reference 6 for further information about the implementation of different forms of TT scheduler.
We now consider how tasks are implemented in a typical TT design.
Reference 5 and Reference 6 provide non-limiting examples of the kinds of tasks that may be executed in TT systems, for example “RS-232 data transmission”, “display updates” and “PID control” tasks, including full implementation details. Other examples of tasks may involve reading input data, performing calculations and generating outputs.
Using a TT architecture allows a developer to ensure that some or all of the tasks in the system begin executing at precisely-determined points in time. However—in some real-time systems—care must still be taken when designing and implementing the tasks in order to ensure that all of the system timing requirements are met.
To understand why this is necessary, please consider the following example of a task which may be run on the Main Processor:
In this case, the worst-case execution time (WCET) of the task is known. Knowledge of WCET is a standard requirement for tasks in real-time embedded systems. In this case we know (only) that the task will generate certain outputs within A ms from the start of the task (where A is the known WCET of the task).
The listing below shows an alternative implementation of the task:
In this alternative implementation, the code in the task has been balanced. Slightly more formally this means that we know both the “worst case” (WCET) and “best case” (BCET) execution times of this task, and that BCET=WCET.
Where the code is balanced, it is possible to determine more precisely when particular task activities will be performed (at a time or times measured relative to the start of the task). In the example shown above, the task outputs will be generated in an interval starting A1 ms after the start of the task and finishing A2 ms later.
It may therefore be desirable to balance the task code. Balancing techniques include single-path programming (see Reference 7, Reference 8, Reference 9 and Reference 10) and Sandwich Delays (Reference 11).
We now describe how the present invention can be implemented in order to improve the reliability and security of computer systems that have been configured to run tasks according to a predetermined task schedule.
In
For example, the computer system may be implemented using a dual-core processor, with the Main Processor operating on one core and the Monitor Processor operating on the second core. As an alternative example, the computer system may be implemented on an FPGA platform, with the Main Processor implemented by means of a “soft” or “hard” processor core (and some software) and the Monitor Processor implemented using FPGA logic (without any software).
Preferably, however, the Main Processor and the Monitor Processor will be implemented on separate processor chips, thereby reducing the opportunities for common-mode failures in the error-detection process.
Also preferably, the Main Processor 801 and the Monitor Processor 802 will be physically separated (for example, the Main Processor 801 may be implemented on a processor chip that is located in the engine compartment in a passenger vehicle and the Monitor Processor 802 may be implemented on a processor chip that is located between seats in the passenger area), thereby (further) reducing the opportunities for common-mode failures in the error-detection process.
It will be appreciated that—whatever design and implementation options are selected for the Main Processor 801 and Monitor Processor 802 in a particular system—ensuring that the Main Processor 801 and the Monitor Processor 802 employ different hardware and/or software designs, may also reduce the opportunities for common-mode failures in the error-detection process.
Preferably, the Main Processor 801 comprises a time-triggered scheduler.
This time-triggered scheduler may (as a non-limiting example) be driven by a periodic source of interrupts. Alternatively (as another non-limiting example), this time-triggered scheduler may be driven by an aperiodic source of interrupts.
Optionally, the Main Processor 801 comprises a time triggered cooperative (TTC) scheduler or a time triggered hybrid (TTH) scheduler, similar to the designs described in detail in Reference 5.
Optionally, one or more of the tasks executing on the Main Processor 801 has been “balanced” to ensure that the task execution time is approximately the same every time the task is executed.
Preferably, the Monitor Processor 802 has access to at least one predetermined Task Sequence Representation 804 812 813 stored—for example—in internal memory 804 or an external data-storage device 812 813, this representation having been determined and stored before the computer system begins to operate.
As a non-limiting example, different types of internal memory 804 may be used to store the Task Sequence Representation 804 812 813: for example, RAM, ROM, Flash or EEPROM memory. Other ways of implementing such an internal memory device can also be employed (for example, using a collection of suitable gates in an FPGA device).
As an example of the implementation of a Task Sequence Representation 804 812 813, please refer to
In the above example, the array stores a representation of the tasks shown in
Optionally, the Monitor Processor 802 creates and stores one or more Task Sequence Representations 804 812 813 in—for example—an internal 804 or external memory device 812, 813, these representations being determined by observing the operation of the Main Processor 801 at points during the system operation. Optionally, the collection of task sequence information will be carried out when the computer system enters a particular System Mode for the first time.
