The technology of the disclosure relates generally to safety island architecture and more particularly, a System on Chip (SoC) having a safety island domain for controlling safe operation of a vehicle.
Autonomous driving hardware is required to support various safety levels of operation of a vehicle. Automotive Safety Integrity Level (ASIL) is a standard risk classification scheme defined by ISO 26262 which defines the various safety levels of operation of a vehicle. Currently, ASIL-A through ASIL-D levels are defined whereby ASIL-D specifies the highest integrity requirements necessary for a product to be compliant. In particular, ASIL-D requires that System on a Chip (SoC) implementations move a vehicle to a minimum safe operating mode on detection of any safety critical functional fault in the SoC. For example, a SoC must ensure safe operation of a vehicle (e.g., safe mode) by safe parking if a safety error occurs when the vehicle is currently utilizing adaptive cruise control or autonomous self-driving. In another example, if any safety error occurs when the vehicle is in parking mode, the SoC needs to switch off and restart. And in another example, if any safety error occurs in the SoC while the ignition is turned on, the vehicle should not start or restart.
Aspects disclosed in the detailed description include a processor-based system employing a safety island architecture for fail-safe operation. The processor-based system may be included in a system-on-a chip (SoC) that includes one or more processors and other processor related peripherals, including input/output (I/O) interfaces and memory.
In one aspect, the processor-based system includes a main domain for controlling a device, such as a vehicle. The main domain includes a first processor and other hardware circuits used to monitor vehicle sensors on the vehicle such as cameras, speed sensors, location sensors and the like as well as system sensors in the main domain including voltage sensors, temperature sensors, watch dog timers, aging sensors and the like. The other hardware circuits rapidly process the information from the vehicle sensors utilizing techniques such as computer vision to determine objects in the vehicle's periphery. The main domain communicates with vehicle modules including electromechanical modules to control operation of the vehicle. Such operation may include different autonomous driving use cases including autonomous cruise control, navigating the vehicle to certain destinations, autonomous parking and autonomous driving until summoned to avoid parking, and the like. Thus, it is important that these critical systems continue to operate in a fail-safe manner if the main domain were to incur a fault or failure.
As the amount of hardware circuitry increases in a SoC, the size of the SoC increases. In order to maintain a fixed SoC size while providing fail-safe operation of a vehicle, the processing system includes a safety island domain with less hardware than the main domain. In this regard, the safety island domain includes a processor for processing vehicle information and making calculations similar to those of the main domain, such as determining the objects in the vehicle's periphery. Since the safety island domain has less hardware than the main domain, those calculations are performed at a slower rate while occupying a smaller area on the SoC. The safety island domain occasionally checkpoints its calculations against those of the main domain. The safety island domain is configured to monitor errors originating in the main domain, the safety island domain, or both to determine the source of the error and perform an appropriate recovery mechanism. By monitoring errors generated by the main domain and the safety island domain, the safety island domain can advantageously recover from safety errors in either domain in the event of a fault or failure. For example, the safety island domain can reset itself when an error originates in the safety island domain.
In another exemplary aspect, when errors are received by the safety island domain in active mode, the safety island domain both electrically and logically isolates itself from the main domain and controls the operation of the vehicle during island mode. To minimize cost, SoC area, and save power, the safety island domain includes less hardware than the main domain and includes a processor which is configured to control the operation of the vehicle to the extent necessary to move the vehicle to a safe state as defined by ASIL-D requirements.
In another exemplary aspect, the safety island domain includes a processor and ensures a known boot process, advantageously avoiding spurious signals at the interface between the main domain and the safety island domain by electrically and functionally isolating the safety island domain from the main domain during the boot process. Because the processor is itself booting during this process, the safety island domain includes hardware to monitor and recover from errors generated within the safety island domain. This hardware advantageously provides a mechanism to reset the safety island domain during the boot process.
In this regard, in one aspect, a processor-based system for controlling operation of a vehicle is disclosed and comprises a main domain having a first processor. The first processor is configured to receive vehicle information from a vehicle network, process the vehicle information, and communicate over the vehicle network to instruct the vehicle how to operate. The processor-based system also includes a safety island domain comprising a second processor. The second processor is configured to receive the vehicle information from the vehicle network, process the vehicle information, checkpoint the vehicle information processed by the safety island domain with the vehicle information processed by the main domain, and monitor safety errors generated from the main domain and the safety island domain.
In another aspect, a method for controlling operation of a vehicle is disclosed. The method includes receiving, by a main domain, vehicle information from a vehicle network. The method also includes processing, by the main domain, the vehicle information. The method also includes communicating, by the main domain, over the vehicle network to instruct the vehicle how to operate. The method also includes receiving and processing, by a safety island domain, the vehicle information from the vehicle network. The method also includes checkpointing the vehicle information processed by the safety island domain with the vehicle information processed by the main domain. The method also includes monitoring safety errors, by the safety island domain, generated from the main domain and the safety island domain.
In another aspect, a processor-based system for controlling operation of a vehicle is disclosed. The processor-based system comprises a means for receiving, by a main domain, vehicle information from a vehicle network; a means for processing, by the main domain, the vehicle information; and a first means for communicating, by the main domain, over the vehicle network to instruct the vehicle how to operate. The processor-based system also comprises a means for receiving, by a safety island domain, the vehicle information from the vehicle network; a means for processing, by the safety island domain, the vehicle information from the vehicle network; a means for checkpointing the vehicle information processed by the safety island domain with the vehicle information processed by the main domain; and a means for monitoring safety errors, by the safety island domain, generated from the main domain and the safety island domain.
In another aspect, a non-transitory computer-readable storage medium is disclosed comprising instructions executable by a processor, which, when executed by the processor, causes the processor to control operation of a vehicle. The non-transitory computer-readable storage medium comprises receiving, by a main domain, vehicle information from a vehicle network, processing, by the main domain, the vehicle information, and communicating, by the main domain, over the vehicle network to instruct the vehicle how to operate. The non-transitory computer-readable storage medium further comprises receiving, by a safety island domain, the vehicle information from the vehicle network, processing, by the safety island domain, the vehicle information from the vehicle network, checkpointing the vehicle information processed by the safety island domain with the vehicle information processed by the main domain, and monitoring safety errors, by the safety island domain, generated from the main domain and the safety island domain.
With reference now to the drawing figures, several exemplary aspects of the present disclosure are described. The word “exemplary” is used herein to mean “serving as an example, instance, or illustration.” Any aspect described herein as “exemplary” is not necessarily to be construed as preferred or advantageous over other aspects.
Aspects disclosed in the detailed description include a processor-based system employing a safety island architecture for fail-safe operation. The processor-based system may be included in a system-on-a chip (SoC) that includes one or more processors and other processor related peripherals, including input/output (I/O) interfaces and memory.
In one aspect, the processor-based system includes a main domain for controlling a device, such as a vehicle. The main domain includes a first processor and other hardware circuits (e.g., graphics processing unit(s) (GPU), digital signal processor(s) (DSP), artificial intelligence unit(s) (AI), multi-media unit(s) (MM)) used to monitor vehicle sensors on the vehicle such as cameras, speed sensors, location sensors and the like, as well as domain sensors in the main domain including voltage sensors, temperature sensors, watch dog timers, aging sensors and the like. For example, the main domain utilizes GPU, DSP, AI, and MM units to achieve computer vision for recognizing the position and orientation of the vehicle and objects in the vehicle's periphery. The main domain communicates with vehicle modules including electromechanical modules to control operation of the vehicle. Such operation may include different autonomous driving use cases including autonomous cruise control, navigating the vehicle to certain destinations, autonomous parking and autonomous driving until summoned to avoid parking, and the like. Thus, it is important that these critical systems continue to operate in a fail-safe manner if the main domain were to incur a fault or failure. As such, the processing system includes a safety island domain that includes a processor to make calculations similar to those of the main domain for recognizing the position of the vehicle and objects in the vehicle's periphery. But since the safety island domain does not have GPU, DSP, MM, or AI units, the safety island domain calculates the same position and orientation of the vehicle and objects in the vehicle's periphery at a slower rate while consuming less area on the SoC than the main domain.
The safety island domain is configured to monitor errors originating in the main domain, the safety island domain, or both to determine the source of the error and an appropriate recovery mechanism. The safety island domain is also configured to communicate with the same external sensors and vehicle modules as the main domain. The main domain controls the operation of the vehicle during active mode while the safety island domain monitors errors that can be generated by both the main domain and the safety island domain. Active mode may be entered upon various actions including, but not limited to, engine startup, acceleration sensing, gear change, or entering a parking situation such as stopping after cruising and sensing a parking environment such as a parking garage. In contrast, low power mode may be entered upon various states including, but not limited to, the vehicle stopping, the ignition being turned off, and the car being parked. By monitoring errors generated by the main domain and the safety island domain, the safety island domain can advantageously recover from errors in either domain in the event of a fault or failure. For example, the safety island domain can reset itself when an error originates in the safety island domain.
In this regard,
I/O interface 126 also communicates with I/O devices 132 such as cameras and any other vehicle sensors external to SoC 102. Networking circuit 120 communicates over the vehicle network 134 to receive information from vehicle modules 136 and to instruct vehicle modules 136 which in turn control a vehicle's steering, throttling, and braking. Vehicle modules 136 may be electrical or electromechanical devices. Networking circuit 120 includes various communication interfaces including control area network flexible data-rate (CAN FD) interfaces for communicating data and control information. Memory controllers 124 communicate with dynamic random access memory (DRAM) 137. DRAM 137 includes data and programmable instructions to be generated and consumed by CPUs 108, GPUs 110, DSPs 112, MM engine 118 and AI engine 116. CPUs 108, GPUs 110, DSPs 112, MM engine 118 and AI engine 116 may include their own local memory system.
CPUs 108, GPUs 110, DSPs 112, and MM engine 118 are utilized to perform simultaneous tasks like camera vision, vehicle control, and information display. The AI engine 116 at least enables complex tasks in advanced driver-assistance systems (ADAS). GPUs 110, DSPs 112, and MM engine 118 cooperate to determine the position and orientation of the vehicle and any objects in the vehicle's periphery.
Safety island domain 106 consumes less area than main domain 104 and includes a single CPU 138 to make computations similar to those of the main domain 104; because it has less hardware than main domain 104, the computations made by CPU 138 are slower than those made in the main domain 104. Safety island domain 106 also receives and processes information over vehicle network 134, from I/O devices 132, and from DRAM 137, and instructs vehicle modules 136 to safely operate the vehicle in response to a safety error 140.
CPU 138 is coupled to bus fabric 144. The safety island domain 106 also includes a memory controller 146 connected to bus fabric 144 and DRAM 137, an I/O interface 148 connected to bus fabric 144 and I/O devices 132, a networking circuit 150 connected to bus fabric 144 that communicates over vehicle network 134, and a main domain interface 152 coupled to the main domain and the bus fabric 144.
Safety island domain 106 is powered by SAIL PMIC 154 and retrieves data and instructions from flash memory 156 to boot its CPU. Safety island domain 106 also includes a state detector circuit 158 which monitors errors generated by the main domain 104, the safety island domain 106, or both. State detector circuit 158 monitors and classifies safety errors and, depending on the error class type, recovers from a respective safety error 140. Details of state detector circuit 158 will be discussed in more detail in connection with
Safety errors 140 generated in main domain 104 may originate from sensors 114, I/O devices 132, main domain PMIC 130 or any of the components connected to bus fabric 128. Safety errors 140 generated in the main domain may be transmitted through safety island domain interface 122 and switch 164. State detector circuit 158 monitors safety errors generated in the main domain 104 through main domain interface 152 while switch 164 is connected. State detector circuit 158 also monitors and classifies safety errors originating in the safety island domain 106. Similarly, safety errors generated in the safety island domain 106 may originate from sensors 162, I/O devices 132, MD PMIC 130, SAIL PMIC 154 or any of the components connected to bus fabric 144. Sensors 162 include various sensors including, but not limited to, voltage sensors, amperage sensors, aging sensors, and temperature sensors.
A low power mode signal 141 may be generated by CPU 108 in main domain 104, MD PMIC 130, SAIL PMIC 154, or CPU 138 in the safety island domain 106. A low power mode signal 141 informs state detector circuit 158 to continue monitoring safety errors originating from both the main domain 104 and the safety island domain 106.
CPU 138 in the safety island domain 106 is configured to perform tasks similar to those of the main domain to control vehicle modules 136 in the vehicle, but its functionality is limited to the extent necessary to bring the vehicle to safety in case of a safety error 140 in the main domain, and it operates at a slower speed than the main domain 104. For example, the safety island domain 106 will control the vehicle to safely park if a safety error 140 is detected by state detector circuit 158 when the vehicle is operating in adaptive cruise control, autonomous self-driving, or manual driving modes. In another example, the safety island domain 106 is configured to not allow the vehicle to start or restart if a safety error 140 is detected by state detector circuit 158 in SoC 102 while the vehicle's ignition is turned on. In another example, the safety island domain 106 is configured to control the vehicle to switch off and restart if any safety error 140 is detected by state detector circuit 158 when the vehicle is in parking mode. By containing less hardware circuitry than the main domain, the safety island domain 106 consumes less area of SoC 102 than main domain 104 and is still able to control the vehicle to safety.
When the main domain 104 is in active mode, the main domain 104 receives vehicle information 160 from vehicle network 134. See block 202 in
Also, during active mode, the main domain 104, at points in time, sends processed vehicle information such as objects in the vehicle's periphery to the safety island domain 106 through safety island domain interface 122. At these points in time, the safety island domain 106 checks whether it is processing the vehicle information in the same way as main domain 104, albeit with different hardware than the main domain 104. The safety island domain 106 receives the processed vehicle information through main domain interface 152 and compares it with its own processed vehicle information, such as the objects in the vehicle's periphery, at the same time reference point. These occasional checkpoints allow the safety island domain 106 to ensure that it is in position to take over operation of the vehicle in case a safety error is generated that requires the safety island domain 106 to take control. The discussion in connection with
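The checkpoint comparison described above, as an added C example that is not part of the patent: the object list layout, the time reference counter, the greedy one-to-one matching, and the distance tolerance are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define MAX_OBJECTS 8

/* One object detected in the vehicle's periphery, as vehicle-relative
 * coordinates in metres. This layout is constructed for the example. */
struct periph_object {
    double x;
    double y;
};

/* A checkpoint: the objects one domain computed for a given time reference
 * point. time_ref is an assumed sample counter shared by both domains. */
struct checkpoint {
    uint32_t time_ref;
    size_t count;
    struct periph_object objs[MAX_OBJECTS];
};

static bool within_tolerance(const struct periph_object *a,
                             const struct periph_object *b, double tol)
{
    double dx = a->x - b->x;
    double dy = a->y - b->y;
    /* Compare squared distances so no libm call is required. */
    return dx * dx + dy * dy <= tol * tol;
}

/* Returns true when the safety island's checkpoint agrees with the main
 * domain's: same time reference point, same object count, and every
 * main-domain object matched one-to-one (greedy, adequate for short lists)
 * to a safety-island object within tol metres. A false result means the
 * island is not in position to take over and the caller must treat the
 * divergence as a safety concern. */
bool checkpoint_agrees(const struct checkpoint *main_cp,
                       const struct checkpoint *sail_cp, double tol)
{
    if (main_cp->time_ref != sail_cp->time_ref)
        return false;                 /* different time reference points */
    if (main_cp->count != sail_cp->count || main_cp->count > MAX_OBJECTS)
        return false;                 /* an object seen by only one domain */

    bool used[MAX_OBJECTS] = { false };
    for (size_t i = 0; i < main_cp->count; i++) {
        bool matched = false;
        for (size_t j = 0; j < sail_cp->count && !matched; j++) {
            if (!used[j] &&
                within_tolerance(&main_cp->objs[i], &sail_cp->objs[j], tol)) {
                used[j] = true;       /* one-to-one: do not reuse this detection */
                matched = true;
            }
        }
        if (!matched)
            return false;             /* main-domain object with no counterpart */
    }
    return true;
}
```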
State detector circuit 158 also monitors safety errors 140 through main domain interface 152 over bus fabric 144, safety errors generated by sensors 162 in the safety island domain 106 and safety errors generated from I/O devices 132 through I/O interface 148, and safety errors generated by DRAM 137 through memory controller 146. See block 214 in
In response to receiving a safety error 140 by state detector circuit 158, state detector circuit 158 will enter island mode. Island mode is entered by the safety island domain 106 electrically and functionally isolating itself from main domain 104. State detector circuit 158 disconnects switch 164 to electrically isolate the safety island domain 106 from the main domain 104. Additionally, state detector circuit 158 also functionally isolates safety island domain 106 from main domain 104 by causing safety island domain 106 to signal arbiter 166 to stop allowing instructions to flow from main domain 104 to vehicle network 134 and to allow instructions to flow from safety island domain 106 to vehicle network 134. State detector circuit 158 aggregates many different safety errors 140 so that a single enable isolation signal is generated by state detector circuit 158 to simultaneously electrically and functionally isolate safety island domain 106 from main domain 104. In this way, time delay caused by sequentially isolating main domain 104 from the safety island domain 106 can be avoided. State detector circuit 158 classifies a received safety error 140 and, depending on the classification, determines a recovery for the respective safety error. Classification types and recoveries are discussed further in connection with
When SoC 102 is initially powered on, also known as cold boot, processor-based system 100 employing a safety island architecture for fail-safe operation ensures that the processor-based system boots in a known state. When a system reset signal is received by state detector circuit 158 from SAIL PMIC 154, state detector circuit 158 electrically isolates the safety island domain 106 from main domain 104 by opening switch 164 and awaits a boot complete signal from MD PMIC 130 before removing the isolation from main domain 104. Switch 164 provides a path for monitoring safety errors 140 as well as for data processing activities between main domain 104 and safety island domain 106. For example, main domain 104 may transmit processed data to safety island domain 106 which, in turn, the safety island domain 106 communicates to the vehicle modules 136.
During cold boot, instructions from flash memory 156 are loaded in CPU 138 to initiate the boot sequence of CPU 138. During cold boot, state detector circuit 158 monitors safety errors 140 from sensors 162 so it can re-boot itself if needed. When a boot complete signal 142 is received by state detector circuit 158 from main domain PMIC 130, state detector circuit 158 closes switch 164 in order to begin monitoring safety errors 140 originating from the main domain 104. Being able to electrically isolate the main domain from the safety island domain 106 advantageously ensures that both the main domain 104 and safety island domain 106 are booted to a known state.
When the vehicle is parked and the ignition is off, both the main domain 104 and the safety island domain 106 operate in a low power state. In the low power state, vehicle modules 136 transmit less information than when the vehicle is in active state. As such, processing by the main domain 104 and the safety island domain 106 is reduced such that minimal instructions are being processed over a period of time to save power. State detector circuit 158 continues to monitor safety errors 140 originating in main domain 104, safety island domain 106, DRAM 137, and I/O devices 132.
State detector circuit 158 also includes a reset trigger generation circuit 316 and an isolation enable generation circuit 318. Error detection circuit 300 detects and classifies safety errors 302 or, in other words, aggregates all safety errors in the same class. Depending on the classification of a safety error 302, error detection circuit 300 signals the reset trigger generation circuit 316 over path 320 to either reset the main domain 104, reset the safety island domain 106, or reset both the main domain 104 and the safety island domain 106, or it takes corrective action without signaling the reset trigger generation circuit 316. Reset trigger generation circuit 316 may send a reset signal 322 to main domain PMIC 130 and may send a reset signal 322 to SAIL PMIC 154. Depending on the classification of a safety error 302, error detection circuit 300 may signal isolation enable generation circuit 318 over path 326 to enable or disable electrical and functional isolation of main domain 104. If the classification of a safety error 302 requires safety action to be performed by safety island domain 106 on a vehicle, error detection circuit 300 issues an interrupt to CPU 138. CPU 138 is configured with preconfigured interrupt handlers 328 that execute instructions on CPU 138 to communicate with other circuits and engines coupled to bus fabric 144 to safely operate the vehicle depending on the specific interrupt generated by error detection circuit 300.
CPU 138 also includes interrupt handlers 330 which receive interrupts generated by a subset of glitch filter circuits 312(1)-312(N). The subset of glitch filter circuits 312(1)-312(N) which trigger interrupt handlers 330 correspond to non-latency critical and recoverable safety errors. With this subset of glitch filter circuits 312(1)-312(N), interrupt handlers 330, not error detection circuit 300, classify the safety errors. Depending on the classification of these safety errors 302, the CPU 138 may signal isolation enable generation circuit 318 over path 332 to enable or disable electrical and functional isolation of main domain 104 and communicate with other circuits and engines coupled to bus fabric 144 to safely operate the vehicle such as performing the necessary ASIL-D safety operations on the vehicle.
Isolation enable generation circuit 318 generates a single enable/disable isolation signal 334 to simultaneously disconnect/connect switch 164 and signal arbiter 166 to allow/disallow instructions over vehicle network 134 from the safety island domain. By default, isolation enable generation circuit 318 generates an enable isolation signal so that safety island domain 106 can boot independently from main domain 104. Once the main domain 104 is properly booted, a boot complete signal 336 is received by isolation enable generation circuit 318 which, in turn, generates a disable isolation signal 334.
State detector circuit 158 also includes a safety island (SAIL) power manager circuit 338. SAIL power manager circuit 338 may put the safety island domain in low power mode to save power. While in low power mode, SAIL power manager circuit 338 continues to monitor the health of the MD PMIC 130 and SAIL PMIC 154 through external general purpose input/output (GPIO) interrupts 340. Based on the monitoring of MD PMIC 130 and SAIL PMIC 154, SAIL power manager circuit 338 may signal isolation enable generation circuit 318 over path 342 to enable or disable main domain 104 isolation.
At block 412, safety island domain 106 receives a safety error. As discussed in connection with
If the fault class is a fatal fault in the safety island domain 106, the safety island domain 106 proceeds to block 426 and resets the entire SoC 102 by sending a reset signal 322 to main domain PMIC 130 and sending a reset signal 322 to SAIL PMIC 154. During the reset of the entire chip, safety island domain 106 proceeds to block 406 where it continues to monitor safety errors originating in the safety island domain during the SoC reset.
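The state detector behaviour described in this section (isolation enabled by default at cold boot and removed on boot complete, main-domain errors visible only while switch 164 is closed, continued monitoring in low power mode and during resets, one isolation signal covering both electrical and functional isolation, and a reset or interrupt chosen per fault class) as an added C model that is not the patent's own logic. The fault class names and the class-to-reaction mapping are assumptions: the page names the possible reactions but does not enumerate the classes.

```c
#include <stdbool.h>

/* Where a safety error 140 was raised. */
enum err_source { SRC_MAIN_DOMAIN, SRC_SAFETY_ISLAND };

/* Assumed fault classes. The page describes recoverable and fatal classes
 * and four reactions (reset main, reset island, reset both, act without
 * reset); the names and mapping here are illustrative, not the patent's. */
enum fault_class {
    FAULT_RECOVERABLE,    /* non-latency-critical: CPU 138 acts, no reset */
    FAULT_MAIN_CRITICAL,  /* main domain untrusted: island mode, reset main */
    FAULT_SAIL_RESET,     /* island error cleared by resetting the island */
    FAULT_SAIL_FATAL      /* fatal in the island: reset the entire SoC */
};

/* Output signals of the modelled state detector circuit 158. */
struct detector_outputs {
    bool isolation_enabled; /* signal 334: switch 164 open, arbiter 166 routes island */
    bool reset_main;        /* reset signal 322 to MD PMIC 130 */
    bool reset_sail;        /* reset signal 322 to SAIL PMIC 154 */
    bool irq_cpu138;        /* interrupt to preconfigured handlers 328 */
    bool island_mode;
    bool low_power;
    bool monitoring;        /* never drops: monitoring continues in every mode */
};

struct state_detector {
    bool main_boot_complete;
    struct detector_outputs out;
};

/* System reset from SAIL PMIC 154 (cold boot): isolation is enabled by
 * default so the island boots to a known state independently of the main
 * domain, while its own sensors 162 are monitored from the start. */
void sd_system_reset(struct state_detector *sd)
{
    sd->main_boot_complete = false;
    sd->out = (struct detector_outputs){0};
    sd->out.isolation_enabled = true;
    sd->out.monitoring = true;
}

/* Boot complete signal 336 from MD PMIC 130: close switch 164 and begin
 * monitoring main-domain errors through main domain interface 152. */
void sd_boot_complete(struct state_detector *sd)
{
    sd->main_boot_complete = true;
    sd->out.isolation_enabled = false;
}

/* Low power mode signal 141: processing is reduced, monitoring is not. */
void sd_low_power(struct state_detector *sd, bool enter)
{
    sd->out.low_power = enter;
    sd->out.monitoring = true;
}

/* Fold one classified safety error into the outputs. Isolation is a single
 * signal, so electrical and functional isolation change together rather
 * than in sequence. */
void sd_on_safety_error(struct state_detector *sd, enum err_source src,
                        enum fault_class cls)
{
    /* Main-domain errors only reach the detector while switch 164 is closed. */
    if (src == SRC_MAIN_DOMAIN && sd->out.isolation_enabled)
        return;

    switch (cls) {
    case FAULT_RECOVERABLE:
        sd->out.irq_cpu138 = true;        /* corrective action, no reset trigger */
        break;
    case FAULT_MAIN_CRITICAL:
        sd->out.isolation_enabled = true; /* enter island mode in one step */
        sd->out.island_mode = true;
        sd->out.reset_main = true;        /* assumed reaction for this class */
        sd->out.irq_cpu138 = true;        /* CPU 138 brings the vehicle to safety */
        break;
    case FAULT_SAIL_RESET:
        sd->out.reset_sail = true;        /* the island resets itself */
        break;
    case FAULT_SAIL_FATAL:
        sd->out.isolation_enabled = true;
        sd->out.reset_main = true;        /* entire SoC: both PMICs */
        sd->out.reset_sail = true;
        break;
    }
    sd->out.monitoring = true;            /* keep monitoring through any reset */
}
```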
As described in connection with
Electronic devices that include an exemplary processor-based system deployed as a SoC having a main domain and a safety island domain for fail-safe operation of a vehicle as described in
In this regard,
Other master and slave devices can be connected to the system bus 614. As illustrated in
The PU 610 may also be configured to access the display controller(s) 628 over the system bus 614 to control information sent to one or more displays 632. The display controller(s) 628 sends information to the display(s) 632 to be displayed via one or more video processor(s) 634, which process the information to be displayed into a format suitable for the display(s) 632. The display controller(s) 628 and video processor(s) 634 can be included as ICs in the same or different electronic devices, and in the same or different electronic devices containing the processors 608, as an example. The display(s) 632 can include any type of display, including, but not limited to, a cathode ray tube (CRT), a liquid crystal display (LCD), a plasma display, a light emitting diode (LED) display, etc.
Those of skill in the art will further appreciate that the various illustrative logical blocks, modules, circuits, and algorithms described in connection with the aspects disclosed herein may be implemented as electronic hardware, instructions stored in memory or in another computer readable medium wherein any such instructions are executed by a processor or other processing device, or combinations of both. The devices and components described herein may be employed in any circuit, hardware component, integrated circuit (IC), or IC chip, as examples. Memory disclosed herein may be any type and size of memory and may be configured to store any type of information desired. To clearly illustrate this interchangeability, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. How such functionality is implemented depends upon the particular application, design choices, and/or design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present disclosure.
The various illustrative logical blocks, modules, and circuits described in connection with the aspects disclosed herein may be implemented or performed with a processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices (e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration).
The aspects disclosed herein may be embodied in hardware and in instructions that are stored in hardware, and may reside, for example, in Random Access Memory (RAM), flash memory, Read Only Memory (ROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), registers, a hard disk, a removable disk, a CD-ROM, or any other form of computer readable medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC. The ASIC may reside in a remote station. In the alternative, the processor and the storage medium may reside as discrete components in a remote station, base station, or server.
It is also noted that the operational steps described in any of the exemplary aspects herein are described to provide examples and discussion. The operations described may be performed in numerous different sequences other than the illustrated sequences. Furthermore, operations described in a single operational step may actually be performed in a number of different steps. Additionally, one or more operational steps discussed in the exemplary aspects may be combined. It is to be understood that the operational steps illustrated in the flowchart diagrams may be subject to numerous different modifications as will be readily apparent to one of skill in the art. Those of skill in the art will also understand that information and signals may be represented using any of a variety of different technologies and techniques. For example, data, instructions, commands, information, signals, bits, symbols, and chips that may be referenced throughout the above description may be represented by voltages, currents, electromagnetic waves, magnetic fields or particles, optical fields or particles, or any combination thereof.
The previous description of the disclosure is provided to enable any person skilled in the art to make or use the disclosure. Various modifications to the disclosure will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other variations. Thus, the disclosure is not intended to be limited to the examples and designs described herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Implementation examples are described in the following numbered clauses: