JP2024530916A - Data transmission between domains of different security levels within a system-on-chip - Google Patents

Abstract

In various instances, a system includes a memory operating within a first risk level and a circuit operating within a second risk level indicating more risk than the first risk level, the circuit reading and/or writing data to a first memory address in the memory and reading and/or writing an error detection code to a second memory address in the memory.

Description

This application is based on Indian Provisional Application No. 202111034491 entitled "TRANSMITTING DATA BETWEEN REGIONS OF VARYING SAFETY INTEGRITY LEVELS IN A SYSTEM ON A CHIP" filed on July 30, 2021, and "TRANSMITTING DATA BETWEEN REGIONS OF VARYING SAFETY INTEGRITY LEVELS IN A SYSTEM ON A CHIP" filed on September 16, 2021. This application claims the benefit of U.S. patent application Ser. No. 17/477,360 entitled "CHIP," the entire contents of which are incorporated herein by reference.

At least one embodiment relates to accessing a memory in a second region of a circuit by a first region of a circuit. For example, at least one embodiment relates to a system-on-chip that implements various novel techniques described herein. As another example, at least one embodiment relates to an autonomous vehicle that includes such a system-on-chip.

Automotive Safety Integrity Level (ASIL) is a risk classification system for the functional safety of road vehicles defined by the International Organization for Standardization (ISO) 26262 functional safety standard. This risk classification system has four risk classification levels identified as ASIL-A, ASIL-B, ASIL-C, and ASIL-D, with ASIL-D being the highest risk classification level. Thus, components designated as ASIL-D have higher safety requirements and may be more expensive than components designated with a lower risk classification level (such as ASIL-B). In many automotive platforms, at least some safety services are performed by an external control unit upon detection of certain faults in the on-board system on a chip (SoC) that controls various driving functions of the autonomous or semi-autonomous vehicle. Typically, the external control unit may operate at a higher risk level (e.g., ASIL-D) than the on-board SoC (e.g., ASIL-B).

U.S. Patent Application Serial No. 16/101,232

“Taxonomy and Definitions for Terms Related to Driving Automation Systems for On-Road Motor Vehicles” (Standard No. J3016-201806, published on June 15, 2018, Standard No. J3016-201609, published on September 30, 2016, and previous and future versions of this standard)

Unfortunately, such external control units introduce latency and can be expensive because they require separate components, such as DRAM, non-volatile memory, etc., that are also present on the vehicle SoC and each take up space within the vehicle platform (e.g., on a circuit board).

The system and method for isolating regions of a system-on-chip are described in detail below with reference to the accompanying drawings.

FIG. 1 is a diagram of an example vehicle-mounted platform in accordance with some embodiments of the present disclosure. 1 is a diagram of an example of an interface connecting a safety island integrated into an automotive SoC to other components of the automotive SoC in accordance with some embodiments of the present disclosure. 1 is a flow diagram illustrating a method for transitioning a safety island between a cocoon mode and a non-isolated mode according to some embodiments of the present disclosure. FIG. 2 is a diagram of an example fault interface for communicating faults from other components of the vehicle SoC to the safety island, in accordance with some embodiments of the present disclosure. FIG. 1 is a flow diagram illustrating a method for communicating a fault to a safety island according to some embodiments of the present disclosure. FIG. 2 is a flow diagram illustrating a method a processor may use to handle an interrupt received from a SoC fault aggregator, according to some embodiments of the present disclosure. FIG. 11 is a flow diagram illustrating a method that the SI 110 may use to process corrected and uncorrected error signals, according to some embodiments of the present disclosure. 1 is a flow diagram illustrating a method that the SI 110 may use to process a SoC fault aggregator signal, according to some embodiments of the present disclosure. 1 illustrates an example signal timing diagram of signals transmitted and received by a safety island processor after a low severity uncorrected error (e.g., minimum) is asserted, in accordance with some embodiments of the present disclosure. 1 illustrates an example signal timing diagram of signals transmitted and received by a safety island processor after a high severity uncorrected error (e.g., maximum value) is asserted, in accordance with some embodiments of the present disclosure. 1 illustrates an example signal timing diagram of signals transmitted and received by a processor in a safety island after an uncorrected error (e.g., max) has been asserted, but the safety island has not received a mailbox interrupt, in accordance with some embodiments of the present disclosure. 1 is a flow diagram illustrating a method for writing data to a carve-out defined in a volatile memory shared by a safety island and other components of an automotive SoC, according to some embodiments of the present disclosure. 8 illustrates an example of an error detection block of a safety island that performs the method of FIG. 7 according to some embodiments of the present disclosure. FIG. 1 is a flow diagram illustrating a method for reading data from a carve-out according to some embodiments of the present disclosure. 10 illustrates an example of an error detection block of a safety island that performs the method of FIG. 9 in accordance with some embodiments of the present disclosure. FIG. 1 is a block diagram illustrating error notifications generated by an error detection block when the error detection block includes or is connected to egress and ingress timers, according to some embodiments. FIG. 1 is a diagram of an example autonomous vehicle in accordance with some embodiments of the present disclosure. 13 is an example of camera positions and fields of view for the example autonomous vehicle of FIG. 12 , in accordance with some embodiments of the present disclosure. FIG. 13 is a block diagram of an example system architecture for the example autonomous vehicle of FIG. 12 , in accordance with some embodiments of the present disclosure. FIG. 13 is a system diagram for communication between a cloud-based server and the example autonomous vehicle of FIG. 12 , in accordance with some embodiments of the present disclosure. FIG. 1 is a block diagram of an example computing device suitable for use in implementing some embodiments of the present disclosure.

Systems and methods related to isolating areas of circuitry operating at a higher risk level (e.g., ASIL-D) from other areas of circuitry operating at a lower risk level (e.g., ASIL-B) are disclosed. For example, an area or "island" dedicated to functional safety can be isolated (e.g., communication-wise) from other components on a system-on-chip ("SoC") such as an automotive SoC. FIG. 1 is a diagram of an example of an automotive platform 100 according to at least one embodiment. The automotive platform 100 can implement an autonomous or semi-autonomous vehicle, such as an example of an autonomous vehicle 1200 (see FIG. 12). The automotive platform 100 includes an on-board processing system 102 that can implement a level of driving autonomy higher than Level 0 (no driving automation) as defined by the Society of Automotive Engineers (SAE). For example, the in-vehicle processing system 102 may implement Level 2 (partial driving automation) through Level 5 (full driving automation) as defined by the SAE. Level 2 systems are sometimes referred to as Advanced Driver Assistance Systems (ADAS).

The vehicle processing system 102 includes at least one vehicle SoC 104. The vehicle SoC 104 performs at least some functions, but may offload one or more safety functions to an optional external control unit 106 (e.g., including an external ASIL-D microcontroller unit). The optional external control unit 106 may operate at and comply with a higher risk classification level (e.g., ASIL-D) than the vehicle SoC 104. In an embodiment including an optional external control unit 106, if a fault occurs in the vehicle SoC 104, the fault is communicated to the optional external control unit 106. This unit 106 may take one or more actions to return the vehicle platform 100 to a safe state. Thus, at least a portion of the safety functions may be performed by the optional external control unit 106. However, the optional external control unit 106 may introduce latency and may be expensive because it may require separate components such as DRAM, non-volatile memory, etc., each of which occupies space within the vehicle platform 100 (e.g., on a circuit board).

To avoid at least some of the latency and expense incurred by the optional external control unit 106, the vehicle platform 100 of FIG. 1 includes a functional safety island or safety island (SI) 110 integrated into the vehicle SoC 104. The SI 110 may be implemented as a compute cluster that operates at and complies with a higher risk classification level (e.g., ASIL-D) compared to the rest of the vehicle SoC 104. The SI 110 may perform at least some of the functions normally performed by the optional external control unit 106. The presence of the SI 110 allows the optional external control unit 106 to be omitted entirely or to be implemented using a lower performance and/or lower cost external control unit. For example, if present, the optional external control unit 106 may perform one or more legacy functions, such as providing communication over a Controller Area Network (CAN) bus, providing a reset controller for the vehicle SoC 104, and/or performing on-board voltage monitoring.

In addition to the vehicle SoC 104 and optional external control unit 106 (if present), the vehicle processing system 102 may include a first (SoC) clock 112 for the vehicle SoC 104, a second (SI) clock 114 for the SI 110, and a power management integrated circuit (IC) 116. Each of the components of the vehicle processing system 102 is implemented at least partially in hardware. Each of the logical components of the vehicle processing system 102 (e.g., the vehicle SoC 104 and optional external control unit 106) is typically implemented in hardware logic circuits in one or more integrated circuit chips. The logic may be hardwired or programmable, or a combination of hardwired and programmable elements. Additionally or alternatively, certain functions of the vehicle processing system 102 may be implemented in software or firmware executed by an embedded microprocessor or microcontroller.

The first clock 112 and the second clock 114 provide two separate clock signals to the vehicle SoC 104. Specifically, a first clock signal generated by the first (SoC) clock 112 is provided to the components 160 of the vehicle SoC 104 other than the SI 110, and a second clock signal generated by the second (SI) clock 114 is provided to the SI 110. Thus, the SI 110 and the other components 160 can be characterized as operating in separate clock domains. The clock domain of the SI 110 is referred to as the SI clock domain, and the clock domain of the other components 160 is referred to as the SoC clock domain. Each of the first clock 112 and the second clock 114 may be implemented at least in part as a crystal oscillator. The first (SoC) clock 112 may be connected to each of at least some of the other components 160 of the vehicle SoC 104 via a first clock connection (not shown), such as a wire, signal trace, etc. Thus, the first (SoC) clock 112 may provide a first clock signal to the other components 160 of the vehicle SoC 104 via the first clock connection (not shown). The second (SI) clock 114 may be connected to each of at least some of the components of the SI 110 via a second clock connection (not shown), such as a wire, signal trace, etc. Thus, the second (SI) clock 114 may provide a second clock signal to the SI 110 via the second clock connection (not shown).

The power management IC 116 provides power to the other components of the vehicle processing system 102. For example, power rails or connections 118A-118C connect the power management IC 116 to the other components 160 of the vehicle SoC 104, the SI 110, and the optional external control unit 106, respectively. The power connections 118A-118C serve to electrically isolate the other components 160 of the vehicle SoC 104, the SI 110, and the optional external control unit 106 (if present), respectively. Thus, the SI 110 can operate in a voltage domain separate from the other components 160 and the optional external control unit 106 (if present). The voltage domain of the SI 110 is referred to as the SI voltage domain, and the voltage domain of the other components 160 is referred to as the SoC voltage domain. The power management IC 116 can be implemented as one or more integrated circuits that provide sufficient power to the components of the vehicle processing system 102. Each of the power connections 118A-118C may be implemented as a conductive element, such as a power line, wire, power trace, etc.

As mentioned above, the SI 110 operates in the SI clock domain and the SI voltage domain. The SI clock domain and the SI voltage domain are collectively referred to as the SI domain. Similarly, the other components 160 operate in the SoC clock domain and the SoC voltage domain. The SoC clock domain and the SoC voltage domain are collectively referred to as the SoC domain.

Other components 160 of the automotive SoC 104 may include a main central processing unit (CPU) complex 120, an auxiliary safety unit 122, circuitry 124 for performing automotive SoC functions, volatile data storage or memory 126 (e.g., Dynamic Random Access Memory (DRAM)), and non-volatile data storage or memory 128. The main CPU complex 120 may be implemented as one or more processors operating at ASIL-B. In such an embodiment, the SI 110 may operate at a higher level of ASIL (e.g., ASIL-D), so that the automotive SoC 104 may operate at multiple or mixed ASILs. As non-limiting examples, the circuitry 124 may include hardware implementing one or more displays, one or more vehicle input/output (I/O) controllers, one or more memory controllers, one or more interconnects, etc. In the illustrated embodiment, the circuitry 124 is shown as including or implementing multiple logic blocks LB(1)-LB(N). Each of these logic blocks is often referred to as Intellectual Property (IP). The logic blocks LB(1)-LB(N) may implement various functions within an autonomous vehicle (e.g., autonomous vehicle 1200 shown in FIG. 12).

Optional external control unit 106 may include controller 130, fault aggregator 132, volatile data storage or memory 136 (e.g., DRAM), and non-volatile data storage or memory 138. Optional external control unit 106 may also include one or more logic blocks (not shown) that implement safety functions performed by optional external control unit 106. Controller 130 may be implemented as one or more processors (e.g., microcontrollers) operating in ASIL-D. Controller 130 executes instructions, such as instructions compliant with one or more Automotive Open System Architecture (AUTOSAR) software standards, stored in non-volatile memory 138. The instructions may direct controller 130 to take appropriate action if fault aggregator 132 receives a fault from vehicle SoC 104.

In one or more embodiments, the SI 110 includes a processor 140, an interrupt controller 141, an SI fault aggregator 142, a volatile data storage or memory 146 (e.g., a static random-access memory (SRAM)), and one or more logic blocks 148. The processor 140 may be implemented as a cluster of processors, such as a high-ranked ASIL-D safety processor. The processor 140 executes instructions 149, such as instructions conforming to the AUTOSAR software standard, retrieved at boot time from the non-volatile memory 128 and stored in the volatile memory 146. The instructions 149 may direct the processor 140 to take appropriate action if the SI fault aggregator 142 receives a fault from another component 160 of the vehicle SoC 104. The logic blocks 148 may aid in implementing safety features performed by the SI 110.

The auxiliary safety unit 122 may be implemented as a real-time safety auxiliary processing unit and/or may be ranked ASIL-B or higher. That is, the auxiliary safety unit 122 may operate at the same risk classification level as other components in the SoC domain or at a higher risk classification level. The auxiliary safety unit 122 includes a processor 150, one or more SoC fault aggregators 152, an interrupt controller 154, and one or more logic blocks called mailboxes 156. Each of the SI fault aggregator 142 and the fault aggregator 132 (if present) may receive faults from the SoC fault aggregator 152. Thus, the SoC fault aggregator 152 may be connected to the fault aggregator 132 via one or more fault interfaces 170 and to the SI fault aggregator 142 via one or more fault interfaces 172. Each of the fault interfaces 170 and 172 includes connections, such as wires, signal traces, etc., that physically connect each of the SoC fault aggregators 152 to a corresponding one of the fault aggregators 132 or SI fault aggregators 142.

The mailbox 156 may include a first mailbox that the processor 150 writes to and the processor 140 reads from, and a second mailbox that the processor 140 writes to and the processor 150 reads from. The mailbox 156 may be used by the processor 150 (e.g., a central processing unit ("CPU") of rank ASIL-B or higher) to report mailbox interrupts to the interrupt controller 141 and to receive interrupts from the interrupt controller 141. Thus, the fault interface 172 includes at least one signal conductor connecting the mailbox 156 to the interrupt controller 141. Each mailbox interrupt includes a severity identifier that indicates the severity of the error. As a non-limiting example, the severity identifier may be a numeric value from a minimum value (e.g., zero) to a maximum value (e.g., seven). As another non-limiting example, the interrupt may have an interrupt number that is a priori encoded to indicate the severity. The processor 140 and/or the processor 150 may write fault information to the mailbox 156. The failure information includes information about the error that caused the failure, such as the name of the logical block where the error occurred, the logical block diagnosis identifier, the nature of the failure, and a severity identifier.

Integrating the SI 110 into the vehicle SoC 104 may allow a number of separate components (e.g., volatile memory 136 and non-volatile memory 138) to be omitted from the vehicle processing system 102 if the optional external control unit 106 is also omitted. Nevertheless, it is necessary to isolate the SI 110 from the other components 160 of the vehicle SoC 104 (e.g., the main CPU complex 120, the auxiliary safety unit 122, the circuitry 124, the volatile memory 126, and the non-volatile memory 128) so that problems that may occur in one or more of the other components 160 do not adversely affect the SI 110. For example, such isolation may help to ensure that the SI 110 is not affected by a stall condition that occurs in one or more of the other components 160 of the vehicle SoC 104. Non-limiting examples of the types of stall conditions that may occur in one or more of the other components 160 include random failures, clock problems, power problems, and/or voltage problems. Due to the spatial proximity and one or more interfaces 200 (see FIG. 2 ) that the SI 110 shares with other components 160 of the vehicle SoC 104, such a stall condition may be transferred to the SI 110, thereby preventing the SI 110 from executing fallback and/or fail-safe functions integrated into the vehicle SoC 104. The vehicle processing system 102 thus isolates the SI 110 from the other components 160 of the vehicle SoC 104, providing isolation comparable to that between the vehicle SoC 104 and the optional external control unit 106. Such isolation may be provided by the first and second clocks 112 and 114, the first and second power connections 118A and 118B, and the interfaces 200.

The first (SoC) clock 112 is separate from the second (SI) clock 114 (e.g., including a separate reference crystal), which helps to isolate the SI 110 from the other components 160 of the vehicle SoC 104. Similarly, the first power connection 118A is separate from the second power connection 118B, which helps to isolate the SI 110 from the other components 160 of the vehicle SoC 104. As mentioned above, the SI 110 may operate in a separate SI voltage domain from the other components 160 of the vehicle SoC 104. However, even with the separate second (SI) clock 114 and the separate second power connection 118B, the SI 110 still communicates with the other components 160 of the vehicle SoC 104 via an interface 200 (see FIG. 2).

The logic block 148 includes a clock and reset circuit 230 (see FIG. 2) connected to a dedicated second (SI) clock 114. The dedicated second (SI) clock 114 may be used as a reference clock for the clock and reset circuit 230. For example, the clock and reset circuit 230 may include an internal dedicated phase-locked loop (PLL) used to derive other functional and debug clocks for the SI 110. As a non-limiting example, the clock and reset circuit 230 may provide debug and test clock signals that may be derived from the PLL. The clock and reset circuit 230 may generate all clock and reset signals used within the SI 110. That is, the clock and reset circuit 230 may generate clock signals and resets used within the SI domain. Additionally or alternatively, the second (SI) clock 114 may be used directly as one or more functional clocks of the logic block 148. In this manner, SI 110 uses locally generated clock signals and resets and/or clock signals provided by the second (SI) clock 114. SI 110 does not use clock signals or resets from other components 160. Clock and reset circuit 230 helps ensure that perturbations from logic generating resets (e.g., reset blocks) in other components 160 do not reach the components of SI 110.