Alternatively, the Monitor Processor 802 will create one or more Task Sequence Representations 804 812 813 during the system operation by running a scheduling algorithm on the Monitor Processor 802 that is similar to the scheduling algorithm that is running on the Main Processor 801.
There will often be a Task Sequence Representation 804 812 813 that corresponds to each different System Mode in the Main Processor 801.
Each Task Sequence Representation 804 812 813 may be stored in one or more data-storage devices 804 812 813.
Optionally, there will be two or more copies of one or more Task Sequence Representations 804 812 813, these copies being held in one or more data-storage devices 804 812 813. Optionally, the different copies of the Task Sequence Representation 804 812 813 will be compared at points during the system operation and—if found to be different—this event may be treated as a Data Error. Optionally, such a Data Error will be handled in the same way that a Task Sequence Error is handled.
Optionally, there will be three or more copies of one or more Task Sequence Representations 804 812 813: these copies may be held in one or more data-storage devices 804 812 813.
Optionally, the different copies of the Task Sequence Representation 804 812 813 will be compared at points during the system operation and—if found to be different—a decision about the correct sequence may be based on a majority decision; where a majority decision is not possible, this event may be treated as a Data Error. Optionally, such a Data Error will be handled in the same way that a Task Sequence Error is handled.
It will be appreciated that—whatever design and implementation options are selected for the Main Processor 801 and Monitor Processor 802 in a particular system—ensuring that the Main Processor 801 and the Monitor Processor 802 employ different approaches to determine which task should be executed next by the Main Processor 801 may reduce the opportunities for common-mode failures in the error-detection process. For example, one effective combination may be to use [i] a Main Processor 801 that comprises a (dynamic) TTC or TTH scheduler, by means of which it will determine which task to execute next based on calculations made at run time, and combine this with [ii] a Monitor Processor 802 that comprises a set of static Task Sequence Representations (where the Task Sequence Representations were determined at design time, before the system began executing).
The Communication Link 803 between the Main Processor 801 and the Monitor Processor 802 may be implemented using a wired serial connection, based on a standard protocol (for example, SPI, I2C, RS-232, RS-422, RS-485, CAN, etc) or a custom protocol. Alternatively, the Communication Link 803 between the Main Processor 801 and the Monitor Processor 802 may be implemented using a wired parallel interface (with, for example, one or more processor I/O pins used to represent the current state of the Main Processor). Alternatively, the Communication Link 803 between the Main Processor 801 and the Monitor Processor 802 may be implemented using an area of memory to which both processors have access. Alternatively, the Communication Link 803 between the Main Processor 801 and the Monitor Processor 802 may be implemented using a wireless protocol.
Optionally, the Monitor Processor will, by means of the Control Mechanism, cause the Main Processor to halt or reset, in situations where the Monitor Processor determines that the Main Processor is about to run a task that is not in accordance with the active task schedule.
Optionally, the process of halting the Main Processor in situations where the Monitor Processor determines that the Main Processor is about to run a task that is not in accordance with the active task schedule will further comprise an attempt to place the Main Processor into a safe state prior to halting the Main Processor. Such a safe state may be one in which—for example—the output pins of the Main Processor are set to levels that ensure that the any external equipment that is under the control of the computer system is shut down.
The Control Mechanism may comprise a System Control output 805 and/or a Reset Link 807, and/or a Communication Link B 806.
Optionally—as part of the Control Mechanism—the computer system will have a System Control output 805 that allows the system to control one or more external devices or systems and/or the computer system itself.
Optionally, the System Control output 805 will comprise one or more output pins on the Monitor Processor, and such pins may be further connected to one or more electromechanical relays or other actuators or similar devices.
Optionally, the System Control output 805 will allow the computer system to disconnect the Main Processor 801 from a power source, thereby halting the Main Processor 801 (and rendering it inoperative). Optionally, the System Control output 805 will allow the computer system to disconnect the Main Processor 801 from a power source temporarily, thereby “cycling the power” on the Main Processor 801 and causing it to reset. Optionally, the System Control output 805 will be used to disconnect the computer system from its own power source. Optionally, the System Control output 805 will be used to disconnect the computer system from other systems. Optionally, the System Control output 805 will be used to connect the computer system to other systems. Optionally, the System Control output 805 will be used to shut down devices that are under the control of the computer system. Optionally, the System Control output 805 will allow the computer system to disconnect one or more external devices from a power source, thereby rendering such devices inoperative. Optionally, the System Control output 805 will be used to enable devices that are under the control of the computer system. Optionally, the System Control output 805 will be used to enable safety systems on devices that are under the control of the computer system.
