UltraSoC Launches "Any Processor" Lockstep Solution For Safety-Critical Systems
November 30, 2018
UltraSoC, the leader in embedded analytics for the safety and security of automotive systems, today launched the UltraSoC Lockstep Monitor.
UltraSoC, the leader in embedded analytics for the safety and security of automotive systems, today launched the UltraSoC Lockstep Monitor. A hardware-based, scalable solution, the new Lockstep Monitor significantly helps functional safety by checking that the cores at the heart of a critical system are operating reliably, safely and securely. UltraSoC’s flexible IP supports all common lockstep / redundancy architectures, including full dual-redundant lockstep, split/lock, master/checker, and voting with any number of cores or subsystems.
The UltraSoC Lockstep Monitor can support any processor architecture or other subsystem, including custom logic or accelerators. Lockstep operation is needed for safety standards such as ISO26262 for automotive, IEC 61508, EN50126/8/9 and CE 402/2013.
The new Lockstep Monitor consists of a set of configurable semiconductor IP (SIP) blocks that are protocol aware and can be used to cross-check outputs, bus transactions, code execution and even register states, between two or more redundant systems. It can be used with any processor architecture, including those – such as the emerging RISC-V architecture – which lack native support for lockstep configurations. In addition to traditional processor cores, it can also check other subsystems or accelerators. Because it is implemented in hardware, it responds at wire speed and imposes no execution overhead on the host system.
Unlike traditional approaches, the UltraSoC Lockstep Monitor includes flexible, run-time configurable embedded intelligence, allowing the SoC designer to tailor the monitoring and response system precisely to the application. Monitoring can be implemented at a variety of levels of granularity: at the subsystem level (comparing the outputs of the two processors); at the transaction level (for example comparing bus traffic); at the instruction level, using UltraSoC’s advanced instruction trace capability; and at the most fundamental hardware-level, checking processor internal states or register contents.
By embedding intelligence in the system, UltraSoC also allows more sophisticated comparisons between the operation of the lockstep processors than can be achieved with traditional solutions. For example, if the lockstep processors share a memory space, they cannot operate in perfect, cycle-by-cycle synchronization. UltraSoC’s on-chip analytics can be used to correlate activity within the redundant processors, and to tailor the response of the system depending on the nature of any detected anomalies.
RISC-V is gaining increasing traction in safety-critical applications, particularly in the automotive industry. However, the RISC-V ecosystem as a whole currently lacks support for the functional safety and security principles – such as lockstep operation – mandated by global standards such as ISO26262 for functional safety, J3061 for cybersecurity, IEC 61508, EN50126/8/9 and CE 402/2013. UltraSoC’s Lockstep Monitor allows any RISC-V system, whether using open source or commercial cores, to incorporate sophisticated safety capabilities. The company will be presenting on automotive safety and security – jointly with ResilTech, the specialists in resilient computing for critical systems –at the upcoming RISC-V Summit (Santa Clara, 3 – 6 Dec 2018).
Lockstep systems employ two or more processor subsystems running the same code in a redundant backup configuration. The cores may be clock-cycle synchronized, or offset by a small number of cycles, an arrangement that protects against transient errors in the surrounding system. The outputs, code execution or bus traffic from the subsystems are compared and if the results differ, an error can be signaled. Lockstep systems with two processors are typically configured in a ‘master/checker’ arrangement; those with more than two processors may use ‘voting’ or other redundancy schemes. More sophisticated “split/lock” processor arrangements may allow the lockstep function to be dynamically engaged and disengaged, allowing the cores to run in redundant mode or to run different code for higher performance.