2 is a diagram of an interface 200 connecting the SI 110 to other components 160 of the automotive SoC 104, according to at least one embodiment. Referring to FIG. 2, the interface 200 provides logical separation of the circuitry and logic of the SI 110 within the automotive SoC 104. In the illustrated embodiment, the interface 200 includes a fault interface 172, a volatile memory interface 200A, a first control backbone interface 200B, a second control backbone interface 200C, a secure content interface 200D, a debug interface 200E, and a test interface 200F. The fault interface 172 may not be logically separate from the SoC fault aggregator 152, but each fault interface may pass through or include one or more voltage level shifters 240. Each voltage level shifter 240 provides electrical separation between the SI voltage domain and the SoC voltage domain. Although each of the voltage level shifters 240 provides electrical isolation, the voltage level shifters 240 may not provide adequate isolation for some types of faults, such as interrupt storms, fault storms, and/or continuous assertions. The SI fault aggregator 142 may include one or more status bits 242 that receive fault information via the fault interface 172 and provide notification of such faults to the instructions 149 executed by the processor 140. In the illustrated embodiment, the status bits 242 include status bits "BT1", "BT2", and "BT3" (see FIG. 4). The instructions 149 instruct the processor 140 to use the notification to mitigate a stall condition that occurs at the fault interface 172.

The volatile memory interface 200A is an interface between the processor 140 and the volatile memory 126 of the vehicle SoC 104. The volatile memory interface 200A allows the processor 140 to write information to and read information from the volatile memory 126. The volatile memory interface 200A includes one or more connections to the volatile memory 126, such as wires, signal traces, etc. The volatile memory interface 200A may include a logical isolation control 220, an access timer 222, and a domain synchronization circuit 224. The logical isolation control 220 includes a gate or locking mechanism that can be selectively locked and unlocked by the processor 140. The access timer 222 allows access attempts initiated by the processor 140 to time out.

The domain synchronization circuit 224 includes a phase-locked loop and a voltage level shifter. The phase-locked loop serves to synchronize the phase of signals communicated across the SI and SoC domains generated using separate first and second clocks 112 and 114 (see FIG. 1). The reset generated by the clock and reset circuit 230 can be used by any element that crosses the SI and SoC voltage and clock domains, such as the phase-locked loop. The phase-locked loop has a SoC portion and an SI portion, each of which can function as a separate synthesis top. The SoC portion physically resides in the SoC domain, and the SI portion physically resides in the SI domain. Logic in both the SI and SoC portions uses the reset generated by the clock and reset circuit 230. Thus, a reset generated by the SI 110 may be used by logic on the vehicle SoC 104, which may operate at a lower ASIL than the SI 110, but a reset generated by the vehicle SoC 104 is not communicated to the SI 110 and cannot be used by the SI 110. As a non-limiting example, the phase-locked loop may be implemented as a split first-in-first-out (FIFO), or the like. The voltage level shifter of the domain synchronization circuit 224 is substantially identical to the voltage level shifter 240 and may adjust the voltage of signals transmitted through the SI and SoC voltage domains to allow the signals to communicate safely through the SI and SoC domains. If the access timer 222 indicates that an access by the processor 140 has timed out, the request may be removed from the domain synchronization circuit 224 (e.g., popped from the split FIFO).

When the volatile memory interface 200A is unlocked, the processor 140 can access the volatile memory 126, which starts the access timer 222. If the access timer 222 indicates that more than a first predetermined time has elapsed and no response has been received from the volatile memory 126, the processor 140 indicates a safety fault and uses the logical isolation control unit 220 to lock the volatile memory interface 200A. Optionally, it locks any of the unlocked interfaces 200, and optionally takes one or more actions configured to return the vehicle platform 100 (see FIG. 1) to a safe state. On the other hand, if a response is received before the access timer 222 indicates that the first predetermined time has elapsed, the access timer 222 resets itself, the processor 140 completes the access, and the processor 140 locks the volatile memory interface 200A after the access is completed. Thus, the volatile memory interface 200A remains locked whenever the processor 140 is not accessing the volatile memory 126. This helps protect the SI 110 from faults and/or outages migrating from the volatile memory 126 to the SI 110.

The first control backbone interface 200B and the second control backbone interface 200C are interfaces between the processor 140 and the control backbone 210. The control backbone 210 may be implemented as a bus or the like. The first control backbone interface 200B is for communication from the processor 140 to the control backbone 210, and the second control backbone interface 200C is for communication from the control backbone 210 to the processor 140. As a non-limiting example, the processor 140 can access at least some of the other components 160 of the vehicle SoC 104 (e.g., the circuit 124, the mailbox 156, and the non-volatile memory 128) via the control backbone 210.

The first control backbone interface 200B allows the processor 140 to send commands and/or information to the control backbone 210. The first control backbone interface 200B may include a logical isolation control 220, an access timer 222, a domain synchronization circuit 224, and a firewall 226. The logical isolation control 220 of the first control backbone interface 200B is substantially identical to and functions substantially identically to the logical isolation control 220 of the volatile memory interface 200A. Thus, the logical isolation control 220 of the first control backbone interface 200B allows the processor 140 to lock and unlock the first control backbone interface 200B. The access timer 222 of the first control backbone interface 200B allows access attempts initiated by the processor 140 to time out. The domain synchronization circuit 224 of the first control backbone interface 200B is substantially identical to and functions substantially identically to the domain synchronization circuit 224 of the volatile memory interface 200A. The firewall 226 of the first control backbone interface 200B implements one or more security rules and allows or blocks each communication based on the security rules.

The second control backbone interface 200C allows the processor 140 to receive instructions and/or information from the control backbone 210. The second control backbone interface 200C may include a logical isolation control unit 220, a domain synchronization circuit 224, and a firewall 226. The logical isolation control unit 220 of the second control backbone interface 200C is substantially identical to and functions substantially identically to the logical isolation control unit 220 of the volatile memory interface 200A. Thus, the logical isolation control unit 220 of the second control backbone interface 200C allows the processor 140 to lock and unlock the second control backbone interface 200C. The domain synchronization circuit 224 of the second control backbone interface 200C is substantially identical to and functions substantially identically to the domain synchronization circuit 224 of the volatile memory interface 200A. The firewall 226 of the second control backbone interface 200C implements one or more security rules and allows or blocks each communication based on the security rules.

The secure content interface 200D is an interface between the processor 140 and the secure content circuit 212. The secure content interface 200D allows the processor 140 to receive instructions and/or information (e.g., secure and/or confidential content) from the secure content circuit 212. The secure content interface 200D may include a logical isolation control 220 and a domain synchronization circuit 224. The logical isolation control 220 of the secure content interface 200D is substantially identical to and functions substantially identically to the logical isolation control 220 of the volatile memory interface 200A. Thus, the logical isolation control 220 of the secure content interface 200D allows the processor 140 to lock and unlock the secure content interface 200D. The domain synchronization circuit 224 of the secure content interface 200D is substantially identical to the domain synchronization circuit 224 of the volatile memory interface 200A and functions substantially identically.

The debug interface 200E is an interface between the processor 140 and the debug circuit 214. The debug interface 200E allows the processor 140 to receive instructions and/or information from the debug circuit 214. The debug interface 200E may include a logical isolation control unit 220 and a domain synchronization circuit 224. The logical isolation control unit 220 of the debug interface 200E is substantially identical to and functions substantially identically to the logical isolation control unit 220 of the volatile memory interface 200A. Thus, the logical isolation control unit 220 of the debug interface 200E allows the processor 140 to lock and unlock the debug interface 200E. The domain synchronization circuit 224 of the debug interface 200E is substantially identical to and functions identically to the domain synchronization circuit 224 of the volatile memory interface 200A. As previously described, the SI 110 and the other components 160 operate in separate clock domains. In one or more embodiments, the SI 110 is not provided with a signal from one or more external clocks of other components 160 of the vehicle SoC 104, such as the debug circuit 214. The debug functions performed by the vehicle SoC 104 receive a debug clock signal via the domain synchronization circuit 224 of the debug interface 200E. This signal switches or converts the debug functions performed by the vehicle SoC 104 to using the debug clock signal generated by the SI 110 and/or the second (SI) clock 114. While the SI 110 is in mission mode (e.g., while the vehicle is moving), the debug logic is not used, so the SI 110 includes a first clock gate on the debug clock to prevent possible interference caused by the debug clock signal. As a non-limiting example, the first clock gate can be a component of the clock and reset circuit 230. The first clock gate can be controlled (e.g., selectively switched on and off) using a first configuration bit set by the processor 140.

The test interface 200F is an interface between the processor 140 and the test circuit 216. The test interface 200F allows the processor 140 to receive instructions and/or information from the test circuit 216. The test interface 200F may include a logical isolation control unit 220 and a domain synchronization circuit 224. The logical isolation control unit 220 of the test interface 200F is substantially identical to and functions substantially identically to the logical isolation control unit 220 of the volatile memory interface 200A. Thus, the logical isolation control unit 220 of the test interface 200F allows the processor 140 to lock and unlock the test interface 200F. The domain synchronization circuit 224 of the test interface 200F is substantially identical to and functions substantially identically to the domain synchronization circuit 224 of the volatile memory interface 200A. As previously mentioned, external signals from one or more of the other components 160 of the vehicle SoC 104, such as the test circuitry 216, are prevented by this configuration from being provided to the SI 110. The test functions performed by the vehicle SoC 104 receive a test clock signal via the domain synchronization circuitry 224 of the debug interface 200E. This signal switches or converts the test functions performed by the vehicle SoC 104 to using the test clock signal generated by the SI 110 and/or the second (SI) clock 114. While the SI 110 is in mission mode (e.g., while the vehicle is moving), the test logic is not used, so the SI 110 includes a second clock gate on the test clock to prevent possible interference caused by the test clock signal. As a non-limiting example, the second clock gate can be a component of the clock and reset circuitry 230. The second clock gate can be controlled (e.g., selectively turned on and off) using a second configuration bit set by the processor 140.

SI 110 has at least two operating modes: isolated or cocoon mode and non-isolated mode. When SI 110 is operating in cocoon mode, the only information from the vehicle SoC 104 that is allowed to enter SI 110 is fault information, which enters SI 110 via fault interface 172. In this manner, SI fault aggregator 142 maintains a cumulative health state of the vehicle SoC 104 and SI 110. On the other hand, when SI 110 is operating in non-isolated mode, information can enter SI 110 via one or more of interfaces 200. Whether SI 110 is operating in cocoon mode or non-isolated mode is determined at least in part by instructions 149 executed by processor 140 and at least in part by interface 200.

To help prevent potential safety-critical issues occurring in other components 160 of the vehicle SoC 104 from reaching the SI 110 through one or more of the interfaces 200, each of the interfaces 200 includes a separate logical isolation control 220 that can be selectively locked or unlocked by the processor 140. When the locking mechanism of the logical isolation control 220 is locked by the processor 140, the locking mechanism prevents all communication between the vehicle SoC 104 and the SI 110 through the locked interface. On the other hand, the interface can be unlocked by the processor 140 to allow such communication through the unlocked interface. Thus, the processor 140 can selectively put the SI 110 into a cocoon mode or a non-isolated mode. Whenever all the interfaces 200 are locked, the processor 140 cannot access either the volatile memory 126 or the non-volatile memory 128, and executes instructions 149 stored in the volatile memory 146 (e.g., SRAM) present in the SI 110.

3, each block of the method 300 described herein includes a computing process that may be performed using any combination of hardware, firmware, and/or software. For example, various functions may be performed by a processor (e.g., processor 140 shown in FIG. 1, FIG. 2, and FIG. 4) executing instructions (e.g., instructions 149 shown in FIG. 1, FIG. 2, and FIG. 4) stored in a memory (e.g., volatile memory 146 shown in FIG. 1, FIG. 2, and FIG. 4). The method 300 may also be embodied as computer usable instructions stored on a computer storage medium. The method 300 may be provided by a standalone application, a service or a host service (standalone or in combination with another host service), or a plug-in to another product, to name a few. Also, the method 300 is described with respect to the vehicle platform 100 of FIG. 1 as an example. However, the method 300 may additionally or alternatively be performed by any one system or any combination of systems, including but not limited to those described herein.

FIG. 3 is a flow diagram illustrating a method 300 for transitioning the SI 110 between the cocoon mode and the non-isolated mode, according to some embodiments of the present disclosure. For ease of explanation, the method 300 is described as being performed by the processor 140 (see FIGS. 1, 2, and 4). Referring to FIG. 3, in a first block 302, the processor 140 determines that it is necessary to communicate with one of the other components 160 (see FIGS. 1 and 2) of the vehicle SoC 104. For example, this communication may occur via the volatile memory interface 200A or the first control backbone interface 200B. Each of these interfaces allows the SI 110 to initiate communication with the other components 160 of the vehicle SoC 104. Alternatively, this communication may occur via the second control backbone interface 200C, the secure content interface 200D, the debug interface 200E, or the test interface 200F. Each of these interfaces allows the SI 110 to receive communications initiated by other components 160 of the vehicle SoC 104. As mentioned above, regardless of whether the SI 110 is in cocoon mode or non-isolated mode, communications occur through the fault interface 172 (see FIG. 2).

Whenever the processor 140 needs to communicate with a particular one of the other components 160 of the vehicle SoC 104, the processor 140 determines that it is safe to communicate with that particular component before attempting communication. To make this determination, in block 304, the processor 140 may check the contents of the SI fault aggregator 142, which receives fault information from the SoC fault aggregator 152, which is external to the SI 110, via a fault interface 172 (see FIG. 2). As mentioned above, the fault interface 172 is not logically separate from the SoC fault aggregator 152, but each fault interface may pass through or include a voltage level shifter 240 that provides electrical isolation between the SI voltage domain and the SoC voltage domain.

In decision block 306, the processor 140 determines whether a fault is detected in the SI fault aggregator 142. If at least one fault is detected, i.e., if a fault identified for one or more of the other components 160 is reported by the SoC fault aggregator 152 to the SI fault aggregator 142, the determination in decision block 306 is "yes". The processor 140 may detect the fault using a status bit 242 in the SI fault aggregator 142. The status bit 242 may be characterized to track the health of the vehicle SoC 104. Alternatively, the SI fault aggregator 142 may notify the processor 140 of the fault by sending an interrupt to the processor 140. Otherwise, if no fault is detected, the determination in decision block 306 is "no".

If the determination at decision block 306 is "yes," then at block 308, the processor 140 may take one or more corrective actions. The corrective actions may serve to place the vehicle in a safe condition. By way of non-limiting example, such corrective actions may include braking the vehicle, slowing the vehicle, routing the vehicle to a shoulder, etc. The processor 140 may then return to block 304.

If the determination in decision block 306 is "no", in block 310, the processor 140 unlocks the locking mechanism of the logical isolation control unit 220 of a specific interface among the interfaces 200 connected to a specific component if the locking mechanism of the specific interface is locked. In other words, the processor 140 can determine that a specific component of the vehicle SoC 104 can be safely accessed through the specific interface if no fault is stored in the SI fault aggregator 142. Therefore, the processor 140 unlocks the specific interface in block 310.

Next, in block 312, the processor 140 can send a communication to or receive a communication from the particular component through the unlocked particular interface. The particular interface automatically starts the access timer 222 for the particular interface. Once the particular interface is unlocked, the processor 140 can initiate one or more strongly ordered accesses (one at a time) to the vehicle SoC 104. The access timer 222 starts automatically for each access. Thus, the access timer 222 can start counting down as soon as the particular access is initiated by the processor 140.

In decision block 314, processor 140 determines whether a timeout has occurred. If access timer 222 has exceeded the first predetermined time and indicates that a response has not been received from the particular component, then decision block 314 returns a "yes" determination. Otherwise, if a response is received from the particular component before access timer 222 has exceeded the first predetermined time, then decision block 314 returns a "no" determination.

If the determination at decision block 314 is "yes," then at block 316, the processor 140 indicates that a safety fault has occurred. Next, at block 318, the processor 140 locks the locking mechanism of the logical isolation control 220 of the particular interface, optionally locks the locking mechanism of the logical isolation control 220 of any other interfaces that are unlocked, and optionally takes one or more actions configured to return the vehicle platform 100 to a safe state.

On the other hand, if the determination at decision block 314 is "no," then at block 320, the processor 140 completes the communication. The access timer 222 is automatically reset. Next, at block 318, the processor 140 locks the locking mechanism of the particular interface. Thus, the method 300 ensures that the interface 200 remains locked whenever the processor 140 is not accessing one of the other components 160 of the vehicle SoC 104. The method 300 then ends.

The SI 110 can avoid accessing the shared non-volatile memory 128 by copying the instructions 149 (e.g., critical instructions for putting the system into a safe state) from the shared non-volatile memory 128 to its internal volatile memory 146 when the vehicle SoC 104 is booted. The processor 140 can authenticate and verify the instructions 149 before the SI 110 enters a mission mode that enables the vehicle's driving cycle. The SI 110 can operate simultaneously in the mission mode and either the cocoon mode or the non-isolated mode. The instructions 149 remain in the volatile memory 146. This can avoid the processor 140 accessing the shared non-volatile memory 128. For example, non-critical data such as application code, fusion data, etc. can be retrieved from the shared volatile memory 126 using an internal Direct Memory Access (DMA) engine 402 (see FIG. 4) included in the SI 110. DMA engine 402 may optionally be a component of processor 140. A failure of DMA engine 402 does not adversely affect processor 140 because processor 140 continues to execute instructions 149 stored in volatile memory 146, even if DMA engine 402 fails while paging data retrieved from shared volatile memory 126.

4 is a diagram of a fault interface 172 according to some embodiments of the present disclosure. Referring to FIG. 4, the logic blocks LB(1)-LB(N) of the vehicle SoC 104 may have associated first fault aggregators 260-1-260-N, respectively. The first fault aggregators 260-1-260-N aggregate faults generated by the logic blocks LB(1)-LB(N), respectively, and transmit a first aggregated fault signal to the auxiliary safety unit 122 of the vehicle SoC 104. The auxiliary safety unit 122 implements a second SoC fault aggregator 152 that aggregates the first aggregated fault signals received from the first fault aggregators 260-1-260-N and transmits one or more second aggregated fault signals, if present, to the optional external control unit 106 (see FIG. 1). When the optional external control unit 106 is notified of the fault by the second aggregated fault signal, the optional external control unit 106 can take one or more actions from among several possible actions. First, the optional external control unit 106 can clear the fault. Second, the optional external control unit 106 can take corrective action. Third, the optional external control unit 106 can notify an external system (e.g., one or more external microcontrollers, one or more external agents, etc.). However, as previously mentioned, in some embodiments the optional external control unit 106 may be omitted.

With reference to FIG. 1, as previously mentioned, while SI 110 is isolated from the other components 160 of the vehicle SoC 104, at least some communication needs to be enabled between SI 110 and the other components 160 of the vehicle SoC 104. In particular, faults occurring in logic blocks LB(1)-LB(N) of the vehicle SoC 104 must be communicated to SI 110 via fault interface 172. One way to provide such communication is to have the first fault aggregators 260-1-260-N (see FIG. 4) transmit a first aggregated fault signal directly to SI 110. To do so, fault interface 172 needs to include separate transmission lines or signal conductors between SI 110 and each of the first fault aggregators 260-1-260-N. This is complicated by the isolation of SI 110 from the other components 160 of the vehicle SoC 104. For example, referring to FIG. 2, voltage level shifter 240 must include a separate voltage level shifter for each signal conductor. Furthermore, the greater the number of signal conductors between SI 110 and other components 160 on vehicle SoC 104, the more vulnerable SI 110 becomes to interference generated on vehicle SoC 104.

