Hercules lockstep, dual core Cortex-R4F microcontroller
Dual core microcontrollers are readily available and a number of dual core configurations target specialized applications. Safety critical applications is one target area and security is another. The latter is typically addressed by two cores with on handling security issues such as CPU Technology's Acalis CPU872 secure, multicore microcontroller (see Dual PowerPC Micro Delivers Secure Processing Platform) and Applied Micro's APM86791 PacketPro microcontroller with its SLIMpro Trusted Management Module (see Secure Micro Protects Network Host).
On the other hand, safety applications normally operate both cores in lockstep mode comparing the results to make sure the redundant processing yields identical results. Texas Instruments' (TI) Hercules safety microcontroller platform (Fig. 1) utilizes dual ARM Cortex-R4F floating-point cores to target medical, industrial and transportation applications. This approach has been commonly used in avionics and automotive applications. In fact, Freescale and STMicroelectronics joined forces to deliver a dual-core Power processor for the automotive space (see Dual-Core, Dual-Source Processor Includes Flexray For Auto Apps).
TI's Hercules platform spans a number of product families starting with the high performance RM4x and mid range TMS570 line. The RM4x can be used for automomtive motor control but is also applicable to industrial and medical applications. It has 220 MHz ARM Cortex-R4F cores that supports standards like IEC 61508 SIL-3. ISO 13849 support is in progress.
The TM570 targets applications like automotive stability control and power steering. It addresses Automotive Q100 qualifications plus ISO 26262 ASIL-D and IEC 61508 SIL-3 safety standards. It also uses dual ARM Cortex-R4F cores running at speeds up to 180 MHz. It also handles the wider automotive temperature rang from -40 to 125°C.
The families support of to 3 Mbytes of flash memory and 256 Kbytes of RAM. Both have ECC (error correction code) support but the ECC logic is replicated in each processor core. This means all information is checked twice as it comes into or goes out of the core. TI also designed the system to avoid common cause failures. One core oriented 90 degrees and mirrored with respect to the other core. Both are electrically identical.
Peripherals provide some redundancy but are not replicated in the same fashion as the cores. For example there are multiple ADCs with multiple channels on each chip. Input channels are replicated to most ADCs and the outputs from multiple ADCs can be compared in software. The TMS570 supports FlexRay and comes with two FlexRay channels. The TMS570 also has a USB option. Both families support CAN and Ethernet.
Like most dual core, safety oriented systems, the Hercules cores automatically detect errors. TI designed the chip so the cores one core is oriented 90 degrees to the other and and its layout is a mirror of the other core. This helps avoid common cause failures. Express Logic's ThreadX. Applications and operating systems will need to be extended to take advantage of the hardware's error checking capability.