SafeDX: Standalone Modules Providing Diverse Redundancy for Safety-Critical Applications

RISC-V Instruction Set Architecture (ISA) is gaining significant popularity in Europe as the main driver for developing open source hardware. Commercial products and academic prototypes based on RISC-V become increasingly available, including cores, components and full systems-on-chip (SoCs). While those RISC-V IPs are suitable for many markets, those with safety requirements (e.g., automotive, space, avionics, health, railway) need specific support rarely available in RISC-V developments. Such support relates to observability and controllability features to ease verification, validation and the implementation of safety measures. Among those requirements, SoCs targeting the most stringent safety levels must provide some form of diverse redundancy to avoid the so-called Common Cause Failures (CCFs). This work presents and compares some technologies providing diverse redundancy for cores that lack appropriate native support (e.g., dual-core lockstep - DCLS). In particular, we introduce the SafeDX group of components, which include two components enforcing diverse redundancy across cores, either by hardware means (SafeDE) or software-only means (SafeSoftDR), as well as one component measuring the diversity across two cores executing redundant tasks (SafeDM). We show the different tradeoffs in terms of software constraints, hardware intrusiveness, and compatibility with existing SoCs that make each of the three SafeDX components best suited for alternative deployment scenarios.