4, each of the SoC fault aggregators 152 can be connected to the SI 110 by three signal conductors: (1) a corrected error signal conductor 410, (2) an uncorrected error signal conductor 412, and (3) a SoC fault aggregator signal conductor 414. This arrangement allows the fault interface 172 to report faults from logic blocks LB(1)-LB(N) to the SI 110 without including so many conductors in the fault interface 172 that they would cause electrical interference, and without making the fault interface 172 so large that it would cause congestion in the vehicle SoC 104 and/or the SI 110. The signal conductors 410, 412, and 414 can set status bits "BT1", "BT2", and "BT3", respectively. After each of the status bits is set, it can subsequently be cleared by the processor 140.

The mailbox 156 may be connected to the interrupt controller 141 of the SI 110 by a mailbox interrupt signal conductor 416. Each of the signal conductors 410-416 may be implemented as a wire, a signal trace, or the like.

5A is a flow diagram illustrating a method 500 of communicating a fault to the SI 110 (see FIGS. 1, 2, 4, 8, and 10) according to some embodiments of the present disclosure. Referring now to FIG. 5A, each block of the method 500 described herein includes a computing process that may be performed using any combination of hardware, firmware, and/or software. For example, various functions may be performed by a processor (e.g., the processor 150 shown in FIGS. 1 and 4) executing instructions stored in a memory. At least a portion of the method 500 may also be embodied as computer usable instructions stored on a computer storage medium. The method 500 may be provided by a standalone application, a service or a host service (standalone or in combination with another host service), or a plug-in to another product, to name a few. Also, the method 500 is described with respect to the vehicle platform 100 of FIG. 1 as an example. However, the method 500 may additionally or alternatively be performed by any one system or any combination of systems, including but not limited to those described herein.

For ease of explanation, method 500 is described as being performed by a particular one of the SoC fault aggregators 152 (see FIGS. 1, 2, and 4). That is, method 500 may be performed by hardware. Referring to FIG. 5A, in a first block 502, the particular SoC fault aggregator receives a first aggregated fault signal from at least a portion of first fault aggregators 260-1 through 260-N (see FIGS. 2 and 4).

In block 506, the particular SoC fault aggregator aggregates the first aggregated fault signals, which identify faults caused by the corrected errors, into a corrected error signal. Then, in block 508, the particular SoC fault aggregator transmits the corrected error signal to the SI 110 (see FIGS. 1, 2, 4, 8, and 10) via the corrected error signal conductor 410 (see FIG. 4). In block 510, the particular SoC fault aggregator sends an interrupt for each corrected error to the interrupt controller 154 (see FIGS. 1 and 4). The interrupt controller 154 forwards the interrupt to the processor 150 (see FIGS. 1 and 4) of the auxiliary safety unit 122 (see FIGS. 1 and 4). Each interrupt notifies the processor 150 of the corrected error associated with the interrupt.

In block 512, the particular SoC fault aggregator starts a corrected error timer 420C (see FIG. 4) for the first corrected error identified in the corrected error signal.

In decision block 514, the particular SoC fault aggregator determines whether the first corrected error has been cleared from the particular SoC fault aggregator. If the first corrected error has been cleared before the corrected error timer 420C (see FIG. 4) indicates that the second predetermined time has elapsed, the decision in decision block 514 is "yes". Otherwise, the decision in decision block 514 is "no". If the decision in decision block 514 is "yes", then in block 515, the particular SoC fault aggregator takes no action. On the other hand, if the decision in decision block 514 is "no", then the particular SoC fault aggregator proceeds to decision block 516.

In decision block 516, the processor 150 determines whether the corrected error timer 420C (see FIG. 4) indicates that more than a second predetermined time has elapsed, i.e., whether the corrected error timer 420C has timed out or expired. If the second predetermined time has elapsed, the decision at decision block 516 is "yes." Otherwise, the decision at decision block 516 is "no." If the decision at decision block 516 is "yes," the particular SoC fault aggregator proceeds to block 518. Otherwise, if the decision at decision block 516 is "no," the particular SoC fault aggregator returns to decision block 514 and waits for the first corrected error to be cleared by the processor 150. Thus, the particular SoC fault aggregator continues to monitor whether the first corrected error has been cleared and whether the corrected error timer 420C has expired. If the first corrected error is cleared before the corrected error timer 420C expires, the particular SoC fault aggregator takes no action at block 515. On the other hand, if the corrected error timer 420C expires before the first corrected error is cleared, the particular SoC fault aggregator proceeds to block 518. At block 518, the particular SoC fault aggregator sends a SoC fault aggregator signal to the SI 110 (see FIGS. 1, 2, 4, 8, and 10) via the SoC fault aggregator signal entity 414 (see FIG. 4).

In block 520, the particular SoC fault aggregator aggregates the first aggregated fault signals received in block 502, which identify faults caused by uncorrected errors, into an uncorrected error signal. Then, in block 522, the particular SoC fault aggregator transmits the uncorrected error signal to the SI 110 (see FIGS. 1, 2, 4, 8, and 10) via the uncorrected error signal conductor 412 (see FIG. 4). In block 524, the particular SoC fault aggregator sends an interrupt for each uncorrected error to the interrupt controller 154 (see FIGS. 1 and 4). The interrupt controller 154 forwards the interrupt to the processor 150 (see FIGS. 1 and 4) of the auxiliary safety unit 122 (see FIGS. 1 and 4). Each interrupt notifies the processor 150 of the uncorrected error associated with the interrupt.

In block 526, the particular SoC fault aggregator starts an uncorrected error timer 420U (see FIG. 4) for the first uncorrected error identified in the uncorrected error signal.

In decision block 528, the particular SoC fault aggregator determines whether the first uncorrected error has been cleared from the particular SoC fault aggregator. If the first uncorrected error has been cleared before the uncorrected error timer 420U (see FIG. 4) indicates that the third predetermined time has elapsed, the decision in decision block 528 is "yes". Otherwise, the decision in decision block 528 is "no". If the decision in decision block 528 is "yes", then in block 529, the particular SoC fault aggregator takes no action. If the decision in decision block 528 is "no", then the particular SoC fault aggregator proceeds to decision block 530.

In decision block 530, processor 150 determines whether uncorrected error timer 420U indicates that more than a third predetermined time has elapsed, i.e., whether uncorrected error timer 420U (see FIG. 4) has timed out or expired. If the third predetermined time has elapsed, the decision of decision block 530 is "yes." Otherwise, the decision of decision block 530 is "no." If the decision of decision block 530 is "yes," the particular SoC fault aggregator proceeds to block 532. On the other hand, if the decision of decision block 530 is "no," the particular SoC fault aggregator returns to decision block 528 and waits for the first uncorrected error to be cleared by processor 150. Thus, the particular SoC fault aggregator continues to monitor whether the first uncorrected error has been cleared and whether uncorrected error timer 420U has expired. If the first uncorrected error is cleared before the uncorrected error timer 420U expires, the particular SoC fault aggregator takes no action at block 529. On the other hand, if the uncorrected error timer 420U expires before the first uncorrected error is cleared, the particular SoC fault aggregator proceeds to block 532. In block 532, the particular SoC fault aggregator sends a SoC fault aggregator signal to the SI 110 (see FIGS. 1, 2, 4, 8, and 10) via the SoC fault aggregator signal entity 414 (see FIG. 4). At this point, the method 500 ends.

FIG. 5B is a flow diagram illustrating a method 540 that the processor 150 (see FIGS. 1 and 4) may use to process an interrupt received from the SoC fault aggregator 152 (see FIGS. 1, 2, and 4) according to some embodiments of the present disclosure. Referring now to FIG. 5B, each block of the method 540 described herein includes a computing process that may be performed using any combination of hardware, firmware, and/or software. For example, various functions may be performed by a processor (e.g., the processor 150) executing instructions stored in a memory. At least a portion of the method 540 may also be embodied as computer usable instructions stored on a computer storage medium. The method 540 may be provided by a standalone application, a service or a host service (standalone or in combination with another host service), or a plug-in to another product, to name a few examples. Also, the method 540 is described with respect to the vehicle platform 100 of FIG. 1 as an example. However, method 540 may additionally or alternatively be performed by any one system or any combination of systems, including but not limited to those described herein.

For ease of explanation, method 540 is described as being performed by processor 150 (see FIGS. 1 and 4). Referring to FIG. 5B, in a first block 541, processor 150 receives a particular interrupt from a particular one of SoC fault aggregators 152. Then, in block 542, processor 150 may triage one or more errors identified in the particular interrupt and take one or more corrective actions to address the errors.

If a problem occurs while processor 150 is triaging the error and/or taking corrective action, processor 150 may not be able to continue processing the particular interrupt. If this occurs, the determination at decision block 543 is "yes" and processor 150 takes no further action with respect to the particular interrupt in block 544. On the other hand, if processor 150 is able to triage the particular interrupt and, optionally, take corrective action, the determination at decision block 543 is "no". If the determination at decision block 543 is "no", in block 545 processor 150 writes information related to the particular interrupt to mailbox 156, which processor 140 can read. Then, in block 546, processor 150 sends a mailbox interrupt to interrupt controller 141 via mailbox interrupt signal conductor 416. The mailbox interrupt indicates the severity of the error identified in the interrupt received in block 541.

Next, in decision block 547, processor 150 determines whether processor 150 should clear the fault that generated the particular interrupt from the particular SoC fault aggregator. If processor 150 determines to clear the fault, the decision in decision block 547 is "yes". Otherwise, the decision in decision block 547 is "no". The decision in decision block 547 may be "yes" if the corrective action taken by processor 150 was able to address the error or the fault was generated by a corrected error (e.g., an error corrected by one of logic blocks LB(1)-LB(N)). As another non-limiting example, the decision in decision block 547 may be "yes" if processor 150 receives a mailbox interrupt from processor 140 indicating that processor 140 has cleared the error. If the decision in decision block 547 is "no", in block 548, processor 150 does not take further action with respect to the particular interrupt. On the other hand, if the determination at decision block 547 is "yes," then at block 549, processor 150 clears the fault from the particular SoC fault aggregator. Processor 150 may notify processor 140 that the fault has been cleared from the particular SoC fault aggregator. Method 540 then ends.

FIG. 5C is a flow diagram illustrating a method 550 that the SI 110 (see FIGS. 1, 2, 4, 8, and 10) may use to process corrected and uncorrected error signals, according to some embodiments of the present disclosure. Now, referring to FIG. 5C, each block of the method 550 described herein includes a computing process that may be performed using any combination of hardware, firmware, and/or software. For example, various functions may be performed by a processor (e.g., processor 140 shown in FIGS. 1, 2, and 4) executing instructions (e.g., instructions 149 shown in FIGS. 1, 2, and 4) stored in a memory (e.g., volatile memory 146 shown in FIGS. 1, 2, and 4). At least a portion of the method 550 may also be embodied as computer usable instructions stored on a computer storage medium. The method 550 may be provided by a standalone application, a service or a host service (standalone or in combination with another host service), or a plug-in to another product, to name a few examples. Also, the method 550 is described with respect to the vehicle-mounted platform 100 of FIG. 1 as an example. However, the method 550 may additionally or alternatively be performed by any one system or any combination of systems, including but not limited to those described herein.

For ease of explanation, method 550 is described as being performed by SI fault aggregator 142 (see FIGS. 1, 2, and 4) and processor 140 (see FIGS. 1, 2, and 4). Referring to FIG. 5C, in a first block 552, SI fault aggregator 142 of SI 110 (see FIGS. 1, 2, 4, 8, and 10) receives a corrected error signal that sets status bit "BT1" and/or an uncorrected error signal that sets status bit "BT2". When SI fault aggregator 142 receives a corrected error signal on corrected error signal conductor 410, in block 554, SI fault aggregator 142 sends an interrupt to interrupt controller 141 of processor 140 (see FIGS. 1, 2, and 4). The interrupt informs processor 140 of the corrected error.

In decision block 556, processor 140 (see FIGS. 1, 2, and 4) determines whether it has received a mailbox interrupt from processor 150 (see FIGS. 1 and 4) via mailbox interrupt signal conductor 416. If a mailbox interrupt has been received, the mailbox interrupt indicates the severity of the corrected error. If processor 140 has received a mailbox interrupt, the decision at decision block 556 is "yes." Otherwise, the decision at decision block 556 is "no." If the decision at decision block 556 is "no," then in block 558, processor 140 waits to receive either a mailbox interrupt or a SoC fault aggregator signal. If the decision at decision block 556 is "yes," processor 140 proceeds to decision block 560.

At decision block 560, processor 140 (see FIGS. 1, 2, and 4) determines whether to read mailbox 156. This determination may be based at least in part on the severity of the corrected errors communicated to processor 140 by the mailbox interrupt. For example, processor 140 may determine not to read mailbox 156 if the severity of the corrected errors is equal to or greater than a threshold (e.g., 7) and may determine to read mailbox 156 if the severity of the corrected errors is below the threshold. If the determination at decision block 560 is "yes," then at block 562, processor 140 reads mailbox 156. Processor 140 then proceeds to block 564, where processor 140 clears the corrected errors, for example, by unsetting status bit "BT1." If the determination at decision block 560 is "no," processor 140 proceeds to block 564, where processor 140 clears the corrected errors, for example, by unsetting status bit "BT1." Before processor 140 clears the corrected error from SI fault aggregator 142, processor 140 may wait for notification from processor 150 that the fault corresponding to the corrected error has been cleared from the particular SoC fault aggregator. However, since the error has been corrected, in some embodiments processor 140 may simply clear the corrected error without first receiving such notification.

When the SI fault aggregator 142 receives an uncorrected error signal on the uncorrected error signal conductor 412, in block 566, the SI fault aggregator 142 sends an interrupt to the interrupt controller 141 (see Figures 1, 2, and 4) of the processor 140. The interrupt informs the processor 140 of the uncorrected error.

In decision block 568, processor 140 (see FIGS. 1, 2, and 4) determines whether a mailbox interrupt has been received from processor 150 (see FIGS. 1 and 4) via mailbox interrupt signal conductor 416. If a mailbox interrupt has been received, the mailbox interrupt indicates the severity of the uncorrected error. If processor 140 has received a mailbox interrupt, the decision at decision block 568 is "yes." Otherwise, the decision at decision block 568 is "no." If the decision at decision block 568 is "no," then in block 558 processor 140 waits to receive either a mailbox interrupt or a SoC fault aggregator signal. If the decision at decision block 568 is "yes," processor 140 proceeds to decision block 570.

At decision block 570, processor 140 (see FIGS. 1, 2, and 4) determines whether to read mailbox 156. This determination may be based at least in part on the severity of the uncorrected errors. For example, processor 140 may determine not to read mailbox 156 if the severity of the uncorrected errors is equal to or greater than a threshold (e.g., 7) and may determine to read mailbox 156 if the severity of the corrected errors is below the threshold. If the determination at decision block 570 is "yes," then at block 572, processor 140 reads mailbox 156. Processor 140 then proceeds to block 573. If the determination at decision block 570 is "no," processor 140 proceeds to block 573.

In decision block 573, processor 140 determines whether to take one or more corrective actions. If the answer at decision block 573 is "yes," then in block 574, processor 140 takes corrective action, such as applying the vehicle brakes. Processor 140 then proceeds to block 575.

If the determination at decision block 573 is "no", the processor 140 proceeds to decision block 575. At decision block 575, the processor 140 determines whether to notify the external system 404. If the determination at decision block 575 is "yes", at block 576, the processor 140 notifies the external system 404 and proceeds to block 578. If the determination at decision block 575 is "no", the processor 140 proceeds to block 578.

In block 578, the processor 140 sends a mailbox interrupt to the mailbox 156 and/or clears the uncorrected error, for example, by unsetting the status bit "BT2". Optionally, the processor 140 may write fault information to the mailbox 156. Before the processor 140 clears the uncorrected error from the SI fault aggregator 142, the processor 140 may wait for notification from the processor 150 that the fault corresponding to the uncorrected error has been cleared from the particular SoC fault aggregator. The method 550 then ends. The mailbox interrupt may be received by the processor 150 and used in decision block 547 (see FIG. 5B) in determining whether the processor 150 should clear the fault corresponding to the uncorrected error. The processor 150 may optionally read the fault information written by the processor 140 to the mailbox 156 before making this determination.

FIG. 5D is a flow diagram illustrating a method 580 that the SI 110 (see FIGS. 1, 2, 4, 8, and 10) may use to process a SoC fault aggregator signal, according to some embodiments of the present disclosure. Now, referring to FIG. 5D, each block of the method 580 described herein includes a computing process that may be performed using any combination of hardware, firmware, and/or software. For example, various functions may be performed by a processor (e.g., processor 140 shown in FIGS. 1, 2, and 4) executing instructions (e.g., instructions 149 shown in FIGS. 1, 2, and 4) stored in a memory (e.g., volatile memory 146 shown in FIGS. 1, 2, and 4). At least a portion of the method 580 may also be embodied as computer usable instructions stored on a computer storage medium. The method 580 may be provided by a standalone application, a service or a host service (standalone or in combination with another host service), or a plug-in to another product, to name a few examples. Also, the method 580 is described with respect to the vehicle-mounted platform 100 of FIG. 1 as an example. However, the method 580 may additionally or alternatively be performed by any one system or any combination of systems, including but not limited to those described herein.

For ease of explanation, the method 580 is described as being performed by the SI fault aggregator 142 (see FIGS. 1, 2, and 4), the processor 140 (see FIGS. 1, 2, and 4), and the SoC error handling circuit 422 (see FIG. 4). The SoC error handling circuit 422 may be implemented as a component of the SI fault aggregator 142. Referring to FIG. 5D, in a first block 582, the SI fault aggregator 142 (see FIGS. 1, 2, and 4) receives a SoC fault aggregator signal that sets a status bit "BT3".

As shown by the dashed arrow in FIG. 5D, when the SI fault aggregator 142 (see FIGS. 1, 2, and 4) receives the SoC fault aggregator signal, the SoC error handling circuit 422 (see FIG. 4) of the SI 110 may automatically proceed to block 584 and automatically transmit a SoC error signal including the SoC error to the external system 404 (see FIG. 4) via the connection 406 (see FIG. 4). Alternatively, the SoC error handling circuit 422 may proceed to block 586 and start the SoC fault timer 424 (see FIG. 4). The SoC fault timer 424 may cause a delay between when the SoC fault aggregator signal is received and when the external system 404 is notified. While the SoC fault timer 424 is running, the processor 140 may take one or more corrective actions. If the corrective action is successful, processor 140 may clear the uncorrected error by unsetting status bit "BT2" and clear the SoC fault aggregator error by unsetting status bit "BT3". Clearing the SoC fault aggregator error stops SoC fault timer 424. Before processor 140 clears the uncorrected error from SI fault aggregator 142, processor 140 may wait for notification from processor 150 that the fault corresponding to the uncorrected error has been cleared from the particular SoC fault aggregator.

After the SoC fault timer 424 is started, in decision block 588, the SoC error processing circuit 422 determines whether the SoC fault timer 424 indicates that the fourth predetermined time has elapsed. If the SoC fault timer 424 indicates that the fourth predetermined time has elapsed and the SoC fault aggregator error has not been cleared, the determination in decision block 588 is "yes." On the other hand, if the SoC fault aggregator error is cleared before the SoC fault timer 424 indicates that the fourth predetermined time has elapsed, the determination in decision block 588 is "no."

If the determination at decision block 588 is "no," then at block 590 the SoC error handling circuit 422 waits for the SoC fault timer 424 to indicate that the fourth predetermined time has elapsed. On the other hand, if the determination at block 588 is "yes," then at block 584 the SoC error handling circuit 422 transmits a SoC error signal via connection 406 (see FIG. 4) to the external system 404 (see FIG. 4) including a SoC error indicating that the first uncorrected error has not been cleared and that the SoC fault aggregator error is asserted. The SoC fault timer 424 may automatically stop and/or reset when the SoC error is sent. Alternatively, the SoC error handling circuit 422 may reset the SoC fault timer 424, or the SoC fault timer 424 may simply expire without the SoC error handling circuit 422 taking any action.

After the SI fault aggregator 142 (see FIGS. 1, 2, and 4) receives the SoC fault aggregator signal, in block 592, the SI fault aggregator 142 may send an interrupt to the processor 140. In block 594, the processor 140 triages the first uncorrected error. In decision block 595, the processor 140 determines whether to take one or more corrective actions. If the processor 140 determines to take one or more corrective actions, the decision in decision block 595 is "yes." Otherwise, the decision in decision block 595 is "no." If the decision in decision block 595 is "no," the processor 140 proceeds to block 596 and takes no action. On the other hand, if the decision in decision block 595 is "yes," in block 597, the processor 140 takes corrective actions.

Next, in block 598, the processor 140 sends a mailbox interrupt to the mailbox 156 and/or clears the SoC fault aggregator error, for example by unsetting the status bit "BT3" and clearing the uncorrected error by unsetting the status bit "BT2". Clearing the SoC fault aggregator error stops the SoC fault timer 424. The mailbox interrupt sent to the mailbox 156 may indicate that the uncorrected error has been cleared and/or that the processor 140 has taken corrective action in block 597. Optionally, the processor 140 may write the fault information to the mailbox 156. Before the processor 140 clears the SoC fault aggregator error and the uncorrected error from the SI fault aggregator 142, the processor 140 may wait for notification from the processor 150 that the fault corresponding to the uncorrected error has been cleared from the particular SoC fault aggregator. The method 580 then ends. The mailbox interrupt is received by processor 150, which can clear the fault corresponding to the uncorrected error. Processor 150 can optionally read the fault information written by processor 140 to mailbox 156 before clearing the fault.

5A-5D, the vehicle SoC 104 includes a processor 150. In at least some embodiments, the processor 150 may be omitted. In such embodiments, the method 540 is not performed. For each fault, the particular SoC fault aggregator generates and sends a SoC fault aggregator error to the SI fault aggregator 142 (blocks 518 and 532). Since the processor 150 is not present, a mailbox interrupt is not sent to the interrupt controller 141, and thus the processor 140 waits for a SoC fault aggregator signal before the processor 140 operates (block 558 of FIG. 5C). Then, when a SoC fault aggregator error is received (block 582 of FIG. 5D), the SI 110 goes to other components 160 to triage (block 594 of FIG. 5D) each corrected and uncorrected error received in the method 550 (see FIG. 5C). If the triage is successful, the processor 140 takes corrective action (block 597 of FIG. 5D). On the other hand, if the triage is unsuccessful, the processor 140 takes no action (block 596 of FIG. 5D). This causes the SoC error handling circuit 422 to send a SoC error (without software intervention) (block 584 of FIG. 5D) after the SoC fault timer 424 expires. The SoC error is notified to the external system 404 (e.g., the optional external control unit 106, one or more external microcontrollers, one or more external agents, etc.), allowing the external system 404 to return the vehicle platform 100 (see FIG. 1) to a safe state.

6A-6C show example actions that the SI 110 may take when the SI 110 is notified of a particular fault by at least one of a corrected error signal, an uncorrected error signal, or a SoC fault aggregator signal. FIG. 6A shows an example signal timing diagram of signals transmitted and received by the processor 140 after a low severity uncorrected error (e.g., minimum value) is asserted, according to some embodiments of the present disclosure. Lines 612A-618A in FIG. 6A represent the uncorrected error signal, the mailbox interrupt signal, the SoC fault aggregation signal, and the SoC error signal, respectively. The uncorrected error signal, the mailbox interrupt signal, the SoC fault aggregation signal, and the SoC error signal are synchronized with a clock signal represented by line 610A. The clock signal represented by line 610A is generated based on a second (SI) clock 114 (see FIG. 1) in the SI domain.

Line 612A represents an uncorrected error signal conducted by uncorrected error signal conductor 412 (see FIG. 4) to SI fault aggregator 142. A portion 622A of line 612A represents an assertion of an uncorrected error. After receiving the uncorrected error signal (e.g., block 552 of FIG. 5C), SI fault aggregator 142 sends an interrupt to processor 140 (e.g., block 566 of FIG. 5C).

Next, in FIG. 6A, interrupt controller 141 receives a mailbox interrupt (decision block 568 of FIG. 5C is determined to be "yes"). A portion 626A of line 614A represents a mailbox interrupt (sent by processor 150) indicating the severity of an uncorrected error. Because the mailbox interrupt indicates that the severity of the particular fault is low, processor 140 decides to access mailbox 156 (e.g., decision block 570 of FIG. 5C is determined to be "yes") and reads the contents of mailbox 156 (e.g., block 572 of FIG. 5C). If mailbox 156 contains fault information (created by processor 150) indicating that the particular fault has been cleared, processor 140 clears the particular fault in SI fault aggregator 142 (e.g., block 578 of FIG. 5C). If this occurs before the corrected error timer 420U expires, the SoC fault aggregator 152 does not assert a SoC fault aggregator error (e.g., block 529 of FIG. 5A).

On the other hand, if the contents of mailbox 156 do not indicate that processor 150 has cleared the particular fault, processor 140 may decide to take one or more corrective actions (e.g., a "yes" determination at decision block 573 of FIG. 5C). If the corrective action (e.g., taken at block 574 of FIG. 5C) is successful, processor 140 may notify processor 150 to deassert the error (or clear the fault). For example, processor 140 may send a mailbox interrupt to processor 150 and/or write fault information to mailbox 156. After processor 150 receives this notification and deasserts the error, processor 150 notifies processor 140 that the error has been deasserted (e.g., via an uncorrected error signal, a mailbox interrupt, and/or fault information stored in mailbox 156). After receiving this notification, processor 140 may clear the error by, for example, unsetting status bit "BT2" (e.g., block 578 of FIG. 5C). A portion 624A of line 612A represents the deassertion of the uncorrected error after processor 140 reads mailbox 156 and takes corrective action. Curved arrow 628A represents the delay between when processor 140 receives the mailbox interrupt and when processor 140 deasserts the error (or clears the fault).

If the corrective action is successful, the processor 140 may send a mailbox interrupt to the mailbox 156 indicating that the processor 140 has cleared the particular fault (e.g., block 578 of FIG. 5C). Optionally, the processor 140 may write the fault information to the mailbox 156. The processor 150 receives the mailbox interrupt, determines that the particular fault has been corrected by the processor 140 (e.g., the determination of decision block 547 is "yes"), and clears the particular fault from the SoC fault aggregator 152 (e.g., block 549 of FIG. 5B). If this occurs before the uncorrected error timer 420U expires, the SoC fault aggregator 152 does not assert a SoC fault aggregator error (e.g., block 529 of FIG. 5A). Thus, the SoC fault aggregator 152 monitors a particular fault to ensure that it has been handled by one of the processors 140 and 150, and when the particular fault has not been cleared before the uncorrected error timer 420U expires, the SoC fault aggregator 152 notifies the SoC error handling circuit 422. As described above, after the processor 150 deasserts the error, the processor 150 notifies the processor 140 that the error has been deasserted (e.g., via an uncorrected error signal, a mailbox interrupt, and/or fault information stored in the mailbox 156), and the processor 140 can clear the error in the SI fault aggregator 142.

Line 616A represents the SoC fault aggregation signal, indicating that the SoC fault aggregation error was not asserted. Thus, the uncorrected fault was cleared before the uncorrected error timer 420U expired.

Line 618A represents a SoC error signal that may be sent to external system 404 (e.g., optional external control unit 106, one or more external microcontrollers, one or more external agents, etc.) via connection 406. Because the uncorrected error was handled and the SoC fault aggregation error was not asserted, line 618A indicates that SI 110 does not notify external system 404 of the uncorrected error (e.g., decision block 575 is "no").

FIG. 6B illustrates an example signal timing diagram of signals transmitted and received by processor 140 after a high severity uncorrected error (e.g., maximum value) is asserted, according to some embodiments of the present disclosure. Lines 612B-618B in FIG. 6B represent an uncorrected error signal, a mailbox interrupt signal, a SoC fault aggregation signal, and a SoC error signal, respectively. The uncorrected error signal, the mailbox interrupt signal, the SoC fault aggregation signal, and the SoC error signal are synchronized with a clock signal represented by line 610B. The clock signal represented by line 610B is generated based on a second (SI) clock 114 (see FIG. 1) in the SI domain.

Line 612B represents an uncorrected error signal conducted by uncorrected error signal conductor 412 (see FIG. 4) to SI fault aggregator 142. A portion 622B of line 612B represents an assertion of an uncorrected error. After receiving the uncorrected error signal (e.g., block 552 of FIG. 5C), SI fault aggregator 142 sends an interrupt to processor 140 (e.g., block 566 of FIG. 5C).

Next, in FIG. 6B, the interrupt controller 141 receives a mailbox interrupt (e.g., decision block 568 of FIG. 5C is determined to be "yes"). A portion 624B of the line 614B represents the mailbox interrupt, which indicates that the first uncorrected error has a high severity (e.g., 7). Because the mailbox interrupt indicates a high severity of the particular fault, the processor 140 determines not to access the mailbox 156 (e.g., decision block 570 of FIG. 5C is determined to be "no"). For example, the processor 140 may determine that it is too dangerous to access other components 160 of the vehicle SoC 104, and doing so may adversely affect the SI 110. In FIG. 6B, the processor 140 also determines not to take one or more corrective actions (e.g., decision block 573 of FIG. 5C is determined to be "no"). In FIG. 6B, the uncorrected error is not deasserted because the SI 110 is unable to take one or more corrective actions.

However, the processor 140 decides to notify the external system 404 (see FIG. 4) by sending a SoC error in the SoC error signal (e.g., decision block 575 of FIG. 5C is "yes"). The processor 140 then sends the SoC error signal (e.g., block 576 of FIG. 5C). Thus, in FIG. 6B, if the severity of the fault is high (e.g., maximum), the SI 110 may decide not to access the vehicle SoC 104, not to take corrective action, and instead notify the external system 404. Line 618B represents the SoC error signal sent by the SI 110 to the external system 404, and a portion 626B of line 618B represents the assertion of the SoC error. Line 616B represents the SoC fault aggregation signal, not yet indicating that the SoC fault aggregation error is asserted. Thus, the SI 110 recognizes that an uncorrected error is not being handled and decides to notify the external system 404 before the SoC fault aggregation error is asserted.

FIG. 6C illustrates an example signal timing diagram of signals transmitted and received by the processor 140 after an uncorrected error (e.g., maximum value) is asserted, but the SI 110 has not received a mailbox interrupt, according to some embodiments of the present disclosure. Lines 612C-618C in FIG. 6C represent the uncorrected error signal, the mailbox interrupt signal, the SoC fault aggregation signal, and the SoC error signal, respectively. The uncorrected error signal, the mailbox interrupt signal, the SoC fault aggregation signal, and the SoC error signal are synchronized with a clock signal represented by line 610C. The clock signal represented by line 610C is generated based on a second (SI) clock 114 (see FIG. 1) in the SI domain.

Line 612C represents an uncorrected error signal conducted by uncorrected error signal conductor 412 (see FIG. 4) to SI fault aggregator 142. A portion 622C of line 612C represents an assertion of an uncorrected error. After receiving the uncorrected error signal (e.g., block 552 of FIG. 5C), SI fault aggregator 142 sends an interrupt to processor 140 (e.g., block 566 of FIG. 5C).

In FIG. 6C, line 614C does not indicate that a mailbox interrupt has been received. Thus, in this example, interrupt controller 141 does not receive a mailbox interrupt (e.g., decision block 568 of FIG. 5C is determined to be "no"). This may occur, for example, if processor 150 is unable to complete triage of the uncorrected error (e.g., block 542 of FIG. 5B) and processor 150 is unable to send a mailbox interrupt (decision block 543 of FIG. 5C is determined to be "yes") (e.g., block 544 of FIG. 5B). Thus, processor 140 waits to receive either a mailbox interrupt or a SoC fault aggregator error, whichever occurs first (e.g., block 558 of FIG. 5C).

Line 628C represents a third predetermined time and indicates that the uncorrected error timer 420U has expired. The uncorrected error timer 420U can expire because neither the processor 140 nor the processor 150 was able to clear the first uncorrected error (e.g., the determination of decision block 530 of FIG. 5A is "yes"). This causes the particular one of the SoC fault aggregators 152 that sent the uncorrected error signal to the SI 110 and the interrupt to the processor 150 to send a SoC fault aggregator signal to the SI fault aggregator 142 via the SoC fault aggregator signal conductor 414 (e.g., block 532 of FIG. 5A). The SI fault aggregator 142 receives the SoC fault aggregator signal (e.g., block 582 of FIG. 5D). A portion 624C of line 616C represents an SI fault aggregator error sent by a particular SoC fault aggregator to SI 110. Curved arrow 630C represents the delay between when SI 110 receives the uncorrected error and when SI 110 receives the SI fault aggregator error.

After receiving the SI fault aggregator signal (e.g., block 582 of FIG. 5D), the SI fault aggregator 142 sends an interrupt to the processor 140 (e.g., block 592 of FIG. 5D). The processor 140 may then triage the first uncorrected error (e.g., block 594 of FIG. 5D) to determine whether to take corrective action. If the processor 140 is unable to take corrective action (e.g., a "no" determination at decision block 595 of FIG. 5D), the SoC error handling circuit 422 sends a SoC error signal to the external system 404 (e.g., block 584 of FIG. 5C). A portion 626C of the line 612C represents the SoC error sent to the external system 404. In an embodiment using the SoC fault timer 424, the SoC error is sent when the SoC fault timer 424 expires. In FIG. 6C, the line 632C indicates that a fourth predetermined time has elapsed. This means that the SoC fault timer 424 has expired. The curved arrow 634C represents the delay between when the SI 110 receives the SI fault aggregator error and when the SI 110 asserts the SoC error. Thus, the hardware in the SI 110 notifies the external system 404, which attempts to return the vehicle platform 100 to a safe state.

Referring to FIG. 2, as previously described, SI 110 and other components 160 of the automotive SoC 104 share the volatile memory 126. However, SI 110 may operate within a first risk classification level, while other components 160 of the automotive SoC 104 operate within a lower, second risk classification level. For example, SI 110 may operate in ASIL-D, while other components of the automotive SoC, including volatile memory 126 and the communication paths between SI 110 and volatile memory 126 (e.g., interconnect, memory controller, etc.), may operate in ASIL-B.

To allow the SI 110 to share the volatile memory 126 with other components 160 of the on-board SoC 104, a separate dedicated memory area (called a "carve-out" 250) is created in the volatile memory 126 for exclusive use by the SI 110. The carve-out 250 may be invisible to memory management software (e.g., Rich OS memory management software) executed by the main CPU complex 120 (see FIG. 1). The carve-out 250 may be created and configured at boot time and may remain dedicated to the SI 110 for a given boot cycle. For example, the size of the carve-out 250 may be determined by a user-editable software parameter used by software (e.g., executed by the main CPU complex 120) to configure the carve-out 250. The carve-out 250 may be divided into a first subsection 252 (see FIG. 8) and a second subsection 254 (see FIG. 8). SI 110 may access carve-out portion 250 via a communication path operating at a first risk classification level, and any access by SI 110 to carve-out portion 250 via that communication path may be subject to security authorization checks as described below.

SI 110 includes an error detection block 272. This block includes hardware that is disposed between other components of SI 110 and carve-out portion 250. Thus, error detection block 272 may be implemented as a component of volatile memory interface 200A. Alternatively, error detection block 272 may be disposed between processor 140 and volatile memory interface 200A. In such an embodiment, one or more signal conductors (e.g., wires, signal traces, etc.) may connect error detection block 272 to each of processor 140 and volatile memory interface 200A.

The hardware of the error detection block 272 may include a code generation sub-block 273 (see FIG. 8). The code generation sub-block 273 may be implemented using a Cyclic Redundancy Check (CRC) code generation circuit that generates a CRC code. Alternatively, the error detection block 272 may include other types of code generation circuitry that generates different types of error detection codes, such as an Error Correction Code (ECC). The hardware of the error detection block 272 determines one or more error detection codes (e.g., CRC codes) for data passing through the error detection block 272. For example, the error detection block 272 may determine a separate error detection code for each byte of data passing through the error detection block 272. The error detection code may be calculated based on the byte and the data address of the carve-out portion 250 where the byte is stored. For example, the following Equation 1 may be used to determine the error detection code for a particular byte of data being written to carve-out portion 250:
crc_out _{Byte x} = CRC (Byte Address, Byte Data) Formula 1

In Equation 1 above, the variable "crc_out _{Byte x} " represents an error detection code calculated based on the byte represented by the variable "Byte Data" and the data address represented by the variable "Byte Address". In Equation 1, the function "CRC" uses the values of the variables "Byte Data" and "Byte Address" as inputs and outputs the value of the variable "crc_out _{Byte x} ". The output of the function "CRC", if present, may be at least partially calculated by the code generation sub-block 273 (see FIG. 8).

