14.3. Logic protection

The processor logic can be protected by a second, redundant processor that is an exact copy of the first. Both processors share the same ECC-protected RAMs and the same input pins. The second processor runs two clock cycles behind the first, so that the redundant pair can detect glitches in the inputs.

The outputs of the two processors are compared on every cycle to detect any error. The outputs of the first processor are delayed by the same amount so that they are synchronized with the outputs of the second processor. This mechanism relies on the fact that any error occurring in a processor is eventually visible on its outputs, or is inherently a safe failure.

On detection of an error in either processor, both processors are reset and then execute a code sequence that puts them in the same initial state. They can then restart execution from a previously taken snapshot.

The processor provides a template of the logic required for the comparison of the two processors.
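As an added illustration (not Arm's comparison template or any part of the processor design), the following Python model simulates the scheme described above: a primary core, a redundant core whose inputs lag by a configurable number of cycles, the matching delay on the primary core's outputs, and a per-cycle comparator. The toy core function, the input values and the injected bit flip are constructed for the model, and the delay registers are assumed to be fault-free. It shows that a transient hitting only one core is caught with or without the lag, whereas a transient hitting both cores in the same clock cycle is only caught when the lag is non-zero.

```python
from collections import deque

MASK = 0xFFFF  # 16-bit toy state register


def core_step(state, inp):
    """One cycle of a constructed, deterministic toy core."""
    return ((state * 3) ^ inp) & MASK


def run_lockstep(inputs, skew, glitch_cycle=None, glitch_mask=0, hit=("a", "b")):
    """Run core A (primary) and core B (redundant) in lockstep.

    Core B sees each input `skew` cycles after core A; core A's outputs are
    delayed by the same `skew` before the comparator sees them.  At wall-clock
    cycle `glitch_cycle` the bits in `glitch_mask` are flipped in the state of
    every core named in `hit` (a transient fault; the delay lines are assumed
    fault-free).  Returns the first cycle the comparator fires, or None.
    """
    state_a = state_b = 0
    in_delay = deque([0] * skew)    # input pipeline feeding core B
    out_delay = deque([0] * skew)   # output pipeline from core A
    for cycle, inp in enumerate(inputs):
        in_delay.append(inp)
        inp_b = in_delay.popleft()              # the input core B sees now
        state_a = core_step(state_a, inp)
        state_b = core_step(state_b, inp_b)
        if cycle == glitch_cycle:               # inject the transient
            if "a" in hit:
                state_a ^= glitch_mask
            if "b" in hit:
                state_b ^= glitch_mask
        out_delay.append(state_a)
        out_a_delayed = out_delay.popleft()     # core A's output, re-aligned
        if cycle >= skew and out_a_delayed != state_b:
            return cycle                        # comparator fires: error detected
    return None


# Constructed input stream for the demonstration.
INPUTS = [0x1234, 0x0042, 0x00FF, 0x8001, 0x7777, 0x0001, 0x5A5A, 0x0F0F]

if __name__ == "__main__":
    print("no fault, skew 2:       ", run_lockstep(INPUTS, 2))
    print("single-core hit, skew 2:", run_lockstep(INPUTS, 2, 4, 0x0100, ("a",)))
    print("common-mode hit, skew 0:", run_lockstep(INPUTS, 0, 4, 0x0100))
    print("common-mode hit, skew 2:", run_lockstep(INPUTS, 2, 4, 0x0100))
```

With the single-core fault the comparator fires `skew` cycles after the hit, because core A's corrupted output only reaches the comparator after passing through the output delay line.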

Copyright © 2014-2016, 2018 Arm. All rights reserved. ARM DDI 0489F