As a non-limiting example,
Optionally—as part of the Control Mechanism—there will be a Reset Link 807 between the Monitor Processor 802 and the Main Processor 801. Optionally, this Reset Link 807 will be implemented as a connection between an output pin on the Monitor Processor 802 and a reset pin on the Main Processor. Alternatively, this Reset Link 807 may be implemented as a connection between an output pin on the Monitor Processor 802 and an interrupt-related pin on the Main Processor. Alternatively, this Reset Link 807 may be implemented as a connection between an output pin on the Monitor Processor 802 and an input pin on the Main Processor. Alternatively, the Reset Link 807 may be any means of triggering a reset on the Main Processor.
Optionally—as part of the Control Mechanism—there will be a Communication Link B 806 between the Monitor Processor 802 and the Main Processor. Optionally, the Communication Link B 806 between the Monitor Processor 802 and the Main Processor 801 may be implemented using a wired serial protocol. Alternatively, the Communication Link B 806 between the Monitor Processor 802 and the Main Processor 801 may be implemented using a wired parallel protocol. Alternatively, the Communication Link B 806 between the Monitor Processor 802 and the Main Processor 801 may be implemented using an area of memory to which both processors have access. Alternatively, the Communication Link B 806 between the Monitor Processor 802 and the Main Processor 801 may be implemented wirelessly.
Optionally, by means of the Control Mechanism, the Monitor Processor 802 may reset the Main Processor 801, if it determines that the Main Processor 801 is about to execute a task that is not in accordance with the active task schedule.
Optionally, by means of the Control Mechanism, the Monitor Processor 802 may halt or reset the Main Processor, if it determines that the Main Processor 801 is about to execute a task that is not in accordance with the active task schedule.
Optionally, by means of the Control Mechanism, the Monitor Processor 802 will pass a message to the Main Processor 801 requesting that the Main Processor 801 reset itself or halt itself, if it determines that the Main Processor 801 is about to execute a task that is not in accordance with the active task schedule. It will be appreciated that such a request is intended to give the Main Processor 801 the opportunity to perform an “orderly shutdown”, if this is possible. It will also be appreciated that—if the Main Processor 801 is about to execute a task that is not in accordance with the active task schedule—then this may be symptomatic of significant problems or faults in the Main Processor. If—therefore—the Main Processor 801 does not comply with the above reset of halt request within a predetermined period, then—optionally, by means of the Control Mechanism—the Monitor Processor 802 will—for example—cycle the power to the Main Processor 801 (causing it to reset itself) or remove the power from the Main Processor 801 altogether (causing it to halt).
Optionally, by means of the Control Mechanism, the Monitor Processor 802 may reset or halt the Monitor Processor 802 if it receives no reports of activity about one or more tasks from the Main Processor 801 for a predetermined period.
Optionally, by means of the Control Mechanism, the Monitor Processor 802 may reset or halt the Main Processor 801 if it receives no reports of any task activity from the Main Processor 801 for a predetermined period.
Optionally, the Monitor Processor 802 may ignore reports of task activity from the Main Processor 801 at particular times during the system operation.
Optionally, the Monitor Processor 802 is configured to permit continued operation of the Main Processor 801 provided the number of detected errors is below a predetermined threshold.
Optionally, the Monitor Processor 802 is configured to permit continued operation of the Main Processor 801 provided the rate of detected errors is below a predetermined threshold.
Optionally, the Main Processor 801 may not send information about the next task to be executed for every task in the predetermined task schedule.
Optionally, the Monitor Processor 802 will signal an alarm if it determines that the Main Processor 801 is about to execute a task that is not in accordance with the active task schedule. Optionally, various forms of audible and/or visual signalling devices can be employed as an Error Signal device 808, such as a small buzzer or an LED or LCD device, or a form of wired or wireless connection to some form of manned or unmanned monitoring station.
Optionally, the Monitor Processor 802 will log an error if it determines that the Main Processor 801 is about to execute a task that is not in accordance with the active task schedule.
Optionally, different types of internal memory 804 may be used to implement an Error Log 809: for example, RAM, Flash or EEPROM memory. Other ways of implementing such an Error Log might also be employed (for example, using a collection of suitable gates in an FPGA device).
