NXP S32S Drives Autos in Lockstep

July 17, 2018

Author: Tom R. Halfhill

Failure is not an option when a motor vehicle must stop. To ensure that a human driver or autonomous system always maintains control, the vehicle’s processors must respond under any conditions, including faults that would cripple a conventional chip. So NXP has announced a fault-tolerant automotive processor that runs four pairs of CPUs in lockstep mode. It designed the S32S247 for “any system that starts, stops, or steers the vehicle.”

As the first member of the S32S family, the new chip is also the first announced product to use Cortex-R52, a synthesizable CPU that Arm designed specifically for critical control. This 32-bit core supersedes the eight-year-old Cortex-R5 and is the first implementation of the Arm v8-R instruction-set architecture (ISA) announced in 2013. To host hypervisors, the R52 adds another privilege level and a second memory-protection unit (MPU). To isolate critical tasks, it can simultaneously run multiple real-time operating systems in virtual sandboxes, and it speeds up context switching and interrupt handling.

Scheduled to sample in 4Q18 and start production in 2020, the octa-core S32S247 appears to the system as a quad-core processor. It arranges its eight CPUs in pairs. Each CPU can run its own RTOS and copy of the same control software in a sandboxed partition. The first pair is the “safety core,” which handles errors in addition to its usual functions. Each CPU pair continuously operates in lockstep mode, with the “shadow” core following two clock cycles behind the main core. A redundancy control and checker unit (RCCU) compares their outputs. If the RCCU detects a discrepancy, it notifies the safety core, which takes corrective action.
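A simplified software model of the delayed-lockstep check described above, added here as an illustration; it is not code from the article or from NXP. The toy core, the `lockstep_run` function and the fault model are hypothetical, and the point it demonstrates (a time offset lets the checker catch a disturbance that hits both cores at the same instant) is general lockstep design rationale rather than something the article states.

```c
#include <stdint.h>
#include <stdio.h>

#define STEPS 32  /* length of the constructed sample run */

/* Toy deterministic core: one state update per clock (hypothetical stand-in
 * for a CPU; the update is a bijection, so a flipped bit never self-heals). */
static uint32_t core_step(uint32_t s, uint32_t in) {
    s ^= in; s ^= s << 13; s ^= s >> 17; s ^= s << 5;
    return s;
}

/* Simulate one pair with the shadow `delay` clocks behind the main core.
 * At wall-clock cycle `glitch_at`, `mask` is XORed into the state of each
 * core selected by hit_main / hit_shadow (glitch_at = -1: no fault).
 * Returns the wall-clock cycle of the first checker mismatch, or -1. */
int lockstep_run(int delay, int glitch_at, int hit_main, int hit_shadow,
                 uint32_t mask) {
    uint32_t main_s = 1, shadow_s = 1;
    uint32_t held[STEPS];              /* main outputs awaiting comparison */
    for (int t = 0; t < STEPS + delay; t++) {
        if (t < STEPS) {               /* main core executes step t */
            main_s = core_step(main_s, (uint32_t)t);
            if (t == glitch_at && hit_main) main_s ^= mask;
            held[t] = main_s;
        }
        int k = t - delay;             /* shadow executes step k at clock t */
        if (k >= 0 && k < STEPS) {
            shadow_s = core_step(shadow_s, (uint32_t)k);
            if (t == glitch_at && hit_shadow) shadow_s ^= mask;
            if (shadow_s != held[k]) return t;   /* checker raises error */
        }
    }
    return -1;
}

int main(void) {
    printf("main-only fault, delay 2: %d\n", lockstep_run(2, 10, 1, 0, 0x80));
    printf("common fault,    delay 0: %d\n", lockstep_run(0, 10, 1, 1, 0x80));
    printf("common fault,    delay 2: %d\n", lockstep_run(2, 10, 1, 1, 0x80));
    return 0;
}
```

With no offset, the identical upset in both cores compares equal and goes unnoticed; with the two-cycle offset the same upset lands on different execution steps and the comparison fails immediately.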

By announcing the chip now, NXP hopes to lock in some long-term customers and shut the opportunity window on rivals. The S32S247 surely isn’t the only Cortex-R52 automotive chip in the works, but it wins the pole position.