After the error detection code is determined, the error detection block 272 determines the code address of the error detection code (e.g., using an offset). For example, the following Equation 2 may be used to determine the error detection code for a particular byte of data being written to the carve-out portion 250:
crc_out_address=write_address+fixed_offset Formula 2

In the above equation 2, the variable "crc_out_address" represents a code address calculated based on the data address represented by the variable "write_address" in bytes and the offset represented by the variable "fixed_offset". As mentioned above, the carve-out portion 250 can be divided into subsections, with a first subsection 252 (see FIG. 8) storing data and a second subsection 254 (see FIG. 8) storing error detection code. Thus, the data address represented by the variable "Byte Address" in the above equation 1 can be placed in the first subsection 252, and the code address represented by the variable "write_address" in the above equation 2 can be placed in the second subsection 254. In such an embodiment, the value of the variable "fixed_offset" may be equal to the size of the first subsection 252 of the carve-out portion 250 to ensure that the error detection code is stored in the second subsection 254. In this manner, address-based separation is used to separate the data from the error detection code, thereby ensuring that a failure in one of the first subsection 252 and the second subsection 254 does not affect the other subsection.

The error detection block 272 creates a delay (e.g., a few clock cycles) between the storage of data in the data address and the storage of the error detection code in the code address. This delay reduces the likelihood that an event (e.g., a transient event) that adversely affects the data also adversely affects the error detection code. That is, the delay helps provide immunity from common cause failures and transient failures, which helps provide protection from problems such as clock glitches. The error detection block 272 can buffer two or more bytes of data and their corresponding error detection codes before storing them in the carve-out portion 250. The error detection block 272 can then store a byte (e.g., 16 bytes) of data in the first subsection 252, followed by a delay. The error detection block 272 can then store the corresponding error detection code (e.g., 16 bytes) in the second subsection 254.

7, each block of the method 700 described herein includes a process that may be performed using any combination of hardware, firmware, and/or software. For example, the method 700 may be performed by the hardware of the error detection block 272 (see FIGS. 2, 8, and 10). As another non-limiting example, one or more functions may be performed by a processor (e.g., the processor 140 shown in FIGS. 1, 2, and 4) executing instructions (e.g., the instructions 149 shown in FIGS. 1, 2, and 4) stored in a memory (e.g., the volatile memory 146 shown in FIGS. 1, 2, and 4). In such an embodiment, at least a portion of the method 700 may also be embodied as computer usable instructions stored on a computer storage medium. The method 700 may be provided by a standalone application, a service or a host service (standalone or in combination with another host service), or a plug-in to another product, to name a few. The method 700 is also described with respect to the vehicle platform 100 of FIG. 1, by way of example. However, method 700 may additionally or alternatively be performed by any one system or any combination of systems, including but not limited to those described herein.

7 is a flow diagram illustrating a method 700 for writing data to the carve-out portion 250 (see FIGS. 2, 8, and 10) according to some embodiments of the present disclosure. For ease of explanation, the method 700 is described as being performed by the error detection block 272 (see FIGS. 2, 8, and 10). Before the method 700 begins, an initiator (e.g., the processor 140, the DMA engine 402, etc.) operating in the SI domain transfers a first write command including data and a data address to the error detection block 272. The initiator may write a predetermined size (e.g., 16 bytes) of data to the carve-out portion 250.

7, in a first block 702, the error detection block 272 (see FIGS. 2, 8, and 10) receives a first write command from an initiator, the first write command including data and a data address. In block 704, the error detection block 272 selects a portion of the data and one of the data addresses corresponding to the portion. As a non-limiting example, the error detection block 272 may select a byte of data and a data address corresponding to the selected byte in block 704. In some embodiments, the first write command may include only a single data address (e.g., the first address). Subsequent data addresses may be determined based on the single address (e.g., by adding a predetermined data size to the single data address). Thus, in some embodiments, a data address may be calculated in block 704 for at least a portion of the data.

Next, in block 706, the error detection block 272 determines an error detection code (e.g., using Equation 1 above) for the portion of the data selected in block 704. Next, in block 708, the error detection block 272 transfers a first write command including the portion of the data selected in block 704 and a corresponding data address to the first subsection 252 (see Figures 8 and 10) of the carve-out portion 250 (see Figures 2, 8, and 10). In accordance with the first write command, the carve-out portion 250 stores the portion at the corresponding data address in the first subsection 252.

In the next block 710, the error detection block 272 (see FIGS. 2, 8, and 10) determines the code address of the error detection code determined in block 706 (e.g., using Equation 2 above). In block 712, the error detection block 272 waits (e.g., for several clock cycles) to send the error detection code to the first subsection 252 (see FIGS. 8 and 10) of the carve-out portion 250 (see FIGS. 2, 8, and 10) for storage in the code address. Thus, in block 712, the error detection block 272 creates a delay between the storage of the data in the data address and the storage of the error detection code in the code address. The error detection block 272 may include a write delay timer (not shown) that is used to determine the time that the error detection block 272 waits in block 712. Thus, the error detection block 272 may wait a fifth predetermined time before sending the error detection code to the carve-out portion 250 for storage in the code address. Next, in block 714, the error detection block 272 transfers a second write command, including the error detection code determined in block 706 and the code address determined in block 710, to the second subsection 254 (see FIGS. 8 and 10) of the carve-out portion 250 (see FIGS. 2, 8, and 10). Thus, to store the data, the error detection block 272 accesses the carve-out portion 250 twice, once in block 708 and once in block 714. In accordance with the second write command, the carve-out portion 250 stores the error detection code at the code address of the second subsection 254.

Next, in decision block 716, error detection block 272 (see Figures 2, 8, and 10) determines whether there is any unstored data. If error detection block 272 determines that at least a portion of the data is not stored, the decision at decision block 716 is "yes." Otherwise, the decision at decision block 516 is "no." If the decision at decision block 716 is "yes," error detection block 272 returns to block 704 to select a new portion of the data. On the other hand, if the decision at decision block 716 is "no," error detection block 272 returns to block 702 to receive new data and a new data address.

As previously described, the error detection block 272 may buffer two or more bytes of data and their corresponding error detection codes before storing them in the carve-out portion 250. For example, each of blocks 706-714 may be performed on multiple blocks of data (e.g., selected in block 704). As a non-limiting example, the error detection block 272 may perform block 706 on two or more bytes of data and then send a first write instruction to the carve-out portion 250 in block 708 with the bytes of data and their corresponding data addresses. For example, the error detection block 272 may send the bytes of data with the first data address to the first subsection 252. The first subsection 252 may write the bytes of data to consecutive memory addresses starting from the first data address. Next, in block 710, the error detection block 272 may determine the code addresses of the two or more error detection codes determined in block 706. In block 712, the error detection block 272 creates a delay between writing the byte of data and writing the error detection code to the carve-out portion 250. Then, in block 714, the error detection block 272 forwards a second write instruction including the error detection code and a code address to the second subsection 254. The second subsection 254 writes the error detection code to the code address. Depending on the details of the implementation, the second write instruction may include only the first code address, and the second subsection 254 may write the error detection code to consecutive memory addresses starting from the first code address.

8 shows an example of the error detection block 272 performing the method 700 (see FIG. 7). The SI 110 may include one or more initiators 800, such as the processor 140, the DMA engine 402, each operating within the SI domain. In FIG. 8, the initiator 800 includes an initiator 802 (e.g., the processor 140). The initiator 802 (e.g., the processor 140) may write data of a predetermined size (e.g., 16 bytes) to the carve-out portion 250. In the example shown in FIG. 8, the initiator 802 sends the 16 bytes of data and a first data address to the error detection block 272. The data is stored or represented in FIG. 8 by a 128-bit array named "wdata_in[127:0]" and the first data address is stored or represented in FIG. 8 by a 40-bit array named "Address_0[39:0]". However, depending on the implementation details, the data may have other sizes, and 128 bits are provided as a non-limiting example. Similarly, the first data address may have other sizes, and 40 bits are provided as a non-limiting example. A first byte of data may be stored at the first data address, and the next data address may be identified for the second byte of data by adding one byte to the first data address, and so on. FIG. 8 shows an initiator 802 sending a first write command 804 on signal 806 to the error detection block 272 over a safe island interconnect 808. As previously described, the first write command 804 includes the data and the first data address. The safety island interconnect 808 may be implemented as a bus or the like.

The safety island interconnect 808 provides the first write command 804 to the error detection block 272 (e.g., block 702 of FIG. 7). In the illustrated embodiment, the safety island interconnect 808 provides the first write command 804 on signals 810-0 through 810-15. Each signal includes one of a byte of data and a first data address. In this embodiment, the error detection block 272 generates an error detection code for each byte of data, where the generated error detection code is a CRC code. The error detection block 272 can begin processing the bytes as they are received on signals 810-0 through 810-15 (e.g., block 704 of FIG. 7).

Next, the code generation sub-block 273 determines an error detection code for each byte of data (e.g., block 706 in FIG. 7). In FIG. 8, the signals conveying the error detection codes and the signal 838 conveying the response from the carve-out section 250 related to the error detection code are indicated by dashed arrows. Thus, the code generation sub-block 273 outputs bytes of data on signals 812-0 to 812-15 and corresponding error detection codes on signals 814-0 to 814-15. The (data) signals 812-0 to 812-15 are routed to the first sub-section 252 for storage, and the (code) signals 814-0 to 814-15 are routed to the second sub-section 254 for storage.

At a first time (e.g., identified in FIG. 8 as "Time=T0"), the error detection block 272 sends the data (e.g., in signals 812-0 to 812-15) and the first data address via the volatile memory interface 200A (see FIG. 2) to the first subsection 252 of the carve-out portion 250. That is, the error detection block 272 sends a first write command to the first subsection 252 of the carve-out portion 250 (e.g., block 708 in FIG. 7). The volatile memory interface 200A communicates the first write command to the carve-out portion 250 via the data backbone and memory subsystem 826 of the vehicle SoC 104 (see FIGS. 1, 2, and 4). In FIG. 8, the first write command is sent by the error detection block 272 to the first subsection 252 on signal 824.

The first subsection 252 writes data to memory by storing a first byte (represented as "Data0" in FIG. 8) at a first data address (represented as "Address_0" in FIG. 8) and writing subsequent bytes to subsequent data addresses after the first data address. This write occurs at a first time, represented as "Time=T0" in FIG. 8. The first subsection 252 then sends a response signal 828 to the initiator 802 confirming that the data has been stored. The response signal 828 is sent by the first subsection 252 to the data backbone and memory subsystem 826, which forwards the response signal 828 to the volatile memory interface 200A (see FIG. 2). When the volatile memory interface 200A is unlocked, the volatile memory interface 200A transfers the response signal 828 to the first (data) buffer 820.

The first (data) buffer 820 reorders the "data write completion responses" received in the response signal 828 from the carve-out section 250. For example, the error detection block 272 can send a pair of write commands A and B to the carve-out section 250 (e.g., in the first write command sent in block 708 of FIG. 7). Write command B is sent by the error detection block 272 after write command A. After the carve-out section 250 writes the data included in the write commands A and B, the carve-out section 250 sends the first and second data write completion responses to the error detection block 272. However, the second data write completion response received for the write command B may arrive at the error detection block 272 before the first data write completion response for the write command A. In this case, the first (data) buffer 820 stores the second data write completion response, waits for the first data write completion response, sends the first data write completion response when it arrives, and sends the second data write completion response after the first data write completion response. Thus, the first (data) buffer 820 places the data write completion responses in the expected order in the response signal 828.

The first (data) buffer 820 forwards the response signal 828 to the safe island interconnect 808, which forwards the response signal 828 to the initiator 802. At this point, in this example, the data (e.g., 16 bytes) has been written to the first subsection 252 in the first single write operation.

The error detection block 272 also determines a first code address based on the first data address (e.g., block 710 of FIG. 7). In FIG. 8, the first code address is calculated by adding 16 MegaBytes (MB) to the first data address. However, depending on the details of the implementation, the offset may have other sizes, and 16 MB is provided as an example. Additionally, the location of the first code address may be determined using other methods and/or calculations.

The error detection block 272 waits (e.g., block 712 in FIG. 7) until a second time (e.g., identified in FIG. 8 as “Time=T1”), which is different from the first time and the second time. At the second time, the error detection block 272 sends the error detection code and the first code address to the second subsection 254 of the carve-out portion 250 via the volatile memory interface 200A (see FIG. 2). That is, the error detection block 272 sends a second write command to the second subsection 254 of the carve-out portion 250 (e.g., block 714 in FIG. 7). The volatile memory interface 200A communicates the second write command to the carve-out portion 250 via the data backbone and memory subsystem 826 of the vehicle SoC 104 (see FIGS. 1, 2, and 4). In FIG. 8, the second write command is sent by the error detection block 272 to the second subsection 254 on signal 834.

The second subsection 254 writes the error detection code to the memory by storing a first error detection code (represented as "CRC0" in FIG. 8) at a first code address (represented as "Address_1" in FIG. 8) and writing subsequent error detection codes at subsequent code addresses after the first code address. The second subsection 254 then sends a response signal 838 to the initiator 802 confirming that the error detection code has been stored. In the embodiment shown in FIG. 8, the response signal 838 is sent by the second subsection 254 to the data backbone and memory subsystem 826, which forwards the response signal 838 to the volatile memory interface 200A (see FIG. 2). When the volatile memory interface 200A is unlocked, the volatile memory interface 200A forwards the response signal 838 to the second (code) buffer 822. The second (code) buffer 822 reorders the "code write completion responses" received in the response signal 838 from the carve-out unit 250. For example, the error detection block 272 determines the first and second error detection codes of the data included in the write instructions A and B, respectively, and sends the first and second error detection codes to the carve-out unit 250 (e.g., in the second write instruction). After the carve-out unit 250 writes the first and second error detection codes to the memory, the carve-out unit 250 sends the first and second code write completion responses to the second (code) buffer 822, respectively. However, the second code write completion response received for the second error detection code may arrive at the error detection block 272 before the first code write completion response for the first error detection code. In this case, the second (code) buffer 822 stores the second code write completion response, waits for the first code write completion response, sends the first code write completion response when it arrives, and sends the second code write completion response after the first code write completion response.

The second (code) buffer 822 may drop the response signal 838. Alternatively, the second (code) buffer 822 may forward the response signal 838 to the safety island interconnect 808, which may forward the response signal 838 to the initiator 802. At this point, in this example, the error detection code (e.g., 16 bytes) has been written to the second subsection 254 in the second single write operation.

The volatile memory interface 200A may include two parallel and optionally dedicated interfaces connecting the error detection block 272 and the volatile memory 126. Data may be sent to a first data address via the first interface, and an error detection code may be sent to a first code address via the second interface. In such an embodiment, the error detection block 272 may send a first write command including data and a first data address (e.g., on signal 824) to the first subsection 252 via the first interface at the same time that the error detection block 272 sends a second write command including the error detection code and the first code address (e.g., on signal 834) to the second subsection 254 via the second interface. Furthermore, the (data) response signal 828 and the (code) response signal 838 may be simultaneously transmitted to the first buffer 820 and the second buffer 822, respectively, via the first and second interfaces, respectively.

When an initiator 802 (e.g., processor 140) of SI 110 wants to read data from carve-out portion 250, SI 110 receives both the data and the error detection code from carve-out portion 250. SI 110 creates a delay between when the data is read from the data address and when the error detection code is read from the code address. This delay reduces the likelihood that an event that affects the data will also affect the error detection code. SI 110 passes the read data through error detection block 272. Error detection block 272 determines the check code of the read data and compares the error detection code to the check code. This comparison can be expressed as Equation 3 below:
CRC_gen(Requested address, Fetched Data)==crc_in _{Byte x} (CRC_address) Formula 3

In Equation 3, the operator "==" indicates whether the expression to the left of the operator "==" is equal to the expression to the right of the operator "==". The variable "Fetched Data" represents at least a portion of the data retrieved in block 906 (e.g., Byte x), the variable "Requested address" represents a data address of the portion of the data, and the variable "CRC_address" represents a code address determined based on the data address of the portion of the data (e.g., Byte x). The function "CRC_gen" uses the values of the variables "Fetched Data" and "Requested address" as inputs, and the function "CRC_gen" outputs a check code for the portion (e.g., Byte x). The function "CRC_gen" may be identical to the function "CRC" in Equation 1 above. The output of the function "CRC_gen", if present, may be at least partially calculated by the code generation sub-block 273 (see FIG. 8). The expression "crc_in _{Byte x} (CRC_address)" represents the error detection code obtained from the code address determined for the portion (e.g., Byte x) using the data address. Thus, Equation 3 determines whether the check code is equal to or matches the error detection code. The error detection block 272 may generate a mismatch error if the check code does not match the error detection code. The error detection block 272 may send the mismatch error to the initiator 802 and the SI fault aggregator 142, which may clear the mismatch error by the safety software implemented by the instructions 149 and executed by the processor 140.

9, each block of the method 900 described herein includes a process that may be performed using any combination of hardware, firmware, and/or software. For example, the method 900 may be performed by the hardware of the error detection block 272 (see FIGS. 2, 8, and 10). As another non-limiting example, one or more functions may be performed by a processor (e.g., the processor 140 shown in FIGS. 1, 2, and 4) executing instructions (e.g., the instructions 149 shown in FIGS. 1, 2, and 4) stored in a memory (e.g., the volatile memory 146 shown in FIGS. 1, 2, and 4). At least a portion of the method 900 may also be embodied as computer usable instructions stored on a computer storage medium. The method 900 may be provided by a standalone application, a service or a host service (standalone or in combination with another host service), or a plug-in to another product, to name a few. The method 900 is also described with respect to the vehicle platform 100 of FIG. 1, by way of example. However, method 900 may additionally or alternatively be performed by any one system or any combination of systems, including but not limited to those described herein.

9 is a flow diagram illustrating a method 900 for reading data from the carve-out section 250 (see FIGS. 2, 8, and 10) according to some embodiments of the present disclosure. For ease of explanation, the method 900 is described as being performed by the error detection block 272 (see FIGS. 2, 8, and 10). Before the method 900 begins, the initiator 802 (see FIG. 8) transfers a first read command including one or more data addresses to the error detection block 272. As a non-limiting example, the first read command may only include a first data address. Referring to FIG. 9, in a first block 902, the error detection block 272 receives a first read command including a data address from the initiator 802. In block 904, the error detection block 272 transfers the first read command to the first subsection 252 and requests the data stored at the data address. If the first read instruction includes only the first data address, the first subsection 252 may read a predetermined amount of data (e.g., 16 bytes) from consecutive memory addresses starting from the first data address. In block 906, the error detection block 272 receives the data stored at the data addresses from the first subsection 252.

