Field of the Invention
The invention relates to safety critical apparatuses, random access memory testing, and a circuit for random access memory testing in a safety critical system.
Description of the Related Art
In safety critical systems the correct and failure free operation of all system components is essential. Examples of such safety critical systems include aircraft flight control systems, heart pacemakers and elevator safety systems. Elevator safety systems control the safety aspects of elevators, such as elevator operation in various fault situations. It must be possible to apply the elevator brakes, to receive and transmit distress signals, to check for overload, to check whether fire alarms have gone off, and to ensure that the doors open whenever opening is safe for passengers. The elevator safety system may be separate from other non-critical systems such as entertainment, commercials, infotainment or elevator driving functions, for example the serving of elevator cage calls from floors. The safety systems and call servicing systems in elevators may run on physically separate hardware platforms. Elevator safety systems typically gather a large amount of sensor information relating to elevator load, movement, signals from users, signals from safety contacts such as shaft door safety contacts, and the status of various other system components. This implies that elevator safety systems must have a bounded response time for signals received and transmitted between a central processing unit, sensors, safety contacts, control relays and control circuits, which may be further connected to elevator drive motor and door controller circuits.
Safety critical systems are tested and functionally verified extensively. The correct operation of a safety critical system must be verified component by component. Examples of such components are central processing units, memories, message buses and the various peripherals connected to the message bus. Certain security standards govern the safety critical systems in elevators. One example is Programmable Electronic System in Safety Related Applications (PESSRAL). The International Standards Organization (ISO) standard 22201:2009 is applicable to passenger lifts and to goods/passenger lifts used in residential buildings, offices, hospitals, hotels, industrial plants, etc. ISO 22201:2009 covers those aspects that must be addressed when programmable electronic systems are used to carry out electric safety functions for lifts (PESSRAL).
An important aspect in safety critical elevator systems is the correct functioning of memory. Memory cells may be stuck at a certain value, they may fail to transition to another value, or the address decoder that selects memory cell rows or columns for access based on the address lines driven may be faulty entirely or only for certain address ranges. Memory cells may also leak into neighboring memory cells, so that a write to one cell alters its neighbor. Memory faults may cause subtle erroneous behavior in previously well-working applications of the safety critical system, or they may freeze the whole system.
In standard personal computers Random Access Memory (RAM) is often tested at computer power on or reboot. However, this may not be sufficient for safety critical elevator systems. Firstly, safety critical elevator systems remain powered on for extended periods of time and are not rebooted or powered on or off frequently. Secondly, the memory must in any case also be tested while the safety critical system is operational. Therefore, there arises the need to test the memory of the safety critical system while the safety critical system software is executing. It may not be possible to suspend the execution of the system software by the system processor in order to perform a complete memory test. A piecemeal approach, in which the system processor tests the memory in portions, also involves many problems. While a memory area is being tested by the processor, it must be ensured that the memory test code itself does not accidentally write to the area under test. This requires considerable care from the programmer to avoid using machine code instructions that write to the RAM. It may also be necessary to check the machine code generated by a high-level programming language compiler. When the processor is used for memory testing, software and hardware interrupts must be disabled, which disturbs normal operation. The interrupts may not be processed fast enough, which introduces latency into the safety critical system. Memory testing by the processor turns off normal process or thread scheduling, which may cause nondeterministic behavior in the safety critical system. For example, the system might react too slowly to critical signals, monitor critical sensors too slowly, or perform critical computations too slowly or too late. Peripherals communicating with the processor in the safety critical system must always have a certain speed of operation available. Generally, it is very risky to intrude on the functioning of the processor by way of RAM tests run by the processor.
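The fault classes listed above (stuck-at, transition, address decoder and coupling faults) and the piecemeal testing problem are easier to reason about against a concrete test. The following added example is not part of the patent text; it builds a small simulated byte-wide RAM with hooks for injecting each fault class (the `sim_mem_t` structure, its fields and all function names are constructed for this illustration), and runs the standard March C- algorithm over it, either over the whole array at once or window by window with the live contents saved and restored around each window, as a processor-driven piecemeal test would have to do.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MEM_WORDS 64

/* Simulated SRAM with injectable faults (constructed for this example, not real hardware). */
typedef struct {
    uint8_t cell[MEM_WORDS];
    int stuck_addr;             /* -1 = no fault; otherwise this cell always reads stuck_val */
    uint8_t stuck_val;
    int alias_mask;             /* 0 = no fault; address bits the decoder ignores (aliasing) */
    int couple_src, couple_dst; /* -1 = no fault; a write to src also lands in dst */
} sim_mem_t;

static void sim_init(sim_mem_t *m) {
    memset(m->cell, 0xA5, sizeof m->cell);   /* "live" application data */
    m->stuck_addr = -1; m->alias_mask = 0; m->couple_src = -1; m->couple_dst = -1;
}

static int decode(const sim_mem_t *m, int addr) { return addr & ~m->alias_mask; }

static uint8_t sim_read(const sim_mem_t *m, int addr) {
    int a = decode(m, addr);
    return (a == m->stuck_addr) ? m->stuck_val : m->cell[a];
}

static void sim_write(sim_mem_t *m, int addr, uint8_t v) {
    int a = decode(m, addr);
    m->cell[a] = v;
    if (a == m->couple_src) m->cell[m->couple_dst] = v;   /* coupling: bleed into neighbour */
}

/* March C- over the window [lo, hi): {up(w0); up(r0,w1); up(r1,w0); down(r0,w1); down(r1,w0); up(r0)}.
   Returns 1 if the window passes, 0 at the first mismatch. Contents are saved before and
   restored after, so the test can be run piecemeal on a system that is still executing. */
static int march_c_window(sim_mem_t *m, int lo, int hi) {
    uint8_t saved[MEM_WORDS];
    int a, ok = 1;
    for (a = lo; a < hi; a++) saved[a] = sim_read(m, a);
    for (a = lo; a < hi; a++) sim_write(m, a, 0x00);                                   /* up: w0    */
    for (a = lo; a < hi && ok; a++)   { if (sim_read(m, a) != 0x00) ok = 0; sim_write(m, a, 0xFF); } /* up: r0,w1   */
    for (a = lo; a < hi && ok; a++)   { if (sim_read(m, a) != 0xFF) ok = 0; sim_write(m, a, 0x00); } /* up: r1,w0   */
    for (a = hi - 1; a >= lo && ok; a--) { if (sim_read(m, a) != 0x00) ok = 0; sim_write(m, a, 0xFF); } /* down: r0,w1 */
    for (a = hi - 1; a >= lo && ok; a--) { if (sim_read(m, a) != 0xFF) ok = 0; sim_write(m, a, 0x00); } /* down: r1,w0 */
    for (a = lo; a < hi && ok; a++)   if (sim_read(m, a) != 0x00) ok = 0;                             /* up: r0      */
    for (a = lo; a < hi; a++) sim_write(m, a, saved[a]);   /* restore live contents */
    return ok;
}

/* Piecemeal test: the whole array in windows of `window` cells. Returns 1 if every window passes. */
static int march_c_piecewise(sim_mem_t *m, int window) {
    for (int lo = 0; lo < MEM_WORDS; lo += window) {
        int hi = (lo + window > MEM_WORDS) ? MEM_WORDS : lo + window;
        if (!march_c_window(m, lo, hi)) return 0;
    }
    return 1;
}

/* Scenarios: each builds a fresh memory, injects one fault class and reports the test verdict. */
static int scenario_no_fault(void)  { sim_mem_t m; sim_init(&m); return march_c_piecewise(&m, 16); }
static int scenario_stuck_at(void)  { sim_mem_t m; sim_init(&m); m.stuck_addr = 5; m.stuck_val = 0xFF; return march_c_piecewise(&m, 16); }
static int scenario_coupling(void)  { sim_mem_t m; sim_init(&m); m.couple_src = 3; m.couple_dst = 4; return march_c_piecewise(&m, 16); }
/* Decoder ignores address bit 5, so cells 32..63 alias onto 0..31. */
static int scenario_decoder(int window) { sim_mem_t m; sim_init(&m); m.alias_mask = 0x20; return march_c_piecewise(&m, window); }
/* Returns 1 if the live 0xA5 contents survive a full test on a healthy array. */
static int scenario_restore(void) {
    sim_mem_t m; sim_init(&m);
    march_c_window(&m, 0, MEM_WORDS);
    for (int a = 0; a < MEM_WORDS; a++) if (m.cell[a] != 0xA5) return 0;
    return 1;
}

int main(void) {
    printf("healthy array, 16-cell windows : %s\n", scenario_no_fault()   ? "pass" : "FAIL");
    printf("stuck-at cell 5                : %s\n", scenario_stuck_at()   ? "pass" : "FAIL");
    printf("coupling 3->4                  : %s\n", scenario_coupling()   ? "pass" : "FAIL");
    printf("decoder alias, 16-cell windows : %s\n", scenario_decoder(16)  ? "pass" : "FAIL");
    printf("decoder alias, whole array     : %s\n", scenario_decoder(64)  ? "pass" : "FAIL");
    printf("live contents restored         : %s\n", scenario_restore()    ? "yes"  : "NO");
    return 0;
}
```

Two points are worth noticing. The stuck-at and coupling faults are caught even by the windowed test, but the address decoder fault is only caught when the test covers the aliased addresses in one pass: with 16-cell windows, cells 32..47 are written and read back through the same (wrong) decoded cells, so every window looks consistent. A piecemeal processor-driven test therefore needs windows sized to the decoder structure or an additional cross-window address test. The save/restore step in `march_c_window` also only works if nothing else touches the window while the test runs, which is exactly why interrupts and scheduling must be held off, the disturbance the paragraph above describes.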
The use of the processor for RAM testing also involves a further problem. Whenever the memory testing program code, which is part of the safety critical system software, is changed, the whole safety critical system must be tested and its functioning verified with an extensive gamut of tests. The burden of making changes becomes very high for the programmer. The safety critical system must also be re-tested if the software development tools are changed, for example when a new compiler version is introduced.
Therefore, it would be beneficial to implement the memory testing as a separate entity whose correct functioning could be verified separately.