FIELD OF THE INVENTION
The invention relates to the field of hardening techniques of
electronic circuits, more particularly to logical hardening techniques using
modular redundancy.
5
PRIOR ART
The majority of electronic components of electronic circuits is
sensitive to electromagnetic radiation which can generate Single Event
Transient.
10 Triple modular redundancy (TMR) is a logical hardening technique
consisting of introducing redundancy to an electronic circuit at the design
stage.
In reference to figure 1, a module M ensuring a given function is
replaced according to this technique by a TMR bloc comprising three
15 identical modules M in parallel performing the same function, and an
arbiter placed at their respective outputs. The arbiter forms a majority vote
from the output signals of the three replicated modules and produces a
non–ambiguous output signal by means of the odd number of these
modules. This output signal is correct even if one of the three modules is
20 faulty, which can constitute sufficient efficacy in many practical cases. The
occurrence of several simultaneous faults however will produce incorrect
output.
A first category of logical hardening techniques proposes selecting
in a complex circuit without redundancy sub–circuits particularly sensitive
25 to faults and replacing each sub–circuit identified by a TMR block ensuring
the same function. These are STMR techniques, “Selective TMR”, as
some parts of the circuit are not replicated.
STMR techniques however are not adapted to circuits requiring a
very high level of reliability, such as for example circuits potentially
30 integrated into electrical control–command equipment of nuclear power
plants.
Another category of logical hardening techniques via partitioning
proposes inserting extra arbiters into a circuit already forming a TMR block
on a series of N modules M1, …, MN in its entirety. The insertion of
35 arbiters divides the circuit into partitions each comprising one arbiter. The
3
single fault restriction mentioned previously is limited to each partition. So
if there are J partitions C1, …, Cj the circuit can be tolerant up to J
simultaneous faults, provided there is no more than one fault per partition.
Yet, arbiters with majority vote are particularly heavy components,
as they require a high level of internal reliability. Consequently, hardenin5 g
by partitioning therefore causes a substantial increase in manufacturing
costs and an increase in the surface of the circuit.
PRESENTATION OF INVENTION
10 The invention proposes a hardening technique by partitioning
optimising the number of arbiters inserted to ensure a level of reliability
determined for the circuit without as such engendering an excessive
increase in manufacturing costs or excessively increasing the surface of
the circuit.
15
This aim is attained by a logical hardening method by partitioning of
an electronic circuit comprising an odd number K of branches in parallel
connected to the same primary input I and each comprising the same
series of N modules and N–1 nodes joining two consecutive modules, the
20 K branches together forming a succession of N–1 gates constituted
respectively by K nodes in parallel, and a primary arbiter forming a
majority vote from the output signals of the K branches, the method being
characterized in that it comprises the following steps repeated for each of
the gates taken successively from the gate closest to the primary input:
25 – Determination of reliability of a sub–circuit upstream of the gate
constituted by the portions of the K branches comprises between
the primary input and the gate, and
– Insertion of at least one arbiter at the gate forming a majority vote
from the output signals of said portions of branches constituting
30 the scanned sub–circuit, and delivering at least one majority
signal to the respective inputs of a complementary sub–circuit
constituted by the portions of branches downstream from the
gate, if the reliability of the scanned sub–circuit is less than a
reliability set point.
4
An advantage of the present invention is the reduction in
manufacturing costs. Another advantage of the present invention is that it
can easily be automated.
Advantageously, the insertion step of at least one arbiter comprises
insertion of an arbiter delivering a single majority signal to the respectiv5 e
inputs of the complementary sub–circuit. As a variant, the insertion step of
at least one arbiter comprises the insertion of K arbiters in parallel each
delivering a majority signal to one of the respective inputs of the
complementary sub–circuit.
10 In addition, the invention relates to a computer program product
comprising code instructions for execution of the hardening method
described previously, when this program product is executed by data–
processing means.
15 DESCRIPTION OF FIGURES
Figure 1 illustrates a circuit comprising a module protected by triple
modular redundancy.
Figure 2 illustrates a circuit comprising a series of four modules,
protected by triple modular redundancy.
20 Figure 3 illustrates an example of a circuit resulting from hardening
by partitioning applied to the circuit of figure 2.
Figures 4A, 4B and 4C show the evolution of the reliability of a
circuit as a function of the number of gates it contains.
Figure 5 is a diagram of steps of the hardening method by
25 partitioning according to the invention.
Figures 6A and 6B show two embodiments of arbiters inserted
during the method according to the invention.
DETAILED DESCRIPTION OF INVENTION
30 An initial circuit prior to logical hardening by partitioning will first be
described in detail.
The circuit comprises an odd number K of main branches in parallel
connected to the same primary input I, as per the known technique of
modular order redundancy K.
