UltraSoC launches “any processor” lockstep solution for safety-critical systems

UltraSoC has launched the Lockstep Monitor, a hardware-based, scalable solution that supports functional safety by checking that the cores at the heart of a critical system are operating reliably, safely and securely.

UltraSoC’s flexible IP supports all common lockstep/redundancy architectures, including full dual-redundant lockstep, split/lock, master/checker, and voting with any number of cores or subsystems.

The Lockstep Monitor can support any processor architecture or other subsystem, including custom logic or accelerators. Lockstep operation is a common mechanism for meeting safety standards such as ISO 26262 for automotive, IEC 61508, EN 50126/8/9 and CE 402/2013.

The Monitor consists of a set of configurable semiconductor IP (SIP) blocks that are protocol aware and can be used to cross-check outputs, bus transactions, code execution and even register states, between two or more redundant systems. It can be used with any processor architecture, including those – such as the emerging RISC-V architecture – which lack native support for lockstep configurations. In addition to traditional processor cores, it can also check other subsystems or accelerators. Because it is implemented in hardware, it responds at wire speed and imposes no execution overhead on the host system.

Unlike more traditional approaches, the Lockstep Monitor includes flexible, run-time configurable embedded intelligence, allowing the SoC designer to tailor the monitoring and response system precisely to the application.

Monitoring can be implemented at a variety of levels of granularity: at the subsystem level (comparing the outputs of the two processors); at the transaction level (for example comparing bus traffic); at the instruction level, using UltraSoC’s advanced instruction trace capability; and at the most fundamental hardware-level, checking processor internal states or register contents.

By embedding intelligence in the system, UltraSoC also allows more sophisticated comparisons between the operation of the lockstep processors than can be achieved with traditional solutions.

RISC-V is gaining increasing traction in safety-critical applications, particularly in the automotive industry. However, the RISC-V ecosystem lacks native support for the functional safety and security mechanisms, such as lockstep operation, that are commonly used to meet global standards such as ISO 26262 for functional safety, SAE J3061 for cybersecurity, IEC 61508, EN 50126/8/9 and CE 402/2013.

UltraSoC’s Lockstep Monitor allows any RISC-V system, whether using open source or commercial cores, to incorporate sophisticated safety capabilities.

Lockstep systems employ two or more processor subsystems running the same code in a redundant configuration. The cores may be clock-cycle synchronised, or offset by a small number of cycles (delayed lockstep), an arrangement that prevents a single transient disturbance in the surrounding system, such as a clock or power glitch, from corrupting both cores identically and going undetected. The outputs, code execution or bus traffic from the subsystems are compared and, if the results differ, an error can be signalled. Lockstep systems with two processors are typically configured in a ‘master/checker’ arrangement; those with more than two processors may use ‘voting’ or other redundancy schemes.

More sophisticated “split/lock” processor arrangements may allow the lockstep function to be dynamically engaged and disengaged, allowing the cores to run in redundant mode or to run different code for higher performance.
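To make the comparison schemes described above concrete (cycle-level monitoring of PC and bus values, delayed master/checker lockstep, and majority voting across three or more cores), here is a small software model of a lockstep comparator. It is an added illustration written for this page, not UltraSoC's IP or any vendor code; the sample format (a PC plus one bus value per cycle), the maximum skew of 8 cycles, and the injected faults in the demos are all assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SKEW 8   /* assumed upper bound on the cycle offset between cores */

/* One observation of a core per cycle: the PC it retired and the value it drove
 * onto the bus. A real monitor compares more (register state, trace packets). */
typedef struct { uint32_t pc; uint32_t data; } sample_t;

static bool same(sample_t a, sample_t b) { return a.pc == b.pc && a.data == b.data; }

/* Master/checker comparator with a configurable delay ("delayed lockstep").
 * The checker runs 'skew' cycles behind the master, so a transient glitch that
 * hits both cores at once corrupts different instructions and is still caught. */
typedef struct {
    unsigned skew;
    sample_t ring[MAX_SKEW + 1];  /* master samples awaiting their checker twin */
    unsigned cycle;               /* cycles observed so far */
    long first_mismatch;          /* checker cycle of first divergence, -1 if none */
} lockstep_t;

void lockstep_init(lockstep_t *ls, unsigned skew) {
    memset(ls, 0, sizeof *ls);
    ls->skew = skew > MAX_SKEW ? MAX_SKEW : skew;
    ls->first_mismatch = -1;
}

/* Feed one cycle. 'master' is the master's output this cycle; 'checker' is the
 * checker's output this cycle, which should equal the master's output from
 * 'skew' cycles ago. Checker output is ignored during the first 'skew' cycles,
 * before it has caught up. Returns false on any cycle where a divergence is seen. */
bool lockstep_step(lockstep_t *ls, sample_t master, sample_t checker) {
    unsigned depth = ls->skew + 1;
    bool ok = true;
    ls->ring[ls->cycle % depth] = master;             /* write, then read back */
    if (ls->cycle >= ls->skew) {
        sample_t expect = ls->ring[(ls->cycle - ls->skew) % depth];
        if (!same(expect, checker)) {
            ok = false;
            if (ls->first_mismatch < 0) ls->first_mismatch = (long)ls->cycle;
        }
    }
    ls->cycle++;
    return ok;
}

/* Majority voter over n redundant cores (n odd, n >= 3). Stores the majority
 * sample in *out and returns how many cores dissented from it, or -1 when no
 * value has a strict majority (the fault is detected but cannot be masked). */
int vote(const sample_t *s, unsigned n, sample_t *out) {
    for (unsigned i = 0; i < n; i++) {
        unsigned agree = 0;
        for (unsigned j = 0; j < n; j++)
            if (same(s[i], s[j])) agree++;
        if (2 * agree > n) { *out = s[i]; return (int)(n - agree); }
    }
    return -1;
}

/* Constructed demo: 8-cycle trace, checker 2 cycles behind the master, one bit of
 * the checker's bus value flipped at cycle 6. Returns the cycle first flagged. */
long demo_delayed_lockstep(void) {
    enum { CYCLES = 8, SKEW = 2 };
    sample_t trace[CYCLES];
    for (unsigned i = 0; i < CYCLES; i++) {
        trace[i].pc = 0x1000u + 4u * i;
        trace[i].data = 7u * i;
    }
    lockstep_t ls;
    lockstep_init(&ls, SKEW);
    for (unsigned c = 0; c < CYCLES; c++) {
        sample_t chk = { 0, 0 };
        if (c >= SKEW) chk = trace[c - SKEW];          /* checker lags by SKEW */
        if (c == 6) chk.data ^= 0x10u;                 /* injected single-event upset */
        lockstep_step(&ls, trace[c], chk);
    }
    return ls.first_mismatch;
}

/* Constructed demo: triple modular redundancy with core 1's PC corrupted.
 * Returns the number of dissenting cores if the majority value is recoverable. */
int demo_tmr_vote(void) {
    sample_t s[3] = { {0x2000u, 42u}, {0x2000u, 42u}, {0x2000u, 42u} };
    sample_t out = { 0, 0 };
    s[1].pc ^= 0x4u;                                   /* injected fault in core 1 */
    int dissent = vote(s, 3, &out);
    return (out.pc == 0x2000u && out.data == 42u) ? dissent : -2;
}

/* Constructed demo: three cores that all disagree, so no majority exists. */
int demo_no_majority(void) {
    sample_t s[3] = { {1u, 1u}, {2u, 2u}, {3u, 3u} };
    sample_t out = { 0, 0 };
    return vote(s, 3, &out);
}

int main(void) {
    printf("delayed lockstep: first mismatch at cycle %ld\n", demo_delayed_lockstep());
    printf("TMR vote: %d dissenting core(s)\n", demo_tmr_vote());
    printf("no majority: %d\n", demo_no_majority());
    return 0;
}
```

The ring buffer is the essential part of the delayed-lockstep case: the comparator must hold the master's outputs for exactly the skew and compare each checker output against the right historical sample, otherwise every cycle looks like a mismatch. The voter also shows why a two-core master/checker pair can only signal an error, whereas three or more cores can both detect and mask a single faulty core.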