Optionally, different types of external memory 809 may be used to implement an Error Log 809: for example, RAM, Flash or EEPROM memory. Other ways of implementing such an Error Log might also be employed (for example, using a collection of suitable gates in an FPGA device, or a “hard disk”).
Optionally, the computer system may have a System Reset input 810, the use of which causes the Main Processor 801 to begin its operations from a known initial state. The System Reset input 810 may take the form of a switch or similar device that is located on or close to the computer system. Alternatively, the System Reset input 810 may be implemented through a wired or wireless interface that allows the system to be reset at a distance.
Optionally, the computer system may have a System Halt input 811, the use of which causes the system to stop operating. Optionally, the system will halt in a safe state. The System Halt input 811 may take the form of a switch or similar device that is located on or close to the computer system. Alternatively, the System Halt input 811 may be implemented through a wired or wireless interface that allows the system to be reset at a distance.
The task dispatcher 1000 shown in
One possible implementation of the other half of the monitoring process introduced in the present invention is shown in
The monitoring process starts by initialising the Main Processor 1101.
Optionally, the initialisation of the Main Processor 801 will be carried out by means of the Control Mechanism. For example, the Monitor Processor 802 may reset the Main Processor 801 by means of the Reset Link 807. Resetting the Main Processor 801 in this way may—for example—involve holding a reset pin on the Main Processor 801 in low state for a brief period (typically few milliseconds) and then releasing this pin, assuming that the reset pin is “active low”. Alternatively, the Monitor Processor 802 may—for example—cycle the power to the Main Processor 801 (causing it to reset itself), by means of the System Control output 805. Alternatively, the Monitor Processor 802 may—by means of Communication Link B 806—send a message to the Main Processor 801 requesting that the Main Processor 801 resets itself.
The Monitor Processor may employ Communication Link B to provide information to the Main Processor when the Main Processor is being configured after a reset. Such a link may be used to provide information to the Main Processor 801 about the required system state at the time of initialisation. Such information might be provided if the system has been reset because an error has been detected. Information provided may comprise the System Mode (at the time when the error was detected). Optionally, information provided may also comprise the system tick value (at the time when the error was detected). Through use of this information, the Monitor Processor 802 can help to restore the Main Processor 801 to a state very similar to the state before the error occurred. Alternatively, the Monitor Processor 802 may be pre-configured to provide different initialisation information in the event of a specific error, to ensure that the Main Processor operates safely in these circumstances.
Where the Monitor Processor 802 provides information to the Main Processor 801 about the required system state at the time of initialisation, this information may comprise messages delivered via Communication Link B 806: the system initialisation process may then comprise the system initialisation operation carried out at the start of the function main( ) 501 701.
Optionally, the Monitor Processor 802 may trigger an initialisation process and then wait for a fixed period before proceeding.
Optionally, the Main Processor 801 may send a message (over the Communication Link 803) to indicate that it has completed any initialisation.
In the next process in
As noted previously, the Task Sequence Representation that is used by the Monitor Processor 802 will preferably have been determined (and stored) before the computer system begins to operate. Process 1102 will then involve selecting this representation.
Alternatively, the Task Sequence Representation that is used by the Monitor Process 802 may—for example—be collected at run time by recording the task sequence provided by the Main Processor 801 at one or more points when the system is operational. Optionally, the collection of task sequence information (and the creation of the active Task Sequence Representation) will be carried out when the computer system enters a particular System Mode for the first time.
Optionally, the Task Sequence Representation (whether it is stored before the computer system begins to operate, or generated when the computer system is operational) will be stored in an internal 804 or external 812 813 data-storage device.
As noted previously, there may be several different Task Sequence Representations corresponding to several different System Moces. Optionally, these different Task Sequence Representations may be stored in different data-storage devices. Optionally, the Monitor Processor 802 will select the active Task Sequence Representation (corresponding to the active System Mode) 1102. We say more about the possible representation of the different System Modes below.
Optionally, the Monitor Processor 802 will then wait 1103 for the Main Processor 801 to complete a Task Sequence Initialisation Period corresponding to the active System Mode.
Optionally, the Monitor Processor 802 will ignore outputs from the Main Processor 801 during the Task Sequence Initialisation Period corresponding to the active System Mode.
Once the Main Processor 801 has initialised 1101, the Task Sequence Representation has been selected 1102 (and, optionally, collected 1102) and the System Mode initialisation is complete 1103, the Monitor Processor 802 begins the monitoring process 1104.