5
The K branches each comprise the same series of N modules Mi, iε
[[1, N]], M1 being the module closest to the primary input I of the circuit and
MN the module the farthest away from the latter.
The series of N modules produces the overall logical function of the
circuit. Each of the modules of this series is a sub–circuit itself ensuring 5 a
logical sub–function and comprises an input and an output. A module can
therefore be complex or can ensure a logical elementary function, such as
for example an inverter.
Each branch also comprises N–1 nodes ensuring the connection
10 between two consecutive modules. By way of convention, gate pi of level i
will be called all the parallel K nodes of the circuit making each connection
between a module Mi and its successor Mi+1 in a specific branch. The
circuit therefore comprises N–1 gates pi,iε [[1,N–1]].
A primary arbiter VN is placed at the output of the K branches, more
15 precisely at the output of the last K modules MN of each branch. In this
way, this arbiter VN forms a majority vote from the output signals of the K
branches and delivers a majority signal to at least one primary output O.
Figure 2 is an example of a circuit according to the previous
description where the number of branches K is 3 and the number N of
20 modules is 4: in this circuit, the arbiter V4 is placed at the output of 3
branches each comprising a series of four modules M1, M2, M3 and M4 and
three gates p1, p2 and p3 interposed between two consecutive modules;
each of these gates comprises three nodes located on a separate branch.
Figure 3 illustrates the circuit of figure 2 after an example of
25 partitioning according to the invention. Arbiters have been inserted into
this circuit at gates p1 and p2, but not at gate p3. In this way, the resulting
circuit comprises three partitions C1, C2 and C3.
A measuring unit representative of the reliability of a circuit is the
30 probability of a correct signal at its output. Throughout the present
document, the term “reliability” will therefore designate this measuring unit.
Several methods for measuring reliability known from of the prior art: for
example, the SPR method presented in the document “SPR Tool : Signal
Reliability Analysis of Logic Circuits” by Franco et al., or again the PTM
35 method exploiting transfer matrices.
6
Figure 4A shows the evolution of the reliability of a signal as a
function of the number of gates in a non–partitioned circuit. In general, it is
evident that the more gates a circuit has (in other terms, a large number of
modules) the lower the reliability of the signal at output of this circuit.
However, when an arbiter of majority vote is inserted at a gate, 5 the
reliability of the signal at this gate rises because of the majority vote
formed by the inserted arbiter. Figure 4B schematically illustrates the
reliability curve of the same circuit after insertion of an arbiter at the gate
p5.
10 In the same way, figure 4C schematically illustrates the curve of
reliability of the same circuit after insertion of arbiters at the gates p5, p9
and p12.
Because of these arbiters, the reliability of the circuit is kept greater
than a value Rmin.
15 The hardening method according to the invention will now be
described. Let Rmin be a minimal reliability set point to be respected for a
non–partitioned circuit. The aim here is to obtain a partitioned circuit
whereof the reliability of the signal measured at its primary output O is
greater than or equal to this set point Rmin.
20 In the method according to the invention, the gates of a circuit are
scanned successively from upstream to downstream, that is, from the gate
p1 closest to the primary input I to the gate pN–1 farthest from the latter.
This first takes therefore at the closest gate p1.
In reference to the diagram of figure 5, reliability R1 of the sub–
25 circuit between the primary input I and the gate p1 is determined in a first
step FIA constituted by K portions of parallel branches, each comprising
the same module M1.
The determined reliability R1 is then compared COMP to the
reliability set point Rmin:
30 – If R1 ≥ Rmin then the sub–circuit upstream of the gate pi
comprising K modules M1 is considered reliable (OK);
– If R1 < Rmin then the sub–circuit upstream of the gate pi
comprising K modules M1 (KO) is considered as being
35 insufficiently reliable and in this case insertion INS of at least one
7
arbiter V is done at the gate p1. The at least one inserted arbiter
V creates a majority vote of the output signals of the K modules
M1 and delivers a majority signal of reliability greater than R1 at
input of the K modules M2.
The steps illustrated in the diagram of figure 5 are repeated fo5 r
each of the N–1 gates of the circuit described previously.
In general in any gate pi, the sub–circuit upstream of the gate pi
comprises K portions of parallel branches each comprising a series of i
10 modules M1, …, Mi, and the complementary sub–circuit downstream from
the gate p1 comprises K portions of parallel branches each comprising a
series of N–i modules Mi+1, …, MN.
During step FIA the reliability Ri of the sub–circuit upstream of the
gate pi is determined.
15 The determined reliability R1 is then compared COMP to the
reliability set point Rmin:
– If Ri ≥ Rmin then the sub–circuit upstream of the gate pi is
considered reliable (OK);
The level i of the gate pi is then verified in a test DER.