Next, in block 908, the error detection block 272 determines (e.g., using Equation 2 above) a code address of an error detection code corresponding to the data. As a non-limiting example, the code address may be determined based at least in part on the data address. For example, in accordance with Equation 2 above, each of the code addresses may be calculated by adding an offset (the value of the variable "fixed_offset") to a corresponding one of the data addresses (the value of the variable "write_address"). Depending on the details of the implementation, the error detection block 272 may only identify a first code address based on the first data address. Next, in block 910, the error detection block 272 waits (e.g., for a few clock cycles) to request the error detection code stored at the code address determined in block 908. Thus, in block 910, the error detection block 272 creates a delay between reading the data and reading the error detection code from the code address. The error detection block 272 may include a read delay timer (not shown) that is used to determine how long the error detection block 272 waits in block 910. Thus, the error detection block 272 may wait a sixth predetermined time before requesting an error detection code from the second section 254.

After waiting, in the next block 912, the error detection block 272 sends a second read instruction to the second subsection 254, including the code addresses determined in block 908, requesting the error detection codes stored at those code addresses. Thus, to read the data, the error detection block 272 accesses the carve-out portion 250 twice, once in block 904 and once in block 912. If the second read instruction includes only the first code address, the second subsection 254 can read a predetermined number of error detection codes (e.g., 16 bytes) from consecutive memory addresses starting from the first code address. In block 914, the error detection block 272 receives the error detection codes stored at the code addresses from the second subsection 254. In block 916, the error detection block 272 determines (e.g., using Equation 1 above) the check code for each of the error detection codes obtained in block 914.

For each error detection code, in decision block 918, the error detection block 272 determines (e.g., using equation 3 above) whether the error detection code matches the check code corresponding to the error detection code. If the error detection code matches its corresponding check code, the decision of decision block 918 is "yes." Otherwise, the decision of decision block 918 is "no." If the decision of decision block 918 is "yes," in block 920, the error detection block 272 transfers the data corresponding to the error detection code to the initiator 802 (see FIG. 8). If the decision of decision block 918 is "no," in block 922, the error detection block 272 generates a mismatch error and sends it to the initiator 802 and the SI fault aggregator 142 (see FIGS. 1, 2, and 4), so that the mismatch error can be cleared by the safety software implemented by the instructions 149 and executed by the processor 140. Optionally, at block 922, the error detection block 272 may attempt to correct the mismatch if the error detection code (e.g., implemented as an ECC) contains information (e.g., bits) that can be used to recover the data. If the error detection block 272 is able to correct the error, the error detection block 272 may omit generating a mismatch error at block 922. After block 920, the error detection block 272 proceeds to block 920 and forwards the data to the initiator 802. The method 900 then ends.

The error detection block 272 can read more than one byte of data and the corresponding error detection code at a time from the carve-out portion 250. For example, each of the blocks 904-914 can be performed on multiple blocks of data. As a non-limiting example, in block 904, the error detection block 272 can send a first read instruction to the first subsection 252 requesting more than one byte of data from a first data address. The first subsection 252 can read bytes of data from consecutive memory addresses starting from the first data address and send the bytes of data to the error detection block 272. The bytes of data are received by the error detection block 272 in block 906. Then, in block 908, the error detection block 272 can determine a code address based on the data address. Depending on the details of the implementation, the error detection block 272 may only identify a first code address based on the first data address. Next, in block 910, the error detection block 272 creates a delay between reading the byte of data and reading the error detection code from the carve-out portion 250. The error detection block 272 can then request the error detection code stored in the carve-out portion 250 for the byte of data obtained in block 906. For example, the error detection block 272 can send a first code address to the second subsection 254. The second subsection 254 can read the error detection codes from consecutive memory addresses starting from the first code address and send the error detection codes to the error detection block 272. The error detection code is received by the error detection block 272 in block 914. The method 900 then continues in block 916.

10 shows an example of the error detection block 272 performing the method 900. In this example, the processor 140 reads 16 bytes of data from the carve-out portion 250, which are stored according to the example shown in FIG. 8. In FIG. 10, the read data is stored or represented by a 128-bit array named "rdata_in[127:0]", and the data is stored starting from a first data address, which is stored or represented by a 40-bit array named "Address_0[39:0]". In FIG. 10, the initiator 802 (e.g., the processor 140) is shown sending a first read command 1004 to the error detection block 272 via the safe island interconnect 808. The safe island interconnect 808 provides the first read command 1004 to the error detection block 272 (e.g., block 902 in FIG. 9).

At a third time (e.g., identified in FIG. 8 as "Time=T3"), the error detection block 272 sends the first data address via the volatile memory interface 200A (see FIG. 2) to the first subsection 252 of the carve-out portion 250. That is, the error detection block 272 transfers the first read command to the first subsection 252 of the carve-out portion 250 (e.g., block 904 in FIG. 9). The volatile memory interface 200A communicates the first read command to the carve-out portion 250 via the data backbone and memory subsystem 826 of the vehicle SoC 104. In FIG. 10, the first read command is sent by the error detection block 272 to the first subsection 252 on signal 1010.

The first subsection 252 reads data from the memory starting with the first byte ("byte 0") at the first data address and reads subsequent bytes from subsequent data addresses after the first data address. The SI 110 can read a predetermined size (e.g., 16 bytes) of data from the carve-out portion 250. The first subsection 252 then sends a response signal 1012 containing the read data to the initiator 802. The response signal 1012 is sent by the first subsection 252 to the data backbone and memory subsystem 826, which forwards the response signal 1012 to the volatile memory interface 200A (see FIG. 2). When the volatile memory interface 200A is unlocked, the volatile memory interface 200A forwards the response signal 1012 to the first (data) buffer 820 (e.g., block 906 in FIG. 9). The data that is read and included in the response signal 1012 automatically indicates data read completion, and may therefore be characterized as a data read completion response. Similar to what the first (data) buffer 820 does for a data write completion response, the first (data) buffer 820 may place the data read completion response in the expected order in the response signal 1012. At this point, in this example, data (e.g., 16 bytes) has been read from the first subsection 252 in a first single read operation and has been placed in the expected order by the first (data) buffer 820.

The error detection block 272 then determines a first code address ("Address_1") based on the first data address (e.g., block 908 in FIG. 9). In FIG. 10, the first code address is calculated by adding (e.g.,) 16 megabytes ("MB") to the first data address ("Address_0").

Next, the error detection block 272 waits (e.g., block 910 in FIG. 9) until a fourth time (e.g., identified in FIG. 10 as "Time=T4"). At the fourth time, the error detection block 272 requests the error detection code stored at the first code address in the second subsection 254 via the volatile memory interface 200A (see FIG. 2). That is, the error detection block 272 sends a second read command to the second subsection 254 of the carve-out portion 250 (e.g., block 912 in FIG. 9). The volatile memory interface 200A communicates the second read command to the carve-out portion 250 via the data backbone and memory subsystem 826 of the vehicle SoC 104. In FIG. 10, the second read command is sent by the error detection block 272 to the second subsection 254 on signal 1014.

The second subsection 254 reads the error detection codes from the memory by reading a first error detection code (e.g., "byte 0") at a first code address and reading subsequent error detection codes from subsequent code addresses after the first code address. In the examples of Figs. 8 and 10, the size of each of the error detection codes is one byte. The second subsection 254 then sends a response signal 1016 containing the error detection code read from the memory to the initiator 802. In Fig. 10, the signal carrying the error detection code and the signal 1014 are indicated by dashed arrows. In the embodiment shown in Fig. 10, the response signal 1016 is sent by the second subsection 254 to the data backbone and memory subsystem 826, which forwards the response signal 1016 to the volatile memory interface 200A (see Fig. 2). Once the volatile memory interface 200A is unlocked, it transfers the response signal 1016 to the second (code) buffer 822 (e.g., block 914 in FIG. 9). The error detection code that is read and included in the response signal 1016 automatically indicates a code read completion. As such, it may be characterized as a code read completion response. Similar to what the second (code) buffer 822 does for a code write completion response, the second (code) buffer 822 may place the code read completion response in the expected order in the response signal 1016. At this point, in this example, the error detection code (e.g., 16 bytes) has been read from the second subsection 254 in a second single read operation and has been placed in the expected order by the second (code) buffer 822.

When the error detection block 272 waits (e.g., block 910 of FIG. 9) until the fourth time (e.g., identified in FIG. 10 as "Time=T4"), the error detection block 272 simply waits a time interval between the first and second read commands. The error detection block 272 may request the error detection code from the second subsection 254 after the error detection block 272 receives the data of the response signal 1012. Alternatively, the error detection block 272 may not wait until it receives the data of the response signal 1012 before requesting the error detection code from the second subsection 254. That is, the fourth time may be determined based on when the first read command is sent, rather than when the response signal 1012 is received.

As previously mentioned, the first (data) buffer 820 can reorder the bytes because the bytes may be out of order in the response signal 1012. Similarly, the second (code) buffer 822 can reorder the error detection codes if they are out of order in the response signal 1016. The first (data) buffer 820 outputs signals 1022-0 to 1022-15, each of which conveys one of the data bytes, and the second (code) buffer 822 outputs signals 1024-0 to 1024-15, each of which conveys one of the error detection codes. Signals 1022-0 to 1022-15 correspond to signals 1024-0 to 1024-15, respectively. The first buffer 820 and the second buffer 822 can route or reorder the signals 1022-0 to 1022-15 and 1024-0 to 1024-15 to place each byte of data in a known location with respect to the error detection code created for the byte. In the example shown in FIG. 10, the bytes conveyed by the signals 1022-0 to 1022-15 are interleaved with the error detection codes conveyed by the signals 1024-0 to 1024-15. Thus, as in FIG. 10, the bytes of data are placed in the locations represented by the shaded blocks b0 to b15, and the error detection codes are placed in the locations represented by the blocks c0 to c15.

Next, code generation sub-block 273 determines a check code (e.g., using Equation 1 above) for each of the bytes of data (e.g., block 916 in FIG. 9). Thus, code generation sub-block 273 receives as input the bytes of data in signals 1022-0 through 1022-15 and the corresponding error detection codes in signals 1024-0 through 1024-15.

For each error detection code, the error detection block 272 determines whether the error detection code matches the check code corresponding to the error detection code (e.g., decision block 918 in FIG. 9). The error detection block 272 indicates whether there is a match in a pass signal 1030 that is forwarded to a logic component 1034, shown in FIG. 10 as being implemented as an AND gate, along with a data signal 1032 that includes the byte of data. If the pass signal 1030 indicates that the error detection code stored for the byte matches the check code created for that byte, the logic component 1034 outputs the byte on a checked data signal 1036 (which includes only the byte of data) and forwards the checked data signal 1036 to the initiator 802. On the other hand, if the pass signal 1030 indicates a mismatch, the logic component 1034 does not forward the byte on the checked data signal 1036 to the initiator 802. Instead, the error detection block 272 may discard the byte and/or replace the byte with information (e.g., zero) indicating that a mismatch occurred. In a non-limiting example, the bit of the byte that generated the mismatch may be set to 0. The checked data signal 1036 is forwarded to the initiator 802 (e.g., block 920 of FIG. 9). The error detection block 272 may generate and send a mismatch error to the initiator 802 (e.g., block 922 of FIG. 9) if the error detection code does not match the check code corresponding to the error detection code. That is, if the path signal 1030 indicates one or more mismatches, the error detection block 272 may generate and send a mismatch error to the initiator 802. Alternatively or additionally, the error detection block 272 may send the mismatch error to the SI fault aggregator 142 as an uncorrected error. Thus, errors that occur in the data or error detection code during storage to and/or retrieval from the carve-out portion 250 may be detected and reported (e.g., as uncorrected errors).

As mentioned above, the volatile memory interface 200A may include two parallel and optionally dedicated interfaces connecting the error detection block 272 and the volatile memory 126. In such an embodiment, the error detection block 272 may send a first read command including a first data address (e.g., in signal 1010) to the first subsection 252 via the first interface at the same time that the error detection block 272 sends a second read command including a first code address (e.g., in signal 1014) to the second subsection 254 via the second interface. Furthermore, the data read from the first subsection 252 (e.g., and transmitted in response signal 1012) and the error detection code read from the second subsection 254 (e.g., and transmitted in response signal 1016) may be transmitted simultaneously via the first and second interfaces, respectively, to the first buffer 820 and the second buffer 822.

2, the error detection block 272 may include or be connected to at least one transaction timer, such as an egress timer 274 and an ingress timer 276, that limit the amount of time the error detection block 272 must read data from and/or write data to the carve-out portion 250. The egress timer 274 and/or the ingress timer 276 may start automatically whenever an access passes through the error detection block 272. For example, the ingress timer 276 may start whenever data passes between the error detection block 272 and the initiator 802 (e.g., the processor 140), and the egress timer 274 may start whenever data passes between the error detection block 272 and the SoC domain (e.g., the carve-out portion 250). Ingress timer 276 may be useful for monitoring the functionality of error detection block 272 and/or for providing a backup function for egress timer 274 (e.g., if egress timer 274 is not functioning properly).

During a write operation, when the initiator 802 passes data to the error detection block 272 to write to the carve-out portion 250 (e.g., at block 702 in FIG. 7), the ingress timer 276 may be started. Thereafter, when the data leaves the error detection block 272 and/or the SI domain (e.g., at block 708 in FIG. 7), the egress timer 274 may be started. The egress timer 274 may be stopped or reset by the error detection block 272 when a response (e.g., response signal 828 shown in FIG. 8) is received from the carve-out portion 250. The ingress timer 276 may be stopped or reset by the error detection block 272 when a response (e.g., response signal 828 shown in FIG. 8) is forwarded to the initiator 802 (see FIG. 8). If the egress timer 274 indicates that the time has elapsed beyond the first threshold time and the error detection block 272 indicates that no response has been received, this means that the initiator 802 has not received a response (e.g., the response signal 828 shown in FIG. 8) from the carve-out portion 250, and the initiator 802 (e.g., the processor 140) generates an egress timeout error. If the ingress timer 276 indicates that the time has elapsed beyond the second threshold time and the error detection block 272 indicates that no response has been sent to the initiator 802, this means that the initiator 802 has not received a response from the carve-out portion 250, and the initiator 802 generates an ingress timeout error.

During a read operation, the ingress timer 276 may be started when the error detection block 272 receives a read request from the initiator 802 (e.g., at block 902 of FIG. 9). The egress timer 274 may then be started when the error detection block 272 requests the data stored at the first data address from the carve-out portion 250 (e.g., at block 904 of FIG. 9). The egress timer 274 may be stopped or reset when the error detection block 272 receives the data from the carve-out portion 250 (e.g., at block 906 of FIG. 9). The egress timer 276 may then be stopped or reset when the error detection block 272 forwards the data to the initiator 802 (e.g., at block 920 of FIG. 9). If the egress timer 274 indicates that the first threshold time has elapsed and the error detection block 272 has not received data from the carve-out portion 250, this means that the initiator 802 has not received data from the error detection block 272 (e.g., in the checked data signal 1036 shown in FIG. 10), and the initiator 802 generates an egress timeout error. If the ingress timer 276 indicates that the second threshold time has elapsed and the error detection block 272 has not sent data to the initiator 802, this means that the initiator 802 has not received data from the carve-out portion 250, and the initiator 802 generates an ingress timeout error.

11 is a block diagram illustrating an error notification generated by the error detection block 272 (see FIGS. 2, 8, and 10) when the error detection block 272 includes or is connected to an egress timer 274 and an ingress timer 276 (see FIG. 2) according to some embodiments. In FIG. 11, an initiator 802 (see FIGS. 8 and 10) sends a signal 1102 including either a first write command 804 (see FIG. 8) or a first read command 1004 (see FIG. 10) to the error detection block 272. As previously described, the egress timer 274 may start during a write operation when data leaves the error detection block 272 and/or the SI domain, and the egress timer 274 may start during a read operation when the error detection block 272 requests data stored at a first data address from the carve-out portion 250. Block 1104 indicates that the egress timer 274 has timed out. The egress timer 274 may time out, for example, if the error detection block 272 does not receive a response (e.g., response signal 828 shown in FIG. 8) from the carve-out portion 250 during a write operation and the time has exceeded a first threshold time. As another non-limiting example, the egress timer 274 may time out if the error detection block 272 does not receive data (e.g., in response signal 1012 shown in FIG. 10) from the error detection block 272 during a read operation and the time has exceeded a first threshold time. When the egress timer 274 times out, the initiator 802 (e.g., processor 140) generates an egress timeout error 1106 and forwards the egress timeout error 1106 to the error logger 1108. On the other hand, if the egress timer 274 has not timed out, the egress timer 274 may be stopped or reset. This may occur if the error detection block 272 receives a response (e.g., response signal 828) from the carve-out portion 250 during a write operation, or receives data (e.g., in response signal 1012) from the carve-out portion 250 during a read operation before the first threshold time has elapsed.

As previously mentioned, the ingress timer 276 may start during a write operation when the initiator 802 passes data to the error detection block 272 to write to the carve-out portion 250 (e.g., at block 702 of FIG. 7). Alternatively, the ingress timer 276 may start during a read operation when the error detection block 272 receives a read request from the initiator 802 (e.g., at block 902 of FIG. 9). Thus, the ingress timer 276 (see FIG. 2) may start when the signal 1102 includes a first read instruction 804 (see FIG. 8) or a first read instruction 1004 (see FIG. 10) that is received by the error detection block 272 (see FIGS. 2, 8, and 10). Block 1114 indicates that the ingress timer 276 has timed out. The ingress timer 276 may time out, for example, if more than the second threshold time has elapsed and the initiator 802 (see FIG. 8) has not received a response (e.g., response signal 828 shown in FIG. 8) from the carve-out 250 during a write operation. As another non-limiting example, the ingress timer 276 may time out if more than the second threshold time has elapsed and the initiator 802 has not received data (e.g., checked data signal 1036 shown in FIG. 10) from the carve-out 250 during a read operation. If the ingress timer 276 times out, the initiator 802 generates an ingress timeout error 1116 and forwards the ingress timeout error 1116 to the error logger 1108. On the other hand, if the ingress timer 276 has not timed out, the ingress timer 276 may be stopped or reset. This can occur when the error detection block 272 transfers a response (e.g., response signal 828) to the initiator 802 during a write operation, or when the error detection block 272 transfers data (e.g., checked data signal 1036) to the initiator 802 during a read operation.

Block 1124 indicates that the code generation sub-block 273 (see FIGS. 2, 8, and 10) of the error detection block 272 (see FIGS. 2, 8, and 10) may generate a code generation/check error 1126 indicating that an error occurred during generation of the error detection code or check code. In some embodiments, the code generation/check error 1126 may be used to indicate that a mismatch occurred. As a non-limiting example, if the signal 1102 includes a first write instruction 804, the code generation sub-block 273 may generate a code generation error while generating the error detection code. As another non-limiting example, if the signal 1102 includes a first read instruction 1004, the error detection block 272 may generate a mismatch error and/or a code generation error while generating the check code, which is forwarded to the error logger 1108 as a code generation/check error 1126.