The monitoring process 1104 involves waiting for the Main Processor 801 to provide information about the next task that it intends to execute, and the Monitor Processor 802 checking that the task information provided by the Main Processor 801 matches the next entry in the active Task Sequence Representation that was selected previously 1102.
A possible implementation of the function for checking the task sequence is shown below. Please note that the code should be read in conjunction with the code for the TSR_G [ ] array presented previously.
During the monitoring process 1104, a Task Sequence Error will be identified 1106 if the proposed task execution (provided by the Main Processor 801) does not match the next entry in the active Task Sequence Representation 804 812 813.
Optionally during the monitoring process 1104, the timing of the arrival of the task sequence information from the Main Processor 801 may be checked 1105 and—if found to be inconsistent with predetermined time limits—a Task-Sequence Timing Error may be identified. Further optionally, a Task-Sequence Timing Error may be identified if the Monitor Processor 802 receives no reports of activity about one or more tasks from the Main Processor 801 for a predetermined period. Further optionally, a Task-Sequence Timing Error may be identified if the Monitor Processor 802 receives no reports of any task activity from the Main Processor 801 for a predetermined period.
In addition to handling any Task-Sequence Timing Errors 1105 and/or Task Sequence Errors 1106, the Monitor Processor 802 will also handle any requests to change mode 1107 from the Main Processor 801.
The non-limiting code example below illustrates how two different task sequences (representing two different System Modes) might be represented.
In the above example—as in previous examples—the arrays storing the Task Sequence Representations contain task IDs, with task ID values ranging from 0 to 5 in this case. Here, the two different task arrays (TSR2_G[ ] and TSR2_G[ ]) represent the different task sequences for two possible System Modes: these modes themselves have System Mode Ds (represented as SYSTEM_MODE_ID1 with a value of 200, and SYSTEM_MODE_ID2 with a value of 201 in this example).
We further assume (for the purposes of this non-limiting example only) that the system can operate with up to 200 possible system tasks, with task IDs ranging in value from 0 to 199. In this case, the Main Processor 801 could report the following information to the Monitor Processor 802 via the Communication Link 803:
In the above example, the values 200 are not valid task IDs, but they are valid System Mode IDs. This reflects the fact that at the start of the above sequence, the Main Processor 801 is executing tasks from the Task Sequence Representation with ID 200. After some time has passed, the Main Processor 801 indicates that the System Mode has now changed (for example, as a result of inputs from a user, or changes in the operating environment) and that it has begun to execute tasks from the Task Sequence Representation with ID 201.
Optionally during the monitoring process 1104, the timing of any changes to the System Mode may be checked and—if found to be inconsistent with predetermined values—a System-Mode Timing Error may be identified. Optionally, a System-Mode Timing Error will be identified if—for example—the System Mode changes more quickly or more slowly than predetermined limits would suggest is likely. Further optionally, a System-Mode Timing Error will be identified if the Monitor Processor receives no reports of System Mode changes from the Main Processor 801 for longer than a predetermined period.
Optionally during the monitoring process 1104, the sequence of any changes to the System Mode will be checked and—if found to be inconsistent with predetermined values—a System-Mode Sequence Error may be identified.
Optionally, in the event that a Task-Sequence Timing Error is identified 1105, or a System-Mode Timing Error is identified 1105, or a Task Sequence Error is identified 1106, or a System-Mode Sequence Error is identified 1106, the Monitor Processor 802 will signal 1109 the system state (e.g. via an Error Signal device 808) and/or log the system state (for example in an Error Log 809), and/or apply one or more system control operations by means of the System Control output 805.
Optionally, in the event that a Task-Sequence Timing Error is identified 1105, or a System-Mode Timing Error is identified 1105, or a Task Sequence Error is identified 1106, or a System-Mode Sequence Error is identified 1106, the Monitor Processor 802 will ignore this error, if the number of occurrences of the particular error is below a predetermined threshold.
Optionally, in the event that a Task-Sequence Timing Error is identified 1105, or a System-Mode Timing Error is identified 1105, or a Task Sequence Error is identified 1106, or a System-Mode Sequence Error is identified 1106, the Monitor Processor 802 will ignore this error, if the rate of occurrences of the particular error is below a predetermined threshold.
