(19)
(11)EP 3 667 502 A1

(12)EUROPEAN PATENT APPLICATION

(43)Date of publication:
17.06.2020 Bulletin 2020/25

(21)Application number: 19208269.1

(22)Date of filing:  11.11.2019
(51)International Patent Classification (IPC): 
G06F 11/07(2006.01)
(84)Designated Contracting States:
AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR
Designated Extension States:
BA ME
Designated Validation States:
KH MA MD TN

(30)Priority: 11.12.2018 GB 201820116

(71)Applicant: Rolls-Royce plc
London N1 9FX (GB)

(72)Inventor:
  • Brookes, David
    Derby, Derbyshire DE24 8BJ (GB)

(74)Representative: Rolls-Royce plc 
Intellectual Property Dept SinA-48 PO Box 31
Derby DE24 8BJ (GB)

  


(54)SINGLE EVENT EFFECT MITIGATION


(57) A multi-logic device system, an electronic engine controller, and a method of operating the multi-logic device system. The multi-logic device system includes a primary logic device which is more resilient to single event effects, and one or more secondary logic devices, each secondary logic device being powered by a respective power supply unit and being more susceptible to single event effects. The primary logic device is configured to run, for each secondary logic device, a respective watchdog timer. Each watchdog timer is restarted upon receipt of a restart signal from the respective secondary logic device. The primary logic device is also configured, in response to a watchdog timer timing out, to identify and reset the secondary logic device corresponding to the timed out watchdog timer.




Description

Field of the Disclosure



[0001] The present disclosure relates to a multi-logic device system, electronic engine controller, and method of operating the multi-logic device system.

Background of the Disclosure



[0002] There is a desire to increase the use of higher performance commercial off-the-shelf processors in roles where, conventionally, bespoke processors have been used. This is driven by the increased computational demand being placed on processors operating in, for example, aircraft or gas turbine engines.

[0003] However, commercial off-the-shelf processors generally have very small geometries, sometimes on the order of tens of nanometres. These smaller logic elements are more susceptible to single event effects, i.e. effects due to radiation impinging on the processor. For example, processors have been known to change state when an ionizing particle strikes a sensitive node in the processor. This is known as a single event upset, or SEU. Whilst SEUs are easily remedied, e.g. via a software reset, an SEU can lead to a single event latch-up, or SEL. SELs are more serious, as they can require the power provided to the processor to be cycled to clear the fault. Such processors are generally assigned a lower design assurance level than processors which have been hardened against single event effects, or which have been proven to be impervious to SEU or SEL.

[0004] It is important then to identify and resolve single event effects quickly and effectively. This is especially true in the context of aircraft or gas turbine engine control, where safety critical systems may be monitored and/or controlled by commercial off-the-shelf processors.

Summary of the Disclosure



[0005] Accordingly, in a first aspect, the disclosure provides a multi-logic device system comprising:

a primary logic device, said primary logic device being more resilient to single event effects;

one or more secondary logic devices, each secondary logic device being powered by a respective power supply unit, said one or more secondary logic devices being more susceptible to single event effects;

wherein the primary logic device is configured to run, for each secondary logic device, a respective watchdog timer, wherein each watchdog timer is restarted upon receipt of a restart signal from the respective secondary logic device; and

wherein the primary logic device is configured, in response to a watchdog timer timing out, to identify and reset the secondary logic device corresponding to the timed out watchdog timer.



[0006] By locating the watchdog timer in a logic device, which is relatively resilient to radiation, faults due to single event effects in the secondary logic devices can be detected and mitigated more effectively.

[0007] The multi-logic device system may have any one or, to the extent that they are compatible, any combination of the following optional features.

[0008] The primary logic device may be a processor or a field programmable gate array (FPGA). The secondary logic devices may be processors or FPGAs. Where the primary logic device and the secondary logic devices are all processors, the system may be referred to as a multi-processor system.

[0009] The single event effects may include single event latch-ups and single event upsets.

[0010] Resetting the identified secondary logic device may include performing a power cycle of the respective power supply unit.

[0011] There may be a plurality of secondary logic devices, grouped by design assurance level, wherein secondary logic devices having the same design assurance level share a same power supply unit.

[0012] Each power supply unit may include a power supply short circuit protection unit added to an input of the logic rail conditioning of each secondary logic device. This can help ensure that a fault in one or more secondary logic devices does not affect the primary logic device as, when a latch-up occurs, the supply current to the secondary logic device can be limited and thus does not collapse the supply to the primary logic device.

[0013] Each secondary logic device may include logic elements with a size of no more than 70 nm.

[0014] The primary logic device may be hardened to single event effects. For example, the primary logic device may be encased in radiation shielding and/or be more tolerant to single event upset through design (e.g. further epitaxial layers).

[0015] In a second aspect, the disclosure provides an electronic engine controller, which includes the multi-logic device system of the first aspect. The multi-logic device system of the second aspect may have any one, or to the extent they are compatible, any combination of the optional features of the first aspect. The electronic engine controller may be an electronic engine controller of a gas turbine engine, typically an aero engine. Indeed, in a third aspect, the disclosure provides a gas turbine engine having the electronic engine controller of the second aspect.

[0016] In a fourth aspect, the disclosure provides a method of operating the multi-logic device system of the first aspect, the method comprising the steps of:

operating a respective watchdog timer, on the primary logic device, for each of the secondary logic devices, each watchdog timer being restarted upon receipt of a restart signal from the respective secondary logic device;

using the primary logic device to detect a time out event of a watchdog timer, and identify the secondary logic device corresponding to the timed out watchdog timer; and

using the primary logic device to reset the secondary logic device corresponding to the timed out watchdog timer.



[0017] The multi-logic device system used in the method of the fourth aspect may have any one, or to the extent they are compatible, any combination of the optional features of the first aspect.

Brief description of the drawings



[0018] Embodiments of the invention will now be described by way of example with reference to the accompanying drawings in which:

Figure 1 shows a schematic of a multi-logic device system according to the present disclosure; and

Figure 2 shows a flow diagram of a method according to the present disclosure.


Detailed Description



[0019] Aspects and embodiments of the present disclosure will now be discussed with reference to the corresponding drawings. Other aspects and embodiments will be apparent to those skilled in the art.

[0020] Figure 1 shows a multi-logic device system 100, which includes multiple processors. A primary processor 101 is connected to two secondary processors, 102a and 102b. Each secondary processor has an associated power supply unit, 104a and 104b respectively, to which it is connected through a respective logic rail 114a or 114b. In some examples, the power supply units 104a / 104b may be power lines from a central power supply unit, where each power line is protected by a short circuit protection device.

[0021] In use, the primary processor 101 operates a watchdog timer for each of the secondary processors. In normal operation, each secondary processor sends a restart signal to the primary processor via its respective connection 110a or 110b within a predetermined period. This restart signal restarts the respective watchdog timer, and as a result the primary processor 101 can ascertain that the respective secondary processor is functioning normally.

[0022] In the event of a fault in one of the secondary processors 102a, 102b, for example a single event upset or single event latch-up, the secondary processor will not send the restart signal within the required time period. Once the time period has elapsed, the watchdog running in the primary processor 101 corresponding to that secondary processor times out. In response to this time out, the primary processor instigates one or more corrective actions.

[0023] In this example, the primary processor 101 sends a power supply reset signal via connection 112a or 112b to the power supply unit 104a or 104b which powers the secondary processor that has encountered the fault. This reset signal may cause either or both of a software reset of the secondary processor and a power cycle of the power supply unit.

[0024] Thereafter, the fault should be cleared from the secondary processor 102a, 102b, which can then recommence normal operations.

[0025] In this example, primary processor 101 is assigned to a design assurance group 106. This group 106 should have the highest design assurance level in the system, generally C or higher per DO-178C, Software Considerations in Airborne Systems and Equipment Certification, published by RTCA, Incorporated. The secondary processors 102a and 102b, by contrast, are assigned respectively to design assurance groups 108a and 108b. These design assurance groups are not higher in assurance level than design assurance group 106. Each design assurance group may contain a plurality of secondary processors, all having the same design assurance level. In this example, design assurance group 108a has design assurance level C, whereas design assurance group 108b has design assurance level E.

[0026] Figure 2 shows a flow diagram illustrating a method of using the multi-processor system in Figure 1. In a first step, 202, a watchdog timer is operated for each secondary processor. These watchdog timers are operated by the primary processor.

[0027] Next, in step 204, a check is made as to whether a watchdog timer has timed out. If no watchdog timer has timed out, the method returns to step 204, looping until one of the watchdog timers times out.

[0028] Once a time out has been detected, the method moves to step 206, wherein the secondary processor associated with the timed out watchdog timer is identified. Subsequently, in step 208, the identified secondary processor is reset, and the method returns to step 204 to monitor for a timed out watchdog timer.
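The supervisor loop of steps 202 to 208, as an added example that is not part of the patent's own disclosure: a C model of the watchdog logic the primary processor 101 would run for secondaries 102a and 102b. The tick-based timing, the `sup_*` names and the PSU power-cycle hook are assumptions for illustration; on real hardware the hook would drive reset lines 112a/112b. The example also covers the shared power supply grouping of [0011]: cycling one PSU restarts every secondary on it, so the supervisor re-arms all of their timers rather than letting healthy siblings in the same group time out while their power is off. One design point worth making explicit: the restart signal must be produced by software executing on the secondary, because a free-running hardware output would keep restarting the timer through an SEU or SEL and defeat the detection.

```c
/* Added example, not from the patent: watchdog supervision as the primary
 * logic device 101 of Figure 1 might implement it for secondaries 102a/102b.
 * Names, the tick-based timing and the PSU hook are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SECONDARIES 8
#define MAX_PSUS        4

typedef struct {
    bool     present;
    uint8_t  psu;           /* index of the PSU (104a/104b) feeding this device */
    uint32_t period_ticks;  /* longest allowed gap between restart signals */
    uint32_t deadline;      /* tick at which this watchdog times out */
} secondary_t;

typedef struct {
    secondary_t dev[MAX_SECONDARIES];
    uint32_t    now;                   /* monotonic tick counter on the primary */
    uint32_t    psu_cycles[MAX_PSUS];  /* power cycles issued per PSU */
} supervisor_t;

void sup_init(supervisor_t *s) { memset(s, 0, sizeof *s); }

/* Step 202: start a watchdog for one secondary, noting which PSU powers it. */
bool sup_add(supervisor_t *s, unsigned id, uint8_t psu, uint32_t period_ticks) {
    if (id >= MAX_SECONDARIES || psu >= MAX_PSUS || period_ticks == 0) return false;
    s->dev[id] = (secondary_t){ .present = true, .psu = psu,
                                .period_ticks = period_ticks,
                                .deadline = s->now + period_ticks };
    return true;
}

/* Restart signal received over connection 110a/110b: re-arm that timer only.
 * The signal must come from software running on the secondary; a free-running
 * hardware output would keep restarting the timer through an SEU or SEL. */
bool sup_restart(supervisor_t *s, unsigned id) {
    if (id >= MAX_SECONDARIES || !s->dev[id].present) return false;
    s->dev[id].deadline = s->now + s->dev[id].period_ticks;
    return true;
}

/* Hypothetical hardware hook for reset line 112a/112b: cycle one PSU. Every
 * secondary on that PSU restarts, so all of their timers are re-armed;
 * otherwise healthy siblings in the same design assurance group would time
 * out while their power is off. */
static void psu_power_cycle(supervisor_t *s, uint8_t psu) {
    s->psu_cycles[psu]++;
    for (unsigned i = 0; i < MAX_SECONDARIES; i++)
        if (s->dev[i].present && s->dev[i].psu == psu)
            s->dev[i].deadline = s->now + s->dev[i].period_ticks;
}

/* One tick on the primary: steps 204 (detect), 206 (identify), 208 (reset).
 * Returns a bitmask of the secondaries whose watchdog timed out this tick. */
uint32_t sup_tick(supervisor_t *s) {
    uint32_t timed_out = 0, cycled = 0;
    s->now++;
    for (unsigned i = 0; i < MAX_SECONDARIES; i++)
        if (s->dev[i].present && (int32_t)(s->now - s->dev[i].deadline) >= 0)
            timed_out |= 1u << i;               /* wrap-safe "now >= deadline" */
    for (unsigned i = 0; i < MAX_SECONDARIES; i++) {
        if (!(timed_out & (1u << i))) continue;
        uint8_t psu = s->dev[i].psu;
        if (!(cycled & (1u << psu))) {          /* one cycle per PSU per tick */
            psu_power_cycle(s, psu);
            cycled |= 1u << psu;
        }
    }
    return timed_out;
}

/* Constructed scenario: three secondaries, period 5 ticks. Device 0 (own PSU)
 * and device 2 (sharing PSU 1 with device 1) keep sending restart signals;
 * device 1 falls silent, as after an SEL. Returns the tick of the first timeout. */
uint32_t run_demo(supervisor_t *s) {
    sup_init(s);
    sup_add(s, 0, 0, 5);
    sup_add(s, 1, 1, 5);
    sup_add(s, 2, 1, 5);
    for (uint32_t tick = 1; tick <= 20; tick++) {
        uint32_t mask = sup_tick(s);
        if (mask) return tick;   /* mask == 0x2: only device 1 is identified */
        sup_restart(s, 0);
        sup_restart(s, 2);
    }
    return 0;
}

int main(void) {
    supervisor_t s;
    uint32_t at = run_demo(&s);
    printf("first timeout at tick %u; PSU 1 cycled %u time(s); device 2 re-armed to tick %u\n",
           at, s.psu_cycles[1], s.dev[2].deadline);
    return 0;
}
```

In the scenario, device 1 is identified at tick 5, PSU 1 is cycled once, and device 2, which was healthy but shares PSU 1, has its deadline moved out to tick 10 instead of timing out during the power cycle; device 0 on PSU 0 is untouched.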

[0029] While the disclosure has been described in conjunction with the exemplary embodiments described above, many equivalent modifications and variations will be apparent to those skilled in the art when given this disclosure. Accordingly, the exemplary embodiments set forth above are considered to be illustrative and not limiting. Various changes to the described embodiments may be made without departing from the scope of the disclosure defined in the following claims.


Claims

1. A multi-logic device system (100), comprising:

a primary logic device (101), said primary logic device being more resilient to single event effects;

one or more secondary logic devices (102a, 102b), having power supply units (104a, 104b), said one or more secondary logic devices being more susceptible to single event effects;

wherein the primary logic device is configured to run, for each secondary logic device, a respective watchdog timer, wherein each watchdog timer is restarted upon receipt of a restart signal from the respective secondary logic device; and

wherein the primary logic device is configured, in response to a watchdog timer timing out, to identify and reset the secondary logic device corresponding to the timed out watchdog timer.


 
2. The multi-logic device system of claim 1, wherein the single event effects include single event latch-ups and single event upsets.
 
3. The multi-logic device system of either claim 1 or claim 2, wherein resetting the identified secondary logic device includes performing a power cycle of the respective power supply unit.
 
4. The multi-logic device system of any preceding claim, wherein there is a plurality of secondary logic devices, grouped by design assurance level, wherein secondary logic devices having the same design assurance level share a same power supply unit.
 
5. The multi-logic device system of any preceding claim, wherein each power supply unit includes a power supply short circuit protection unit.
 
6. The multi-logic device system of any preceding claim, wherein each secondary logic device includes logic elements with a size of no more than 70 nm.
 
7. The multi-logic device system of any preceding claim, wherein the primary logic device is hardened to single event effects.
 
8. An electronic engine controller, including the multi-logic device system of any preceding claim.
 
9. A gas turbine engine, including the electronic engine controller of claim 8.
 
10. A method of operating the multi-logic device system of any one of claims 1 - 7, the method comprising the steps of:

operating a respective watchdog timer (202), on the primary logic device, for each of the secondary logic devices, each watchdog timer being restarted upon receipt of a restart signal from the respective secondary logic device;

using the primary logic device to detect a time out event of a watchdog timer (204), and identify the secondary logic device corresponding to the timed out watchdog timer (206); and

using the primary logic device to reset the secondary logic device corresponding to the timed out watchdog timer (208).


 



