SPNU563A – March 2018
Copyright © 2018, Texas Instruments Incorporated
CPU Compare Module for Cortex-R5F (CCM-R5F)
13.1 Overview
Safety-critical applications require run-time detection of faults in critical components in the device such as
the Central Processing Unit (CPU) and the Vectored Interrupt Controller Module (VIM). For this purpose,
the CPU Compare Module for Cortex-R5F (CCM-R5F) compares the core bus outputs of two Cortex-R5F
CPUs running in a 1oo1D (one-out-of-one, with diagnostics) lockstep configuration. This microcontroller
also implements two VIM modules in 1oo1D (one-out-of-one, with diagnostics) lockstep configuration. Any
difference in the core compare bus outputs of the CPUs or the VIMs is flagged as an error. For diagnostic
purposes, the CCM-R5F also incorporates a self-test capability to allow for boot time checking of
hardware faults within the CCM-R5F itself.
In addition to comparing the CPU's and VIM's outputs for fault detection during run-time, the CCM-R5F
also incorporates two additional run-time diagnostic features.
The first additional measure is the Checker CPU Inactivity Monitor which will monitor the checker CPU's
key bus signals to the interconnect. When the two CPUs are in lockstep configuration, several key bus
signals from the checker CPU which would have indicated a valid bus transaction to the interconnect on
the microcontroller will be monitored. A list of the signals to be monitored is provided in
. These
signals from the checker CPU are expected to be inactive. All transactions between the lockstep CPUs
and the rest of the system should only go through the main CPU. Any signals which indicate activity will
be flagged as an error.
The second feature is the Power Domain (PD) Inactivity Monitor. Similar to the Checker CPU Inactivity
Monitor in concept, the Power Domain Inactivity Monitor will monitor key bus signals for bus masters
residing in power domains which are turned off. When a power domain is turned off, the boundary of the
power domain is isolated from the rest of the system. Bus signals which would have indicated a valid bus
transaction onto the interconnect are monitored. Any signals which indicate active state will be flagged as
an error.
13.1.1 Main Features
The main features of the CCM-R5F are:
• Run-time detection of faults
  – Run-time compare of CPU's outputs
  – Run-time compare of VIM's outputs
  – Run-time inactivity monitor on the checker CPU's bus signals to the interconnect
  – Run-time inactivity monitor on the power domains' bus signals to the interconnect
• Self-test capability
• Error forcing capability
13.1.2 Block Diagram
shows the interconnect diagram of the CCM-R5F with the two Cortex-R5F CPUs and the two
VIMs. The core bus outputs of the CPUs are compared in the CCM-R5F. To avoid common mode
impacts, the signals of the CPUs to be compared are temporally diverse. The output signals of the master
CPU are delayed 2 cycles while the input signals of the checker CPU are delayed 2 cycles. The two-cycle
delay strategy is also deployed between the two VIM modules. While in lockstep mode, the checker CPU's
output signals to the system are clamped to inactive safe values. Key signals which would have indicated
a valid bus transaction to the interconnect are monitored by the CCM-R5F. The same approach is used for
the key power domains if inactive signals indicate that bus masters inside these power domains are
asserting valid bus transactions.
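The following C model is an added illustration of the temporally diverse compare described above; it is not code from this manual or from TI, and it generalizes the fixed two-cycle delay to a `delay` parameter so the zero-delay case can be contrasted. The toy core function, the `lockstep_run` name, and the sample input are assumptions made for the example; in the device the delay and compare are done in hardware.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_DELAY 4

/* Toy stand-in for one core: next output depends on state and input.
 * `glitch` models a transient fault XORed into the result. */
static uint32_t core_step(uint32_t *state, uint32_t in, uint32_t glitch) {
    *state = (*state * 1664525u + in + 1013904223u) ^ glitch;
    return *state;
}

/* Simulate main + checker with `delay` cycles of temporal diversity.
 * At cycle `glitch_cycle`, glitch_main / glitch_chk hit the two cores at
 * the same instant. Returns the cycle at which the compare first flags
 * an error, -1 if the fault goes undetected, -2 on a bad delay value. */
int lockstep_run(const uint32_t *in, int n, int delay, int glitch_cycle,
                 uint32_t glitch_main, uint32_t glitch_chk) {
    uint32_t main_state = 0, chk_state = 0;
    uint32_t out_dly[MAX_DELAY + 1] = {0};   /* delay line on main outputs */
    int ring = delay + 1;

    if (delay < 0 || delay > MAX_DELAY) return -2;
    for (int t = 0; t < n + delay; t++) {
        int hit = (t == glitch_cycle);
        if (t < n)        /* main core consumes the input immediately */
            out_dly[t % ring] = core_step(&main_state, in[t], hit ? glitch_main : 0);
        if (t >= delay) { /* checker sees the same input `delay` cycles later */
            uint32_t chk = core_step(&chk_state, in[t - delay], hit ? glitch_chk : 0);
            if (chk != out_dly[(t - delay) % ring]) return t;
        }
    }
    return -1;
}

/* Constructed sample input stream. */
static const uint32_t SAMPLE_IN[8] = {3, 1, 4, 1, 5, 9, 2, 6};

int main(void) {
    printf("no fault:             %d\n", lockstep_run(SAMPLE_IN, 8, 2, -1, 0, 0));
    printf("main-only fault:      %d\n", lockstep_run(SAMPLE_IN, 8, 2, 3, 1, 0));
    printf("common-mode, delay 2: %d\n", lockstep_run(SAMPLE_IN, 8, 2, 3, 1, 1));
    printf("common-mode, delay 0: %d\n", lockstep_run(SAMPLE_IN, 8, 0, 3, 1, 1));
    return 0;
}
```

With a delay of 2, an identical disturbance on both cores in the same cycle lands on different points of the instruction stream, so the compare flags it; with no delay both cores are corrupted identically and the outputs still match.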