Optionally, the Monitor Processor 802 will also handle any requests to halt the computer system 1108. Such requests to halt the computer system may arise via the System Halt input 811. If a System Halt request is received, the Monitor Processor 802 may 1109 signal the system state (e.g. via an Error Signal device 808) and/or log the system state (for example in an Error Log 809), and/or apply one or more system control operations by means of the System Control output 805.
The algorithm 1100 illustrated in
In the case of a System Reset input 810, the Monitor Processor 802 may 1110 reset the Main Processor 801 by means of the Reset Link 807. Resetting the Main Processor 801 in this way may—for example—involve holding a reset pin on the Main Processor 801 in low state for a brief period (typically few milliseconds) and then releasing this pin, assuming that the reset pin is “active low”. Alternatively, the Monitor Processor 802 may—for example—cycle the power to the Main Processor 801 (causing it to reset itself), by means of the System Control output 805. Alternatively, the Monitor Processor 802 may send a message to the Main Processor 801 requesting that the Main Processor 801 resets itself, by means of Communication Link B 806.
The Monitor Processor 802 will cease it operations after completing the processes laid out in 1110.
Please note that—as explained previously—designers of TT systems often choose to balance the task code, to ensure that the system timing behaviour is temporally deterministic. Optionally, the use of balanced code may be employed in applications of the present invention.
The following non-limiting example illustrates why the use of code balancing may be of benefit when a TTH scheduler (or any other scheduler involving task pre-emption) is employed.
Please refer back to
The complete task sequence for the upper diagram 301 in
If the code for all of these tasks is balanced, then this sequence will always be the same (every time this sequence of tasks runs).
If the code is not balanced, then we may—for example—obtain the task sequence shown in the lower half of
There are further system halt and reset options available to the developer.
For example, in the event of an error, the Monitor Processor 802 may first request—via the Communication Link B 806—that the Main Processor 801 performs an orderly shut-down operation, as described (by way of a non-limiting example) in
As an example, the code listing below shows a TTC scheduler that might be employed on the Main Processor 1301 that is used in conjunction with the software shown schematically in
Part of the corresponding code running on the Monitor Processor 1302 might take the form shown in the listing below:
In this example, a version of the dispatcher function (as used in the Main Processor 1301 and described in detail—for example—in Reference 5) will be used—when required—to determine what task is due to execute next.
In
Optionally, the initialisation of the Main Process 1502 will be carried out by means of the Control Mechanism. For example, the Monitor Process 1503 may—for example—cause the Main Process 1502 (and the whole processor 1501) to reset by causing overflow of a “watchdog” timer. Alternatively, the Monitor Process 1503 may send a message to the Main Process 1502 requesting that the Main Process 1502 resets itself, by means of Communication Link B 1508.
Optionally, the Monitor Process 1503 will provide information to the Main Process 1502 about the required system state at the time of initialisation. Such information might be provided if the system has been reset because an error has been detected. Information provided may comprise the System Mode (at the time when the error was detected). Optionally, information provided may also comprise the system tick value (at the time when the error was detected). Through use of this information, the Monitor Process 1503 can help to restore the Main Process 1502 to a state very similar to the state before the error occurred. Alternatively, the Monitor Process 1503 may be pre-configured to provide different initialisation information in the event of an error, to ensure that the Main Process operates safely in these circumstances.
Where the Monitor Process 1503 provides information to the Main Process 1502 about the required system state at the time of initialisation, this information may comprise messages delivered via Communication Link B 1508: the system initialisation process may then comprise the system initialisation operation carried out at the start of the function main( ) 501, 701.
Optionally, the Monitor Process 1503 may trigger an initialisation process and then wait for a fixed period before proceeding.
Optionally, the Main Process 1502 may send a message (over the Communication Link 1504) to indicate that it has completed any initialisation.
The monitoring process 1600 (shown in
Throughout the specification, unless the context demands otherwise, the terms ‘comprise’ or ‘include’, or variations such as ‘comprises’ or ‘comprising’, ‘includes’ or ‘including’ will be understood to imply the inclusion of a stated integer or group of integers, but not the exclusion of any other integer or group of integers.
REFERENCES
- 1. Keith M. Klug, Steven R. Tugenberg “Functional lockstep arrangement for redundant processors”, U.S. Pat. No. 5,226,152 A, 1993.
- 2. Nahmsuk Oh, Philip P. Shirvani and Edward J. McCluskey, “Control Flow Checking by Software Signatures”, Technical Report CRC-TR00-4, Center for Reliable Computing, Stanford University, 2000.
