In high-integrity systems, a method of assuring integrity called a self-checking pair is employed. A self-checking pair is a logical grouping of two of the same devices performing the same operation and cross-checking each other to ensure correct operation. In this manner, a single fault on one will be detected by its partner, and the appropriate action can be taken to both recover the fault and ensure the fault does not propagate.

A high-integrity processor is implemented as a self-checking pair with redundant PCI master controllers. However, within each PCI master controller of each half of the self-checking pair, additional features are added beyond those to meet the PCI specification. One is a bus transaction monitor to ensure that a lower-integrity target completes any bus cycle it accepts within a specified time so that processor execution time is not monopolized by a target that fails to complete a bus transaction. Another is a partition time slice execution monitor that ensures a software partition does not initiate or have active bus cycles at the end of its allowed execution window that could affect a follow-on software partition’s ability to complete its function without waiting for the first partition’s bus cycles to complete.
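The two monitors described above can be modelled in software to show what each one flags. The following is an added example, not code from the brief or from Honeywell; the transaction trace, the 32-clock timeout and the partition windows are constructed values chosen for illustration.

```python
# Added example (not from the brief): software model of the two monitors that the
# brief describes inside each PCI master controller. Transaction traces, the
# timeout value and the partition windows below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Transaction:
    partition: str       # software partition that issued the bus cycle
    start: int           # processor clock on which the target accepted the cycle
    end: Optional[int]   # clock on which the target completed it; None = never


@dataclass
class MonitorConfig:
    timeout_clocks: int                      # bus transaction monitor limit (assumed value)
    windows: Dict[str, Tuple[int, int]]      # partition -> (first clock, end clock) of its slice


def check_transactions(txns: List[Transaction], cfg: MonitorConfig):
    """Run both monitors over a trace and return the faults in trace order.

    A fault is (kind, partition, clock). The bus transaction monitor aborts a cycle at
    start + timeout, so from the processor's point of view no cycle lasts longer than that.
    """
    faults = []
    for t in txns:
        # Bus transaction monitor: a target that accepted the cycle must complete it in time.
        deadline = t.start + cfg.timeout_clocks
        if t.end is None or t.end > deadline:
            faults.append(("bus_timeout", t.partition, deadline))
        # Completion clock as the processor sees it (the monitor terminates the cycle at deadline).
        done = deadline if t.end is None else min(t.end, deadline)

        # Partition time slice execution monitor: the cycle must be issued inside the
        # partition's window and must not still be active when the window ends.
        _, slice_end = cfg.windows[t.partition]
        if t.start >= slice_end:
            faults.append(("initiated_after_slice_end", t.partition, t.start))
        elif done > slice_end:          # active on clock slice_end means start <= slice_end < done
            faults.append(("active_at_slice_end", t.partition, slice_end))
    return faults


# Constructed trace: partition P1 owns clocks [0, 100), P2 owns [100, 200).
SAMPLE_CONFIG = MonitorConfig(timeout_clocks=32, windows={"P1": (0, 100), "P2": (100, 200)})
SAMPLE_TRACE = [
    Transaction("P1", 10, 14),      # completes promptly: no fault
    Transaction("P1", 50, None),    # target hangs: aborted at clock 82
    Transaction("P1", 96, 104),     # still active when P1's slice ends at 100
    Transaction("P2", 150, 190),    # 40 clocks > 32-clock limit: aborted at 182
    Transaction("P2", 205, 208),    # issued after P2's slice ended
]

if __name__ == "__main__":
    for fault in check_transactions(SAMPLE_TRACE, SAMPLE_CONFIG):
        print(fault)
```

The hanging transaction at clock 50 is cut off at clock 82, which is why it does not also trip the partition monitor: the timeout bounds how far a misbehaving target can push a cycle toward the end of the slice.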

The clock of a digital ASIC (application-specific integrated circuit) should have a pulse width between 40% and 60% high to ensure proper clocking of the flip-flops used in synchronous logic. Often the clock falls outside these limits because of mismatch in CMOS (complementary metal oxide semiconductor) circuits. In this work, the clock is sent through a current-starved CMOS buffer path. The output of this stage is filtered by a low-pass filter to produce a DC voltage ratiometrically proportional to the duty cycle of the clock. This voltage is compared to a reference signal that represents the desired duty cycle. An analog amplifier compares the two DC signals, adjusting the currents in the current-starved CMOS buffers until the desired duty cycle is achieved.

The time delay through each CMOS buffer used in delay lines is strongly dependent upon the variation of the process, voltage supply, and temperature (PVT). This reduces the accuracy of the delay line for shifting the clock or data signal in time. A circuit used in this work allows the clock to be PVT compensated.

The most tightly coupled and detailed configuration of this system is strict cycle-for-cycle lockstep in which each device is operating off the same clock and performing the same action on each of those clocks. In this way, all results, outputs, and operations can be checked on each clock cycle. The difficulty arises in the synchronization of the primary clock between the devices; generating and aligning the slower, but derivative, internal clocking resources between the devices; and generating, asserting, and negating internal resets between both the devices and the associated clock domains.

The proposed circuit relies on agreement of only the parent clock, and generates derivative clocks without exchanging those derivative clocks between devices, using only the parent-associated reset. The parent clocks of the two devices have a known relationship; resets are applied to both devices and can be negated without regard to alignment. Both devices wait until the local device and its partner are out of reset, which they learn by exchanging the parent resets synchronously. The local device can then use the exchanged reset to generate aligned derivative clocks.
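A clock-by-clock model makes the alignment mechanism concrete. The following is an added example, not code from the brief or its authors: two devices share a parent clock, each has its own reset negated on a different parent clock, and each generates a divide-by-N derivative clock only once both its own and its partner's reset, as carried through the synchronous exchange, are negated. The one-parent-clock exchange latency, the divide ratio and the reset release times are assumptions of the model; the `use_exchanged_local` switch contrasts using the registered copy of the local reset (equal latency on both paths) with using the raw local reset.

```python
# Added example (not from the brief): a clock-by-clock model of two lockstep devices
# generating a divide-by-N derivative clock from a shared parent clock after each
# exchanges its parent-domain reset with its partner. The one-parent-clock exchange
# latency and the divide ratio are assumptions made for this model.
from typing import List, Optional, Tuple


def simulate_pair(release_a: int, release_b: int, n_clocks: int, divide: int = 4,
                  use_exchanged_local: bool = True) -> Tuple[Optional[int], Optional[int], int]:
    """Return (start clock of A, start clock of B, number of parent clocks on which the
    two derivative clocks disagree once both are running).

    release_x: parent clock on which device x's own reset is negated. The devices may
    come out of reset on different clocks; what must match is when they start dividing.
    """
    releases = (release_a, release_b)

    def out_of_reset(dev: int, k: int) -> bool:
        return k >= releases[dev]

    start: List[Optional[int]] = [None, None]
    counters = [0, 0]
    deriv: List[List[int]] = [[], []]

    for k in range(n_clocks):
        for dev in (0, 1):
            partner = 1 - dev
            # Partner's reset state as received through the synchronous exchange (one clock late).
            partner_ready = out_of_reset(partner, k - 1)
            # Own reset state: either the same registered copy that was sent to the partner
            # (equal latency on both paths) or the raw local reset.
            own_ready = out_of_reset(dev, k - 1) if use_exchanged_local else out_of_reset(dev, k)
            if partner_ready and own_ready:
                if start[dev] is None:
                    start[dev] = k
                # Divide-by-N: high for the first half of each N-clock period.
                deriv[dev].append(1 if counters[dev] % divide < divide // 2 else 0)
                counters[dev] += 1
            else:
                deriv[dev].append(0)   # held low while in reset

    if start[0] is None or start[1] is None:
        return start[0], start[1], n_clocks     # one side never left reset within the run
    first_common = max(start)
    mismatches = sum(1 for k in range(first_common, n_clocks) if deriv[0][k] != deriv[1][k])
    return start[0], start[1], mismatches


if __name__ == "__main__":
    # Constructed case: A leaves reset on parent clock 3, B on parent clock 7.
    print("exchanged local reset:", simulate_pair(3, 7, 24))
    print("raw local reset:      ", simulate_pair(3, 7, 24, use_exchanged_local=False))
```

With the registered copy of the local reset, both devices begin dividing on the same parent clock even though their resets were negated four clocks apart, so the derivative clocks never disagree. Using the raw local reset lets the later-released device start one clock ahead of its partner, and the divide-by-4 outputs then differ on every other parent clock.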

Clock monitor (CM) logic serves as a window monitor using two independent clock sources to verify the frequency of the system clock. The monitor counts the number of system clocks generated by one clock source within a specified window generated by the other reference clock source, and issues a CM fault whenever an error condition is detected.
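The window check can be modelled with a few lines of arithmetic. The following is an added example, not code from the brief: a reference clock opens a window of a fixed number of reference periods, the monitor counts the system clock edges inside that window and raises a CM fault when the count leaves the expected band. The clock periods, window length and tolerance are constructed values; the brief does not give the actual ones.

```python
# Added example (not from the brief): a model of the clock monitor's window check.
# A reference clock opens a window of W reference periods; the monitor counts the
# system clock edges that fall inside it and flags a CM fault when the count leaves
# the expected band. Periods, window length and tolerance are constructed values.
from typing import List, Optional, Tuple


def edges_in_window(period_ps: Optional[int], start_ps: int, end_ps: int) -> int:
    """Rising edges of a clock with the given period at times t with start <= t < end,
    taking an edge at t = 0. A dead clock (period None) produces no edges."""
    if period_ps is None:
        return 0

    def ceil_div(a: int, b: int) -> int:
        return -(-a // b)

    return ceil_div(end_ps, period_ps) - ceil_div(start_ps, period_ps)


class ClockMonitor:
    def __init__(self, ref_period_ps: int, window_ref_periods: int,
                 nominal_sys_period_ps: int, tolerance_pct: int) -> None:
        self.window_ps = ref_period_ps * window_ref_periods
        self.expected = self.window_ps // nominal_sys_period_ps
        band = self.expected * tolerance_pct // 100
        self.low, self.high = self.expected - band, self.expected + band

    def check(self, count: int) -> bool:
        """True means CM fault: system clock too slow, too fast, or stopped."""
        return not (self.low <= count <= self.high)

    def run(self, sys_periods_per_window: List[Optional[int]]) -> List[Tuple[int, bool]]:
        """Evaluate consecutive windows; element i is the system clock period in effect
        during window i (None = clock stopped). Returns (count, fault) per window."""
        results = []
        for i, period in enumerate(sys_periods_per_window):
            start, end = i * self.window_ps, (i + 1) * self.window_ps
            count = edges_in_window(period, start, end)
            results.append((count, self.check(count)))
        return results


# Constructed scenario: 100 MHz system clock (10 000 ps) checked against a 1 MHz
# reference (1 000 000 ps) over 16-reference-period windows, +/-2 % tolerance.
MONITOR = ClockMonitor(ref_period_ps=1_000_000, window_ref_periods=16,
                       nominal_sys_period_ps=10_000, tolerance_pct=2)
# Per-window system clock period: nominal, nominal, 25 % fast, 3 % slow, stopped.
SCENARIO = [10_000, 10_000, 8_000, 10_300, None]

if __name__ == "__main__":
    print("expected edges per window:", MONITOR.expected, "band:", (MONITOR.low, MONITOR.high))
    for i, (count, fault) in enumerate(MONITOR.run(SCENARIO)):
        print(f"window {i}: {count} edges, fault={fault}")
```

Because the window is timed by the reference source and the count comes from the system clock source, a failure of either clock shows up as a count outside the band; a stopped system clock gives zero edges, and a stopped reference clock never closes the window, which a real implementation would have to bound separately.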

This work was done by Brett Douglas Oliver, Joseph Caltagirone, Christopher Brickner, Mike Bartels, Tom Pruitt, Xiaoxin Feng, Weston Roper, James Douglas Seefeldt, and Kevin Stover of Honeywell for Johnson Space Center. For further information, contact the JSC Technology Transfer Office at (281) 483-3809. MSC-24787-1/71-1/3-1/5-1/7-1