The error logger 1108 can act as a fault aggregator that aggregates the errors 1106, 1116, and 1126 into an error notification 1130, which the error logger 1108 sends to the SI fault aggregator 142.

When the vehicle SoC 104 first boots, the processor 140 of the SI 110 may attempt to prefetch data from the carve-out portion 250. A prefetch may be characterized as a type of unintentional reading of data from the carve-out portion 250. Because the shared volatile memory 126 is volatile, at this point the carve-out portion 250 may store no error detection code or uninitialized data associated with a mismatch error detection code. To prevent the error detection block 272 from generating a mismatch error, the SI 110 (e.g., the processor 140, the DMA engine 402, etc.) may write one or more error detection codes to the carve-out portion 250 for data that the processor 140 prefetches or may prefetch. As a non-limiting example, the SI 110 may write initial data to the carve-out portion 250. This causes the hardware of the error detection block 272 to determine one or more error detection codes of the initial data, each associated with a code address. SI 110 then enables carve-out section 250 to store each error detection code at its associated code address. Thus, during a prefetch operation, the error detection code stored by second subsection 254 corresponds to the data stored in first subsection 252, and error detection block 272 does not generate a mismatch error.

Referring to FIG. 2, SI 110 may turn off code generation sub-block 273 (see FIGS. 2, 8, and 10) and/or error detection block 272 (e.g., using a software register write) if vehicle platform 100 (see FIG. 1) does not require carve-out portion 250. For example, SI 110 may turn off code generation sub-block 273 and/or error detection block 272 if volatile memory 126 is operating at a sufficient risk level for vehicle platform 100.

It should be understood that this and other arrangements described herein are provided by way of example only. Other arrangements and elements (e.g., machines, interfaces, functions, sequences, groupings of functions, etc.) can be used in addition to or instead of those shown, and some elements can be omitted entirely. Furthermore, many of the elements described herein are functional entities that can be implemented as separate or distributed components, or in conjunction with other components, and in any suitable combination and location. Various functions described herein as being performed by entities can be performed by hardware, firmware, and/or software. For example, various functions can be performed by a processor executing instructions stored in memory.

12 is a diagram of an example autonomous vehicle 1200 according to some embodiments of the present disclosure. The autonomous vehicle 1200 (alternatively referred to herein as "vehicle 1200") may include, but is not limited to, a passenger vehicle such as a car, a truck, a bus, a first responder vehicle, a shuttle, an electric or motorized bicycle, a motorcycle, a fire engine, a police vehicle, an ambulance, a boat, a construction vehicle, a submarine, a drone, and/or another type of vehicle (e.g., unmanned and/or capable of accommodating one or more passengers). Autonomous vehicles are generally described in terms of automation levels as defined by the National Highway Traffic Safety Administration (NHTSA), a division of the U.S. Department of Transportation, and the Society of Automotive Engineers (SAE) in their report on autonomous driving. The vehicle 1200 may function according to one or more of the autonomous driving levels Level 2 through Level 5 as defined by the SAE. For example, vehicle 1200 may be capable of partial driving automation (Level 2), conditional automation (Level 3), high automation (Level 4), and/or full automation (Level 5), depending on the embodiment.

Vehicle 1200 may include components such as a chassis, vehicle body, wheels (e.g., 2, 4, 6, 8, 18, etc.), tires, axles, and other components of the vehicle. Vehicle 1200 may include a propulsion system 1250, such as an internal combustion engine, a hybrid power plant, a fully electric engine, and/or another propulsion system type. Propulsion system 1250 may be connected to a drive train of vehicle 1200, which may include a transmission, to enable propulsion of vehicle 1200. Propulsion system 1250 may be controlled in response to receiving a signal from throttle/accelerator 1252.

A steering system 1254, which may include a steering wheel, may be used to guide the vehicle 1200 (e.g., along a desired path or route) when the propulsion system 1250 is operating (e.g., when the vehicle is moving). The steering system 1254 may receive signals from a steering actuator 1256. The steering wheel may be optional for fully automated (Level 5) functionality.

The brake sensor system 1246 may be used to actuate the vehicle brakes in response to receiving signals from the brake actuator 1248 and/or brake sensor.

The controller 1236, which may include one or more CPUs, system-on-chip (SoC) 1204 (FIG. 14), and/or GPUs, may provide signals (e.g., representing commands) to one or more components and/or systems of the vehicle 1200. For example, the controller may send signals to operate vehicle brakes via one or more brake actuators 1248, to operate a steering system 1254 via one or more steering actuators 1256, and/or to operate a propulsion system 1250 via one or more throttle/accelerators 1252. The controller 1236 may include one or more on-board (e.g., integrated) computing devices (e.g., supercomputers) that process sensor signals and may output operational commands (e.g., signals representing commands) to enable autonomous driving and/or assist a human driver in driving the vehicle 1200. The controllers 1236 may include a first controller 1236 for autonomous driving functions, a second controller 1236 for functional safety functions, a third controller 1236 for artificial intelligence functions (e.g., computer vision), a fourth controller 1236 for infotainment functions, a fifth controller 1236 for redundancy in emergency situations, and/or other controllers. In some examples, a single controller 1236 may handle two or more of the above functions, two or more controllers 1236 may handle a single function, and/or any combination thereof.

Controller 1236 may provide signals to control one or more components and/or systems of vehicle 1200 in response to sensor data (e.g., sensor inputs) received from one or more sensors. Sensor data may include, for example, global navigation satellite system sensors 1258 (e.g., global positioning system sensors), RADAR sensors 1260, ultrasonic sensors 1262, LIDAR sensors 1264, inertial measurement units (IMUs), and the like. The information may be received from, but is not limited to, a vehicle speed sensor 1244 (e.g., for measuring the speed of the vehicle 1200), a vibration sensor 1242, a steering sensor 1240, a brake sensor 1246 (e.g., as part of a brake sensor system 1246), and/or other sensor types.

One or more of the controllers 1236 may receive inputs (e.g., represented by input data) from the instrument cluster 1232 of the vehicle 1200 and provide outputs (e.g., represented by output data, display data, etc.) via a Human Machine Interface (HMI) display 1234, an audible annunciator, a speaker, and/or via other components of the vehicle 1200. The outputs may include information such as vehicle speed, speed, time, map data (e.g., HD map 1222 of FIG. 14), position data (e.g., the position of the vehicle 1200 on a map, etc.), direction, the positions of other vehicles (e.g., occupancy grid), information about objects, and the status of objects as perceived by the controllers 1236. For example, the HMI display 1234 may display information regarding the presence of one or more objects (e.g., road signs, caution signs, traffic light changes, etc.) and/or information regarding a driving maneuver that the vehicle has performed, is performing, or will perform (e.g., changing lanes here, taking exit 34B in 3 kilometers (approximately 2 miles), etc.).

The vehicle 1200 further includes a network interface 1224, which may communicate over one or more networks using one or more wireless antennas 1226 and/or a modem. For example, the network interface 1224 may be capable of communication over LTE, WCDMA, UMTS, GSM, CDMA2000, etc. The wireless antenna 1226 may also enable communication between objects (e.g., vehicles, mobile devices, etc.) in the environment using local area networks such as Bluetooth, Bluetooth LE, Z-Wave, ZigBee, etc., and/or low power wide area networks (LPWANs) such as LoRaWAN, SigFox, etc.

As previously mentioned, in at least some embodiments, the vehicle platform 100 (see FIG. 1) may be a component of an autonomous vehicle 1200. In such embodiments, the controller 1236 includes the vehicle SoC 104.

13 is an example of camera positions and fields of view for the example autonomous vehicle 1200 of FIG. 12, according to some embodiments of the present disclosure. The cameras and respective fields of view are one example and are not intended to be limiting. For example, additional and/or alternative cameras may be included and/or the cameras may be located at different locations on the vehicle 1200.

The camera type of the camera may include, but is not limited to, a digital camera that may be adapted for use with components and/or systems of the vehicle 1200. The camera may operate at Automotive Safety Level (ASIL) B and/or another ASIL. The camera type may be capable of any image capture rate, such as 60 frames per second (fps), 120 fps, 240 fps, etc., depending on the embodiment. The camera may be capable of using a rolling shutter, a global shutter, another type of shutter, or a combination thereof. In some examples, the color filter array may include a Red Clear Clear Clear (RCCC) color filter array, a Red Clear Clear Blue (RCCB) color filter array, a Red Blue Green Clear (RBGC) color filter array, a Foveon X3 color filter array, a Bayer sensor (RGGB) color filter array, a monochrome sensor color filter array, and/or another type of color filter array. In some embodiments, a clear pixel camera, such as a camera having a RCCC, RCCB, and/or RBGC color filter array, may be used to increase light sensitivity.

In some instances, one or more of these cameras may be used to perform Advanced Driver Assistance Systems (ADAS) functions (e.g., as part of a redundant or fail-safe design). For example, a multi-function mono camera may be installed to provide features such as lane departure warning, traffic sign assist, and intelligent headlamp control. One or more of these cameras (e.g., all of the cameras) may simultaneously record and provide image data (e.g., video).

One or more of these cameras can be mounted on a mounting assembly, such as a custom designed (3D printed) assembly, to block stray light and reflections from the interior of the vehicle (e.g., reflections from the dashboard reflected in the windshield mirror) that may interfere with the camera's image data capture capabilities. With reference to a side mirror mounting assembly, the side mirror assembly can be custom 3D printed such that the camera mounting plate matches the shape of the side mirror. In some instances, the camera may be integrated into the side mirror. In the case of a side view camera, the camera may be integrated into four pillars at each corner of the cabin.

A camera with a field of view that includes a portion of the environment in front of the vehicle 1200 (e.g., a front camera) may be used for surround view to help identify the path ahead and obstacles, and to provide information essential for generating an occupancy grid and/or determining preferred vehicle paths using one or more controllers 1236 and/or control SoCs. The front camera can be used to perform many of the same ADAS functions as LIDAR, such as emergency braking, pedestrian detection, and collision avoidance. The front camera can also be used for ADAS functions and systems such as Lane Departure Warning (LDW), Autonomous Cruise Control (ACC), and/or other functions such as traffic sign recognition.

A variety of cameras can be used in a front-facing configuration, such as a monocular camera platform including a complementary metal oxide semiconductor (CMOS) color imager. Another example can be a wide-view camera 1270 that can be used to perceive objects (e.g., pedestrians, crossing traffic, or bicycles) coming into view from the periphery. Although only one wide-view camera is shown in FIG. 13, there can be any number of wide-view cameras 1270 in the vehicle 1200. Also, a long-range camera 1298 (e.g., a long-view stereo camera pair) can be used for depth-based object detection, especially for objects for which the neural network has not yet been trained. The long-range camera 1298 can also be used for basic object tracking, as well as object detection and classification.

One or more stereo cameras 1268 may also be included in the front configuration. The stereo camera 1268 may include an integrated control unit including a scalable processing unit that may provide a multi-core microprocessor with integrated programmable logic (e.g., FPGA) and CAN or Ethernet interfaces in a single chip. Such a unit may be used to generate a 3D map of the vehicle's environment, including distance estimates for all points in the image. Another stereo camera 1268 may include a compact stereo vision sensor that may include two camera lenses (one on the left and one on the right) and an image processing chip that may measure the distance from the vehicle to target objects and use the generated information (e.g., metadata) to activate autonomous emergency braking and lane departure warning functions. Other types of stereo cameras 1268 may be used in addition to or instead of those described herein.

Cameras having a field of view that includes portions of the environment beside the vehicle 1200 (e.g., side-view cameras) can be used for surround view to provide information used to create and update the occupancy grid as well as generate side impact collision warnings. For example, surround cameras 1274 (e.g., four surround cameras 1274 shown in FIG. 13) can be positioned around the vehicle 1200. The surround cameras 1274 can include wide-view cameras 1270, fish-eye cameras, 360-degree cameras, and the like. For example, four fish-eye cameras can be positioned at the front, rear, and sides of the vehicle. In another arrangement, the vehicle can use three surround cameras 1274 (e.g., left, right, and rear) and utilize one or more other cameras (e.g., a forward-facing camera) as a fourth surround view camera.

A camera having a field of view that includes a portion of the environment behind the vehicle 1200 (e.g., a rearview camera) can be used for parking assistance, surround view, rear collision warning, and creating and updating an occupancy grid. As described herein, a variety of cameras can be used, including, but not limited to, cameras that are also suitable as front cameras (e.g., long-range and/or mid-range camera 1298, stereo camera 1268, infrared camera 1272, etc.).

14 is a block diagram of an example system architecture of the example autonomous vehicle 1200 of FIG. 12, according to some embodiments of the present disclosure. It should be understood that this and other arrangements described herein are provided by way of example only. Other arrangements and elements (e.g., machines, interfaces, functions, sequences, groupings of functions, etc.) can be used in addition to or instead of those shown, and some elements can be omitted entirely. Furthermore, many of the elements described herein are functional entities that can be implemented as separate or distributed components, or in conjunction with other components, and in any suitable combination and location. Various functions described herein as being performed by entities can be performed by hardware, firmware, and/or software. For example, various functions can be performed by a processor executing instructions stored in a memory.

Each of the components, features, and systems of the vehicle 1200 of FIG. 14 are shown connected via a bus 1202. The bus 1202 may include a Controller Area Network (CAN) data interface (alternatively referred to herein as a "CAN bus"). The CAN is a network within the vehicle 1200 that may be used to help control various features and functions of the vehicle 1200, such as brake application, acceleration, braking, steering, windshield wipers, etc. The CAN bus may be configured to have tens or hundreds of nodes, each with its own unique identifier (e.g., CAN ID). The CAN bus may be read to find steering wheel angle, ground speed, engine Revolutions Per Minute (RPM), button positions, and/or other vehicle status indicators. The CAN bus may be ASIL B compliant.

Although the bus 1202 is described herein as being a CAN bus, this is not intended to be limiting. For example, FlexRay and/or Ethernet can be used in addition to or instead of a CAN bus. Additionally, a single line is used to represent the bus 1202, but this is not intended to be limiting. There may be any number of buses 1202, which may include, for example, one or more CAN buses, one or more FlexRay buses, one or more Ethernet buses, and/or one or more other types of buses using different protocols. In some instances, two or more buses 1202 may be used to perform different functions and/or for redundancy. For example, a first bus 1202 may be used for collision avoidance functions and a second bus 1202 may be used for actuation control. In any instance, each bus 1202 may communicate with any component of the vehicle 1200, and two or more buses 1202 may communicate with the same component. In some examples, each SoC 1204, each controller 1236, and/or each computer in the vehicle may have access to the same input data (e.g., input from sensors in the vehicle 1200) and may be connected to a common bus, such as a CAN bus.

Vehicle 1200 may include one or more controllers 1236, as described herein with respect to FIG. 12. Controller 1236 may be used for a variety of functions. Controller 1236 may be coupled to any of a variety of other components and systems of vehicle 1200 and may be used for control of vehicle 1200, artificial intelligence of vehicle 1200, infotainment of vehicle 1200, etc.

The vehicle 1200 may include a system on chip (SoC) 1204. The SoC 1204 may include a CPU 1206, a GPU 1208, a processor 1210, a cache 1212, an accelerator 1214, a data store 1216, and/or other components and features not shown. The SoC 1204 may be used to control the vehicle 1200 in a variety of platforms and systems. For example, the SoC 1204 may be combined in a system (e.g., the system of the vehicle 1200) with an HD map 1222 that may obtain map refreshes and/or updates via a network interface 1224 from one or more servers (e.g., server 1278 of FIG. 15).

CPU 1206 may include a CPU cluster or CPU complex (also referred to herein as a "CCPLEX"). CPU 1206 may include multiple cores and/or L2 caches. For example, in some embodiments, CPU 1206 may include eight cores in a coherent multiprocessor configuration. In some embodiments, CPU 1206 may include four dual-core clusters, each with its own dedicated L2 cache (e.g., 2 MB L2 cache). CPU 1206 (e.g., a CCPLEX) may be configured to support concurrent cluster operations such that any combination of CPU 1206 clusters may be active at any given time.

CPU 1206 may implement power management capabilities including one or more of the following features: individual hardware blocks may be automatically clock gated when idle to conserve dynamic power; each core clock may be gated when the core is not actively executing instructions by executing WFI/WFE instructions; each core may be independently power gated; each core cluster may be independently clock gated when all cores are clock gated or power gated; and/or each core cluster may be independently power gated when all cores are power gated. CPU 1206 may further implement an enhanced algorithm for managing power states, where allowed power states and expected wake-up times are specified and hardware/microcode determines the optimal power state to enter for the cores, clusters, and CCPLEX. Processing cores may offload work to microcode to support a simplified power state entry sequence in software.

The GPU 1208 may include an integrated GPU (alternatively referred to herein as an "iGPU"). The GPU 1208 may be programmable and efficient for parallel workloads. In some instances, the GPU 1208 may use an extended tensor instruction set. The GPU 1208 may include one or more streaming microprocessors. Each streaming microprocessor may include an L1 cache (e.g., an L1 cache having at least 96 KB of storage capacity) and two or more of the streaming microprocessors may share an L2 cache (e.g., an L2 cache having 512 KB of storage capacity). In some embodiments, the GPU 1208 may include at least eight streaming microprocessors. The GPU 1208 may use a computer-based Application Programming Interface (API). Additionally, GPU 1208 may use one or more parallel computing platforms and/or programming models (e.g., NVIDIA's CUDA).

GPU 1208 may be power optimized for best performance in automotive and embedded use cases. For example, GPU 1208 may be fabricated on Fin Field-Effect Transistors (FinFETs). However, this is not intended to be limiting and GPU 1208 may be fabricated using other semiconductor manufacturing processes. Each streaming microprocessor may incorporate multiple mixed-precision processing cores partitioned into multiple blocks. For example, and without limitation, 64 PF32 cores and 32 PF64 cores may be partitioned into four processing blocks. In such an example, each processing block may be assigned 16 FP32 cores, 8 FP64 cores, 16 INT32 cores, two mixed-precision NVIDIA tensor cores for deep learning matrix operations, an L0 instruction cache, a warp scheduler, a dispatch unit, and/or a 64 KB register file. Streaming microprocessors may also include independent parallel integer and floating point data paths to provide efficient execution of workloads having a mix of computational and addressing computations. Streaming microprocessors may include independent thread scheduling capabilities to allow finer grained synchronization and coordination between parallel threads. Streaming microprocessors may include a combined L1 data cache and shared memory unit to improve performance while simplifying programming.

The GPU 1208 may include a High Bandwidth Memory (HBM) and/or a 16 GB HBM2 memory subsystem to provide a peak memory bandwidth of approximately 900 GB/sec in some instances. In some instances, a Synchronous Graphics Random-Access Memory (SGRAM), such as Graphics Double Data Rate Type Five Synchronous Random-Access Memory (GDDR5), may be used in addition to or instead of the HBM memory.