- 3. M. J. Pont and H. L. R. Ong “Using watchdog timers to improve the reliability of TTCS embedded systems”, in Hruby, P. and Soressen, K. E. [Eds.] Proceedings of the First Nordic Conference on Pattern Languages of Programs, September, 2002 (“VikingPloP 2002”), pp. 159-200. Published by Micrsoft Business Solutions. ISBN: 87-7849-769-8, 2003.
- 4. J.-T. Leung and M. Merril. “A note on preemptive scheduling of periodic real-time tasks”, Information Processing Letters, 3(11), 1980.
- 5. M. J. Pont, “Patterns for Time-Triggered Embedded Systems”, Addison-Wesley/ACM Press, 2001.
- 6. M. J. Pont, “Embedded C”, Addison-Wesley, 2002.
- 7. P. Puschner and A. Burns, “Writing temporally predictable Code,” in Proceedings of the seventh International Workshop on Object-Oriented Real-Time Dependable Systems, 2002.
- 8. P. Puschner, “Is WCET Analysis a non-problem? Towards new Software and Hardware architectures,” in 2nd International Workshop on Worst Case Execution Time Analysis, Vienna, Austria, June 2002.
- 9. R. Kirner and P. Puschner, “Discussion of Misconceptions about WCET Analysis,” in 3rd Euromicro International workshop on WCET Analysis, 2003.
- 10. A. K. Gendy and M. J. Pont “Towards a generic ‘Single Path Programming’ solution with reduced power consumption”, in International Design Engineering Technical Conferences & Computers and Information in Engineering Conference IDETC/CIE 2007, Las Vegas, Nev., USA, 2007.
- 11. M. J. Pont, S. Kurian, and R. Bautista-Quintero, “Meeting Real-time Constraints Using ‘Sandwich Delays’,” TPLOP, LNCS, pp. 94-102, 2009.
Claims
1. A time-triggered computer system comprising:
- a Main Processor adapted to execute one or more tasks according to one or more predetermined task schedules, only one of which, an active task schedule, will be active at any point in time;
- a Monitor Processor adapted to determine whether the Main Processor is about to execute a task that is not in accordance with the active task schedule;
- a Communication Link for passing information about future task executions between the Main Processor and the Monitor Processor; and
- a Control Mechanism adapted to at least one of halt and reset the Main Processor, and at least one of control and disable connected devices controlled by the Main Processor, when the Monitor Processor determines that the Main Processor is about to execute the task that is not in accordance with the active task schedule.
2. The computer system according to claim 1 wherein the Main Processor and the Monitor Processor each comprises at least one core selected from the group consisting of a soft processor core that executes software, a hard processor core that executes software, and a hardware core that does not execute any software.
3. The computer system according to claim 1 wherein the Main Processor and the Monitor Processor are both implemented by means of a single processor chip.
4. The computer system according to claim 1 wherein the Main Processor and the Monitor Processor are implemented by means of separate processor chips.
5. The computer system according to claim 4 wherein the Main Processor and the Monitor Processor are physically separated.
6. The computer system according to claim 1 wherein the Main Processor comprises a time-triggered scheduler.
7. The computer system according to claim 6 wherein the Main Processor comprises a time-triggered cooperative (TTC) scheduler or a time-triggered hybrid (TTH) scheduler.
8. The computer system according to claim 1 wherein at least one of the tasks executing is a balanced task adapted to execute on the Main Processor in approximately the same amount of execution time each time the balanced task is executed.
9. The computer system according to claim 1 wherein the Monitor Processor has access to at least one predetermined Task Sequence Representation that was determined and stored at a time before the computer system begins to operate.
10. The computer system according to claim 1 wherein the Monitor Processor creates one or more Task Sequence Representations during operation of the computer system.
11. The computer system according to claim 10 in which the Monitor Processor creates the one or more Task Sequence Representations by recording a task sequence from the Main Processor at points during operation of the computer system.
12. The computer system according to claim 10 in which the Monitor Processor is adapted to create the one or more Task Sequence Representations by running a scheduling algorithm on the Monitor Processor that is similar to a scheduling algorithm that is running on the Main Processor.
13. The computer system according to claim 1 wherein each Task Sequence Representation is stored in one or more data-storage devices.
14. The computer system according to claim 1 wherein two or more copies of the one or more stored Task Sequence Representations are held in one or more data-storage devices.
15. The computer system according to claim 1 wherein the Monitor Processor does not process the information about future task executions for every task according to the active task schedule.