20 – If i < N - 1, this takes place at the following downstream gate
pi+i.
– If i = N - 1, all the gates have been scanned and the method
terminates (FIN);
– If Ri < Rmin then the sub–circuit upstream of the gate pi is
25 considered insufficiently reliable (KO) and in this case insertion
INS of at least one arbiter V is performed at the gate pi. The at
least one inserted arbiter V forms a majority vote of the output
signals of the K portions of branches of the sub–circuit upstream
of the gate pi (whereof the last module is Mi) and delivers a
30 majority signal of reliability greater than Rmin at input of the K
portions of branches of the complementary downstream circuit
(whereof the first module is Mi+i).
Once all the gates are scanned, J arbiters have been inserted into J
35 gates of the circuit, where 0 ≤ J ≤ N - 1, in addition to the primary arbiter
8
VN. The resulting circuit comprises J+1 partitions (C1, …, Cj+1) each
comprising a sub–circuit constituted by K portions of the branches in
parallel and an arbiter V inserted at the output of said portions. In the
circuit illustrated in figure 3, two arbiters V have been inserted in addition
to the primary arbiter V4, with the resulting circuit comprising 5 three
partitions C1, C2, C3.
The method consequently introduces a number of minimal partitions
to the initial circuit to produce a resulting circuit having reliability of at least
Rmin.
10 It is known from the prior art that theoretical partitioning of a circuit
creating a gain in maximum reliability is partitioning whereof the partitions
all have equal reliability. But surprisingly, the method according to the
invention gives results very close to this optimum despite its simplicity.
15 The insertion step INS can form the object of several variants.
In a first embodiment illustrated by figure 6A, the insertion step
executed at the gate pi comprises insertion of a single arbiter delivering a
single majority signal to the respective inputs of the sub–circuit
downstream from the gate pi whereof the first module on each branch is
20 Mi+1.
The advantage of this embodiment is its economical character: at
any given gate a single arbiter component is in fact necessary and a single
majority vote is formed during operation of the circuit.
As a variant illustrated in figure 6B, the insertion step executed at
25 gate pi comprises insertion of K arbiters in parallel, each delivering a
majority signal to one of the respective inputs of the sub–circuit
downstream from the gate p, whereof the first module is Mi+1.
This variant further improves the reliability of the circuit as it
eliminates any malfunction of a minority of K arbiters, such as for example
30 the case K = 3 (triple modular redundancy). If one of the 3 arbiters V
placed at gate pi undergoes malfunction it generates an erroneous
majority signal which will be sent to only one of the K branches of the sub–
circuit downstream from the gate pi. The following arbiter, the primary
arbiter VN, if needed could eliminate this error in turn by forming a majority
35 vote.
9
It is evident that the circuit of particular topology on which the
hardening method presented in this document is applied can be a portion
of a circuit of free topology, this portion defining a signal path between a
primary input I and a primary output O.
In other words, the hardening method can be repeated on each 5 of
the i * j sub–circuits defining a signal path in a circuit comprising i primary
inputs and j primary outputs.

I/We Claim:
1. A logic hardening method by partitioning of an electronic circuit
comprising:
– an odd number K of branches in parallel connected to the 5 same
primary input (I) and each comprising the same series of N
modules (M1, …, MN) and N–1 nodes joining two consecutive
modules, the K branches together forming a succession of N–1
gates (pi, …, pN–1) constituted respectively by K nodes in parallel,
10 and
– a primary arbiter (VN) forming a majority vote from the output
signals of the K branches,
the method being characterized in that it comprises the following
steps repeated for each of the gates (p1, … , pi … , pN–1) taken
15 successively from the closest gate (p1) to the primary input (I):
– determination (FIA) of reliability Ri of a sub–circuit upstream of
the gate (pi) constituted by the portions of the K branches located
between the primary input and the gate (pi),
– insertion (INS) of at least one arbiter (Vi) at the gate (pi)
20 performing a majority vote from the output signals of said
portions of branches constituting the scanned sub–circuit, and
delivering at least one majority signal to the respective inputs of a
complementary sub–circuit constituted by the portions of
branches downstream from the gate (pi), if the reliability Ri of the
25 scanned sub–circuit is less than a reliability set point Rmin.
2. The hardening method according to claim 1, wherein the
insertion step of at least one arbiter comprises the insertion of an arbiter
delivering a single majority signal to the respective inputs of the
30 complementary sub–circuit.
3. The hardening method according to one of claims 1 to 2,
wherein the insertion step of at least one arbiter comprises insertion of K
arbiters in parallel each delivering a majority signal to one of the
35 respective inputs of the complementary sub–circuit.
11
4. A computer program product comprising code instructions for
execution of the method according to one of claims 1 to 3, when this
program product is executed by data–processing means.