TMR Operation - 1.0 English

MicroBlaze Triple Modular Redundancy (TMR) Subsystem (PG268)

Document ID: PG268
Release Date: 2022-04-28
Version: 1.0 English

The basic voting functionality works without any control or maintenance, but the FS comparison needs to keep track of which MicroBlaze subsystem is considered faulty. This is handled by the TMR Manager IP core. A state machine is also needed to handle recovery of a faulty MicroBlaze sub-block to a healthy status when executing in FS mode.

Voting (FT-mode) – All three MicroBlaze sub-blocks are healthy.

Lockstep (FS-mode) – Two MicroBlaze sub-blocks are healthy.

Fatal (Stop) – The subsystem has detected an unrecoverable error and is stopped.

The following figure illustrates the three states of the TMR MicroBlaze subsystem.

Figure 2-5: Fault Tolerance State Transition Diagram

The TMR Manager is also triplicated with one instance in each MicroBlaze subsystem. The TMR Manager implements a voting scheme for all its internal registers and all outputs.
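
The three states described above can be modelled in software as a 2-of-3 voter that records which sub-block it outvoted. This is an added behavioural sketch, not code from PG268 or the TMR Manager IP. The names (`tmr_model_t`, `tmr_step`, `tmr_recover`) are hypothetical, and the transition rules are assumptions: one disagreeing sub-block moves Voting to Lockstep, a mismatch with no majority moves to Fatal, and recovery returns Lockstep to Voting.

```c
#include <stdint.h>
#include <stdio.h>
/* Behavioural model: state names follow the text; the transition
 * rules are assumptions, since the state diagram is not reproduced. */
typedef enum { TMR_VOTING, TMR_LOCKSTEP, TMR_FATAL } tmr_state_t;

typedef struct {
    tmr_state_t state;
    int faulty;               /* sub-block 0..2 marked faulty, -1 if none */
} tmr_model_t;
void tmr_init(tmr_model_t *m) { m->state = TMR_VOTING; m->faulty = -1; }
/* One comparison cycle over the three sub-block outputs. Returns 1 and
 * writes *out when a trusted value exists, 0 when the model is stopped. */
int tmr_step(tmr_model_t *m, const uint32_t v[3], uint32_t *out)
{
    if (m->state == TMR_FATAL) return 0;
    if (m->state == TMR_VOTING) {
        int ab = v[0] == v[1], ac = v[0] == v[2], bc = v[1] == v[2];
        if (!ab && !ac && !bc) { m->state = TMR_FATAL; return 0; }
        if (!(ab && ac)) {    /* exactly one pair agrees: mark the odd one out */
            m->faulty = ab ? 2 : (ac ? 1 : 0);
            m->state = TMR_LOCKSTEP;
        }
        *out = bc ? v[1] : v[0];   /* majority value */
        return 1;
    }
    /* TMR_LOCKSTEP: compare only the two sub-blocks still considered healthy */
    int a = (m->faulty + 1) % 3, b = (m->faulty + 2) % 3;
    if (v[a] != v[b]) { m->state = TMR_FATAL; return 0; }
    *out = v[a];
    return 1;
}

/* Recovery is only meaningful in lockstep: clear the mark, resume voting. */
int tmr_recover(tmr_model_t *m)
{
    if (m->state != TMR_LOCKSTEP) return 0;
    m->faulty = -1; m->state = TMR_VOTING;
    return 1;
}

int main(void)
{
    tmr_model_t m; uint32_t out = 0, fault[3] = {7, 9, 7};  /* constructed */
    tmr_init(&m);
    tmr_step(&m, fault, &out);
    printf("out=%u state=%d faulty=%d\n", (unsigned)out, m.state, m.faulty);
    return 0;
}
```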