16. The computer system according to claim 1 wherein the Communication Link comprises a peer-to-peer connection based on a standard serial protocol.
17. The computer system according to claim 1 wherein the Control Mechanism comprises at least one of a System Control Output, a Reset Link, a Communication Link B.
18. The computer system according to claim 17 wherein the System Control Output comprises one or more output pins on the Monitor Processor.
19. The computer system according to claim 18 wherein the one or more output pins on the Monitor Processor are connected to one or more devices selected from the group consisting of electromechanical relays and actuators.
20. The computer system according to claim 17 wherein the System Control Output further comprises a means of disabling the computer system
21. The computer system according to claim 17 wherein the Reset Link comprises a connection between an output pin on the Monitor Processor and a reset pin on the Main Processor.
22. The computer system according to claim 17 wherein the Communication Link B comprises a peer-to-peer connection based on a standard serial protocol.
23. The computer system according to claim 17 wherein the Monitor Processor is adapted to employ the Communication Link B to inform the Main Processor whether or not the the Main Processor is about to execute a task that is in accordance with the active task schedule.
24. The computer system according to claim 17 wherein the Monitor Processor is adapted to employ the Communication Link B to provide information to the Main Processor when the Main Processor is being configured after a reset.
25. The computer system according to claim 17 wherein the Monitor Processor is adapted to cause, by means of the Control Mechanism, the Main Processor to at least one of halt and reset, in situations where the Monitor Processor determines that the Main Processor is about to execute the task that is not in accordance with the active task schedule.
26. The computer system according to claim 25 wherein the Monitor Processor is adapted to attempt to place the Main Processor into a safe state prior to halting the Main Processor.
27. The computer system according to claim 1 wherein the Monitor Processor is adapted to signal an alarm when the Monitor Processor determines that the Main Processor is about to execute the task that is not in accordance with the active task schedule.
28. The computer system according to claim 1 wherein the Monitor Processor is adapted to log an error when the Monitor Processor determines that the Main Processor is about to execute the task that is not in accordance with the active task schedule.
29. The computer system according to claim 1 wherein the computer system has a System Reset Input, the use of which restarts operation of the Main Processor from a known initial state.
30. The computer system according to claim 1 wherein the computer system has a System Halt Input, the use of which stops operation of the computer system to stop operating.
31. A time-triggered computer system comprising a processor for running:
- a Main Process adapted to execute one or more tasks according to one or more predetermined task schedules, only one of which, an active task schedule, will be active at any point in time;
- a Monitor Process adapted to determine whether the Main Process is about to execute a task that is not in accordance with the active task schedule;
- a Communication Link for passing information about future task executions between the Main Process and the Monitor Process; and
- a Control Mechanism adapted to at least one of halt and reset the Main Process, and at least one of control and disable connected devices controlled by the Main Process, when the Monitor Process determines that the Main Process is about to execute the task that is not in accordance with the active task schedule.
32. A method of controlling a time-triggered computer system that has been adapted to execute one or more tasks according to one or more predetermined task schedules, only one of which, an active task schedule, will be active at any point in time, the method comprising the steps of:
- determining that the computer system is about to execute a task that is not in accordance with the active task schedule;
- controlling execution of the one or more tasks; and
- controlling operation of one or more devices connected to the computer system.
33. The method according to claim 32 wherein the controlling execution of the one or more tasks comprises at least one of halting, restarting, and replacing the one or more tasks.
34. The method according to claim 32 further comprising creating and storing one or more Task Sequence Representations that are determined by observing operation of the computer system at points during operation of the computer system.
35. The method according to claim 32 wherein the controlling operation of the one or more devices comprises at least one of shutting down, disabling, enabling, and configuring the one or more devices.
36. The method according to claim 32 wherein the method further comprises at least one of shutting down and disabling the computer system.
37. A computer program product containing one or more sequences of machine-readable instructions, the instructions being adapted to cause one or more processors to provide the computer system according to claim 1.
38. A computer program product containing one or more sequences of machine-readable instructions, the instructions being adapted to cause one or more processors to provide a the computer system according to claim 31.
39. A computer program product containing one or more sequences of machine-readable instructions, the instructions being adapted to cause one or more processors to provide a the method according to claim 32.
Type: Application
Filed: Mar 16, 2015
Publication Date: Apr 13, 2017
Inventor: Michael Joseph Pont (Great Dalby)
Application Number: 15/035,083