
Dual-Core Lockstep Safety Chip Technologies

Author : AIVON December 30, 2025


Overview

Dual-core lockstep safety chips are widely used in safety systems for automotive and rail traction applications. This article summarizes the technical characteristics of dual-core lockstep safety chips.

 

ISO 26262 Requirements

In automotive functional safety development, ISO 26262-5:2018 includes an appendix that recommends safety measures for achieving high diagnostic coverage at the hardware level. Hardware redundancy techniques are listed as one of the approaches to achieve high diagnostic coverage; typical techniques include dual-core lockstep, asymmetric redundancy, and coded computation.

 

Technical Characteristics

The processor (CPU) is the core of the controller and contains registers, memory, decoders, ALUs, caches, buses, power management, clocking, stacks, and reset circuits. All components must operate within correct timing and operating constraints. CPUs can still fail due to EMC, radiation, clock drift, undervoltage, and other causes that may lead to erroneous control behavior.

A dual-core lockstep CPU is a hardware redundancy approach where a single chip contains two identical processors: a master and a slave. They execute the same code in strict synchronization. The master accesses system memory and drives instructions, while the slave continuously executes the instructions on the bus (the instructions fetched by the master). The slave's outputs, including address and data lines, are sent to comparison logic implemented by comparators at the bus interfaces of master and slave. This logic checks for consistency on data, address, and control lines. Any mismatch on bus values indicates a fault in one of the CPUs, but the mechanism does not identify which CPU has failed.

This CPU architecture enables self-testing independent from application software. No special self-test instruction set is required because the actual runtime instructions are compared every clock cycle, allowing testing of only the CPU resources used by the software. However, this architecture does not detect faults in memory or the bus itself, so additional detection mechanisms are needed to avoid common-cause failures that affect both CPUs.
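The comparison scheme and its blind spots, as an added example that is not code from the article or from any chip vendor: a toy C model in which master and slave execute the same fetched instructions and a comparator checks their bus outputs every cycle. The 4-register instruction set, the names `step` and `run_lockstep`, and the sample data are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* Toy model (assumed for illustration): 4 registers, 4 opcodes, one instruction per cycle. */
typedef struct { uint32_t r[4]; } core_t;
typedef struct { uint32_t addr, data; uint8_t we; } bus_t;  /* values a core drives per cycle */
typedef struct { uint8_t op, rd, rs; uint32_t imm; } insn_t;
enum { OP_LI, OP_ADD, OP_ST, OP_LD };  /* load-immediate, add, store, load */
/* Execute one instruction on one core and return its bus outputs. */
static bus_t step(core_t *c, insn_t i, uint32_t ld_data) {
    bus_t b = {0, 0, 0};
    switch (i.op) {
    case OP_LI:  c->r[i.rd] = i.imm; break;
    case OP_ADD: c->r[i.rd] += c->r[i.rs]; break;
    case OP_ST:  b.addr = i.imm; b.data = c->r[i.rs]; b.we = 1; break;
    case OP_LD:  b.addr = i.imm; c->r[i.rd] = ld_data; break;
    }
    return b;
}
/* Before cycle flip_cycle, flip bit 0 of slave register flip_reg (flip_cycle < 0: none);
   mem_xor corrupts the shared input word. Returns the cycle the comparator trips, or -1. */
int run_lockstep(int flip_cycle, int flip_reg, uint32_t mem_xor, uint32_t *result) {
    static const insn_t prog[] = {
        {OP_LD, 0, 0, 0},   /* r0 = mem[0] */
        {OP_LI, 1, 0, 5},   /* r1 = 5 */
        {OP_ADD, 0, 1, 0},  /* r0 += r1 */
        {OP_LI, 2, 0, 9},   /* r2 = 9, never driven onto the bus */
        {OP_ST, 0, 0, 1},   /* mem[1] = r0 */
    };
    uint32_t mem[2] = {37u ^ mem_xor, 0};  /* constructed sample data */
    core_t m = {{0}}, s = {{0}};
    for (int cyc = 0; cyc < (int)(sizeof prog / sizeof prog[0]); cyc++) {
        if (cyc == flip_cycle) s.r[flip_reg] ^= 1u;   /* injected single-core fault */
        insn_t i = prog[cyc];                         /* fetched once, fed to both cores */
        uint32_t ld = (i.op == OP_LD) ? mem[i.imm] : 0;
        bus_t bm = step(&m, i, ld), bs = step(&s, i, ld);
        if (bm.addr != bs.addr || bm.data != bs.data || bm.we != bs.we)
            return cyc;                   /* mismatch: a core is faulty, but not which one */
        if (bm.we) mem[bm.addr] = bm.data;            /* only the master drives memory */
    }
    *result = mem[1];                                 /* stored value when no trip occurred */
    return -1;
}

int main(void) {
    uint32_t r = 0;
    printf("core fault: comparator trips at cycle %d\n", run_lockstep(2, 1, 0, &r));
    int trip = run_lockstep(-1, 0, 1, &r);            /* shared memory word corrupted */
    printf("memory fault: trip=%d, result=%u (fault-free: 42)\n", trip, (unsigned)r);
}
```

In this model a fault in a slave register is flagged only once the corrupted value reaches the bus, a fault in a register the program never outputs goes unnoticed, and a corrupted memory word passes the comparator because both cores consume the same bad input.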

In the Delphi Secured Microcontroller Architecture paper on lockstep MCUs, four advantages of this architecture are highlighted:

  • Reduced component count and interconnections compared with two separate MCUs, which improves hardware reliability.
  • Smaller board layouts and reduced complexity, improving board-level EMI performance and lowering radiated emissions.
  • Improved fault diagnosis: faults are detected at their source and at first occurrence, reducing the risk of latent faults being missed.
  • Improved software reliability: no need for inter-CPU communication and data synchronization, and reduced data comparison and decision logic, which lowers software verification complexity.

 

Representative Dual-Core Lockstep Chips

Major semiconductor vendors have developed dual-core lockstep architectures for safety-critical applications. Representative product families include:

TI Hercules series

The Hercules family from TI is a line of safety-critical processors built on ARM Cortex cores and includes series such as RM4, TMS570, and TMS470. These devices use lockstep dual-core CPUs and can meet ISO 26262 ASIL-D and IEC 61508 SIL3 functional safety requirements. They also meet AEC-Q100 automotive grade requirements. Features such as dual-core lockstep CPU architecture, hardware BIST, MPU, ECC, and on-chip clock and voltage monitoring support automotive, rail, and aerospace safety-critical applications.

Infineon AURIX series

The AURIX family of multicore microcontrollers emphasizes real-time performance and embedded safety and security features. They are used in engine controllers, electric and hybrid vehicle ECUs, chassis domains, brake systems, EPS, airbag control, ADAS systems, and also in rail and industrial automation. The latest AURIX TC3xx generation integrates up to six TriCore embedded cores with each core reaching frequencies up to 300 MHz. They include gigabit Ethernet, signal processing units, and modern communication interfaces.

 

NXP S32 and MPC57xx series

NXP's S32 family is based on ARM Cortex architectures and includes:

  • S32K MCUs for general automotive and industrial applications, providing high safety and security for ASIL B/D;
  • S32G vehicle network processors for high-performance applications related to service-oriented gateways, domain controllers, and security coprocessors;
  • S32S vehicle safety dynamics MCUs for safety functions in automated driving and electric vehicles, such as acceleration, braking, and steering support;
  • S32R45 radar processors for high-performance, safe, and reliable long-range radar imaging.

The MPC57xx family is based on Power Architecture and includes devices such as MPC5777C, MPC577xK, MPC5777M, and MPC5744P, used for vehicle dynamics, ADAS, and advanced driving applications.

 


Development Trends

Current trends in automotive safety chips include:

  • Increasing computational capability of lockstep chips, with maximum core frequencies rising from the historic 200-300 MHz range toward 1 GHz.
  • Evolution from dual-core lockstep toward multi-core lockstep architectures, where multiple cores are implemented and grouped in pairs for lockstep operation.
  • Support for gigabit Ethernet, CAN, FlexRay, and other high-speed in-vehicle networking interfaces.
  • Concurrent support for functional safety (e.g., ASIL B/D) and security features, including hardware cryptography and programmable hardware security engines that support public/private key encryption to protect IP and resist malicious intrusion.
  • Support for OTA firmware update capabilities.


NXP S32K MCU: Practical Considerations

Using a chip that implements lockstep does not, by itself, achieve a target safety integrity level. Chips are delivered with a set of safety usage requirements documented in a safety manual, which typically include:

  • Operational and environmental constraints.
  • Measures to mitigate systematic failures.
  • Matching of system-level safety functions with chip safety features, safety states, and timing requirements; the chip will not implement specific system-level safety functions by itself.
  • Correct configuration and implementation of chip-level diagnostic measures.
  • Compatibility between the CPU chip and external components; chips are typically used together with power ICs, watchdog ICs, driver ICs, and other components to meet system safety requirements.
  • Prevention of common-cause failures.

System designers must review these requirements and incorporate them into the overall system safety design.

 

Standards and Application

Dual-core lockstep chips are a representative semiconductor approach to chip-level functional safety and are widely applied. Functional safety practices now extend into semiconductor design to enable higher integration and improved performance for safety products. ISO 26262-11:2018 addresses the application of semiconductor technology in the automotive domain. Other standards such as IEC 61508 and EN 50129 contain corresponding clauses for semiconductor technology within their respective scopes.