The GPU 1208 includes unified memory technology, including access counters, to enable more accurate movement of memory pages to the processors that access them most frequently, thereby improving the efficiency of storage ranges shared between processors. In some instances, Address Translation Service (ATS) support can be used to allow the GPU 1208 to directly access the CPU 1206's page tables. In such instances, when the GPU 1208's Memory Management Unit (MMU) experiences a miss, an address translation request can be sent to the CPU 1206. In response, the CPU 1206 can consult its page table for the virtual-to-physical mapping of the address and send the translation back to the GPU 1208. Thus, the unified memory technology can enable a single unified virtual address space for both CPU 1206 and GPU 1208 memory, which simplifies programming of the GPU 1208 and porting of applications to the GPU 1208.

GPU 1208 may also include access counters that can record how frequently GPU 1208 accesses the memory of other processors. The access counters can help ensure that memory pages are moved to the physical memory of the processors that access the pages most frequently.

The SoC 1204 may include any number of caches 1212, including those described herein. For example, the caches 1212 may include an L3 cache that is available to both the CPU 1206 and the GPU 1208 (e.g., connected to both the CPU 1206 and the GPU 1208). The caches 1212 may include a write-back cache that can record line state, such as using a cache coherence protocol (e.g., MEI, MESI, MSI, etc.). Depending on the embodiment, the L3 cache may include 4 MB or more, although smaller cache sizes may be used.

SoC1204 may include an Arithmetic Logic Unit (ALU) that may be utilized in performing processing for any of the various tasks or operations of vehicle 1200, such as processing the DNN. SoC1204 may also include a Floating Point Unit (FPU) or other math or numeric co-processor type for performing mathematical operations within the system. For example, SoC1204 may include one or more FPUs integrated as execution units within CPU1206 and/or GPU1208.

SoC1204 may include one or more accelerators 1214 (e.g., hardware accelerators, software accelerators, or a combination thereof). For example, SoC1204 may include a hardware acceleration cluster, which may include optimized hardware accelerators and/or large on-chip memory. The large on-chip memory (e.g., 4MB of SRAM) may enable the hardware acceleration cluster to speed up neural network and other calculations. The hardware acceleration cluster may be used to complement GPU1208 and offload some of the tasks of GPU1208 (e.g., to free up more cycles of GPU1208 to perform other tasks). As an example, the accelerator 1214 may be used for target workloads that are sufficiently stable to be suitable for acceleration (e.g., perception, Convolutional Neural Networks (CNNs), etc.). The term "CNN" as used herein may include any type of CNN, including region-based or regional convolutional neural networks (RCNNs) and fast RCNNs (e.g., as used for object detection).

The accelerator 1214 (e.g., a hardware acceleration cluster) may include a deep learning accelerator (DLA). The DLA may include one or more tensor processing units (TPUs) that may be configured to provide an additional 10 trillion operations per second for deep learning applications and inference. The TPU may be an accelerator configured and optimized to perform image processing functions (e.g., CNN, RCNN, etc.). The DLA may further be optimized for a specific set of neural network types and floating-point operations, as well as inference. The design of the DLA may provide more performance per millimeter than a general-purpose GPU, greatly exceeding the performance of a CPU. The TPU can perform several functions, including single-instance convolution functions, such as supporting INT8, INT16, and FP16 data types for both features and weights, as well as post-processor functions.

The DLA can quickly and efficiently perform neural networks, particularly CNNs, on the processed or unprocessed data for any of a variety of functions, including, but not limited to, CNNs for object identification and detection using data from camera sensors, CNNs for distance estimation using data from camera sensors, CNNs for emergency vehicle detection and identification using data from microphones, CNNs for face recognition and vehicle owner identification using data from camera sensors, and/or CNNs for security and/or safety related events.

The DLA can perform any function of the GPU 1208, and by using an inference accelerator, for example, a designer can target either the DLA or the GPU 1208 for any function. For example, a designer can centralize CNN processing and floating point operations in the DLA and delegate other functions to the GPU 1208 and/or other accelerators 1214.

The accelerator 1214 (e.g., a hardware acceleration cluster) may include a Programmable Vision Accelerator (PVA), which may alternatively be referred to herein as a computer vision accelerator. The PVA may be designed and configured to accelerate computer vision algorithms for Advanced Driver Assistance Systems (ADAS), autonomous driving, and/or Augmented Reality (AR) and/or Virtual Reality (VR) applications. The PVA may provide a balance of performance and flexibility. For example, each PVA may include, for example and without limitation, any number of Reduced Instruction Set Computer (RISC) cores, Direct Memory Access (DMA), and/or any number of vector processors.

The RISC cores may interact with an image sensor (e.g., an image sensor of any of the cameras described herein), an image signal processor, etc. Each of the RISC cores may include any amount of memory. The RISC cores may use any of a number of protocols, depending on the embodiment. In some instances, the RISC cores may execute a real-time operating system (RTOS). The RISC cores may be implemented using one or more integrated circuit devices, application specific integrated circuits (ASICs), and/or memory devices. For example, the RISC cores may include an instruction cache and/or tightly coupled RAM.

The DMA may enable components of the PVA to access system memory independent of the CPU 1206. The DMA may support any number of features used to provide optimizations to the PVA, including, but not limited to, supporting multi-dimensional addressing and/or circular addressing. In some instances, the DMA may support addressing in up to six or more dimensions (which may include block width, block height, block depth, horizontal block stepping, vertical block stepping, and/or depth stepping).

A vector processor may be a programmable processor that may be designed to efficiently and flexibly execute computer vision algorithm programming and provide signal processing capabilities. In some instances, the PVA may include a PVA core and two vector processing subsystem partitions. The PVA core may include a processor subsystem, a DMA engine (e.g., two DMA engines), and/or other peripherals. The vector processing subsystem operates as the primary processing engine of the PVA and may include a vector processing unit (VPU), an instruction cache, and/or a vector memory (e.g., VMEM). The VPU core may include a digital signal processor, such as a single instruction, multiple data (SIMD), very long instruction word (VLIW) digital signal processor. The combination of SIMD and VLIW can increase throughput and speed.

Each of the vector processors may include an instruction cache and may be coupled to dedicated memory. As a result, in some instances, each of the vector processors may be configured to execute independently of the other vector processors. In other instances, the vector processors included in a particular PVA may be configured to employ data parallelism. For example, in some embodiments, multiple vector processors included in a single PVA may execute the same computer vision algorithm on different regions of an image. In other instances, the vector processors included in a particular PVA may execute different computer vision algorithms simultaneously on the same image, or execute different algorithms on a series of images or portions of an image. In particular, any number of PVAs may be included in a hardware acceleration cluster, and any number of vector processors may be included in each of the PVAs. The PVAs may also include additional error correction code (ECC) memory to increase the overall system security.

The accelerator 1214 (e.g., a hardware acceleration cluster) may include a computer vision network on-chip and SRAM to provide the accelerator 1214 with high bandwidth, low latency SRAM. In some examples, the on-chip memory may include at least 4 MB of SRAM, consisting of, for example and without limitation, eight field configurable memory blocks that may be accessible from both the PVA and DLA. Each pair of memory blocks may include an Advanced Peripheral Bus (APB) interface, configuration circuitry, controllers, and multiplexers. Any type of memory may be used. The PVA and DLA may access the memory through a backbone that provides the PVA and DLA with high speed access to the memory. The backbone may include a computer vision network on-chip that interconnects the PVA and DLA to the memory (e.g., using the APB).

The computer vision network-on-chip may include an interface that determines that both the PVA and DLA provide ready and valid signals before sending any control signals/address/data. Such an interface may provide separate phases and separate channels for transmitting control signals/address/data, as well as burst type communication for continuous data transfer. This type of interface may be compliant with ISO 26262 or IEC 61508 standards, although other standards and protocols may be used.

In some examples, the SoC1204 may include a real-time ray tracing hardware accelerator, such as that described in U.S. Patent Application Publication No. 2012/0133994, filed on Aug. 10, 2018. The real-time ray tracing hardware accelerator may be used to quickly and efficiently determine the location and scale of objects (e.g., in a world model) to generate real-time visualization simulations for RADAR signal interpretation, for acoustic propagation synthesis and/or analysis, for simulation of SONAR systems, for general wave propagation simulation, for comparison against LIDAR data for localization and/or other functions, and/or other uses. In some examples, one or more Tree Traversal Units (TTUs) may be used to perform one or more ray tracing related operations.

The accelerator 1214 (e.g., a hardware accelerator cluster) has a wide range of applications for autonomous driving. The PVA can be a programmable vision accelerator that can be used for key processing stages in ADAS and autonomous vehicles. The capabilities of the PVA make it suitable for algorithm domains that require predictable processing with low power and low latency. That is, the PVA works well with semi-dense or dense regular computations even on small data sets that require predictable execution times with low latency and low power. Thus, in the context of an autonomous vehicle platform, the PVA is designed to run classic computer vision algorithms because it is efficient in object detection and operations with integer computations.

For example, according to one embodiment of the present technology, the PVA is used to perform computer stereo vision. In some instances, a semi-global matching based algorithm can be used, but this is not intended to be limiting. Many applications for Level 3-5 autonomous driving require motion estimation/stereo matching (e.g., structure from motion, pedestrian recognition, lane detection, etc.) on the fly. The PVA can perform computer stereo vision functions on input from two monocular cameras.

In some instances, the PVA can be used to perform dense optical flow. For example, the PVA can be used to process raw RADAR data (e.g., using a 4D Fast Fourier Transform) to provide a processed RADAR signal before firing the next RADAR pulse. In other instances, the PVA is used for time-of-flight depth processing, for example, by processing raw time-of-flight data to provide processed time-of-flight data.

The DLA can be used to run any type of network, including, for example, a neural network that outputs a measure of confidence for each object detection to improve control and driving safety. Such confidence values can be interpreted as a probability or as providing a relative "weight" of each detection compared to other detections. This confidence value allows the system to make further decisions regarding which detections should be considered true detections rather than false positives. For example, the system can set a confidence threshold and only consider detections above the threshold as true detections. In an Automatic Emergency Braking (AEB) system, a false positive would cause the vehicle to automatically perform emergency braking, which is clearly undesirable. Therefore, only the most confident detections should be considered to trigger the AEB. The DLA can run a neural network to regress the confidence value. The neural network takes as input at least a subset of parameters, such as the bounding box dimensions, an estimate of the ground plane obtained (e.g., from another subsystem), and the output of an inertial measurement unit (IMU) sensor 1266 that correlates with estimates of the vehicle 1200's orientation, distance, and 3D position of objects obtained from the neural network and/or other sensors (e.g., LIDAR sensor 1264 or RADAR sensor 1260).

The SoC 1204 may include a data store 1216 (e.g., memory). The data store 1216 may be an on-chip memory of the SoC 1204 and may store the neural network executed on the GPU and/or DLA. In some instances, the data store 1216 may have a capacity large enough to store multiple instances of the neural network for redundancy and safety. The data store 1216 may include an L2 or L3 cache 1212. References to the data store 1216 may include references to memory associated with the PVA, DLA, and/or other accelerators 1214 described herein.

SoC1204 may include one or more processors 1210 (e.g., embedded processors, etc.). Processor 1210 may include a boot and power management processor, which may be a dedicated processor, and a subsystem to handle boot power and management functions and related security enhancements. The boot and power management processor may be part of the boot sequence of SoC1204 and may provide run-time power management services. The boot power and management processor may provide programming of clocks and voltages, assistance in transitioning the system to a low power state, management of thermal and temperature sensors of SoC1204, and/or management of the power state of SoC1204. Each temperature sensor may be implemented as a ring oscillator whose output frequency is proportional to temperature, and SoC1204 may use the ring oscillator to detect the temperature of CPU1206, GPU1208, and/or accelerator1214. If it is determined that the temperature exceeds a threshold, the boot and power management processor may enter a temperature fault routine, place the SoC 1204 in a low power state, and/or place the vehicle 1200 in chauffeur to safe-stop mode (e.g., bring the vehicle 1200 to a safe-stop).

Processor 1210 may further include a set of embedded processors that may function as an audio processing engine. The audio processing engine may be an audio subsystem that allows full hardware support of multi-channel audio through multiple interfaces and a wide and flexible range of audio I/O interfaces. In some instances, the audio processing engine is a dedicated processor core with a digital signal processor with dedicated RAM.

The processor 1210 may further include an always-on processor engine that can provide the necessary hardware features to support low power sensor management and wake use cases. The always-on processor engine may include a processor core, tightly coupled RAM, supporting peripherals (e.g., timers and interrupt controllers), various I/O controller peripherals, and routing logic.

The processor 1210 may further include a safety cluster engine that includes a dedicated processor subsystem to handle safety management for automotive applications. The safety cluster engine may include two or more processor cores, tightly coupled RAM, supporting peripherals (e.g., timers, interrupt controllers, etc.), and/or routing logic. In a safety mode, the two or more cores may operate in lockstep mode and function as a single core with comparison logic to detect differences between their operations.

The processor 1210 may further include a real-time camera engine that may include a dedicated processor subsystem for handling real-time camera management.

The processor 1210 may further include a high dynamic range signal processor, which may include an image signal processor, which is a hardware engine that is part of the camera processing pipeline.

The processor 1210 may include a video image compositor, which may be a processing block (e.g., implemented on a microprocessor) that implements video post-processing functions required by a video playback application to generate a final image for the player window. The video image compositor may perform lens distortion correction on the wide-view camera 1270, the surround camera 1274, and/or the in-cabin monitoring camera sensor. The in-cabin monitoring camera sensor is preferably monitored by a neural network running on another instance of an advanced SoC that is configured to identify in-cabin events and respond accordingly. The in-cabin system may perform lip reading to activate cellular service, make phone calls, dictate emails, change the vehicle's destination, activate or modify the vehicle's infotainment system and settings, or provide voice-activated web surfing. Certain features are available to the driver only when the vehicle is operating in autonomous mode and are disabled otherwise.

The video image combiner may include enhanced temporal noise reduction for both spatial and temporal noise reduction. For example, when motion occurs in the video, the noise reduction appropriately weights the spatial information and reduces the weight of information provided from adjacent frames. When an image or portion of an image does not contain motion, the temporal noise reduction performed by the video image combiner may use information from previous images to reduce noise in the current image.

The video image composer may also be configured to perform stereo adjustments on the input stereo lens frames. The video image composer may further be used for user interface composition when the operating system desktop is in use, and the GPU 1208 does not need to continually render new surfaces. Even when the GPU 1208 is powered on and actively performing 3D rendering, the video image composer may be used to offload the GPU 1208 for improved performance and responsiveness.

SoC1204 may further include a Mobile Industry Processor Interface (MIPI) camera serial interface for receiving video and input from a camera, a high-speed interface, and/or a video input block that may be used for camera and related pixel input functions. SoC1204 may further include an input/output controller that may be controlled by software and used to receive I/O signals that are not committed to a specific role.

SoC 1204 may further include a wide range of peripheral interfaces to enable peripherals, audio codecs, power management, and/or communication with other devices. SoC 1204 may be used to process data from cameras (e.g., connected via gigabit multimedia serial links and Ethernet), sensors (e.g., LIDAR sensor 1264, RADAR sensor 1260, etc., which may be connected via Ethernet), data from bus 1202 (e.g., vehicle 1200 speed, steering wheel position, etc.), and data from GNSS sensor 1258 (e.g., connected via Ethernet or CAN bus). SoC 1204 may further include a dedicated high-performance mass storage controller, which may include its own DMA engine, which may be used to offload CPU 1206 from routine data management tasks.

SoC1204 is an end-to-end platform with a flexible architecture that spans automation levels 3-5, providing a comprehensive functional safety architecture that leverages and efficiently uses computer vision and ADAS techniques for diversity and redundancy, along with deep learning tools to provide a flexible and reliable platform for driving software stacks. SoC1204 may be faster, more reliable, and more energy and space efficient than traditional systems. For example, accelerator 1214, when combined with CPU 1206, GPU 1208, and data store 1216, can provide a fast and efficient platform for autonomous vehicles levels 3-5.

The present technology thus provides capabilities and functionality not possible with conventional systems. For example, computer vision algorithms may be executed on the CPU. Computer vision algorithms may be constructed using high-level programming languages, such as the C programming language, to execute various processing algorithms across various visual data. However, CPUs often cannot meet the performance requirements of many computer vision applications, e.g., those related to execution time and power consumption. In particular, many CPUs cannot execute complex object detection algorithms in real time, which is a requirement for in-vehicle ADAS applications and for utility level 3-5 autonomous vehicles.

In contrast to conventional systems, by providing a CPU complex, a GPU complex, and a hardware acceleration cluster, the technology described herein allows multiple neural networks to run simultaneously and/or sequentially, and the results to be combined to enable Level 3-5 autonomous driving functions. For example, a CNN running on the DLA or dGPU (e.g., GPU 1220) includes text and word recognition, allowing the supercomputer to read and understand traffic signs, including signs for which the neural network was not specifically trained. The DLA may further include a neural network that can identify, interpret, and provide a semantic understanding of signs, and pass that semantic understanding to a path planning module running on the CPU complex.

As another example, multiple neural networks can be run simultaneously, as required for level 3, 4, or 5 driving. For example, a warning sign consisting of "Caution: Flashing lights indicate icy conditions" accompanied by an electric light may be interpreted by multiple neural networks, either independently or collectively. The sign itself may be identified as a traffic sign by a first deployed neural network (e.g., the neural network being trained), and the text "Flashing lights indicate icy conditions" may be interpreted by a second deployed neural network. The second deployed neural network informs the vehicle's route planning software (preferably running on the CPU complex) that icy conditions exist if a flashing light is detected. The flashing light may be identified by running a third deployed neural network for multiple frames to inform the vehicle's route planning software of the presence (or absence) of the flashing light. All three neural networks may run simultaneously, such as within the DLA and/or on the GPU 1208.

In some instances, CNN for facial recognition and vehicle owner identification can use data from the camera sensors to identify the presence of an authorized driver and/or owner of the vehicle 1200. An always-on sensor processing engine can be used to unlock the vehicle and turn on the lights when the owner approaches the driver's door, and a security mode can prevent the vehicle from operating when the owner leaves the vehicle. In this manner, the SoC 1204 provides security against theft and/or carjacking.

In another example, a CNN for emergency vehicle detection and identification can use data from microphone 1296 to detect and identify emergency vehicle sirens. In contrast to conventional systems that use general classifiers to detect sirens and manually extract features, SoC 1204 uses a CNN to classify ambient and urban sounds as well as visual data. In a preferred embodiment, the CNN running on the DLA is trained to identify the relative terminal velocity of emergency vehicles (e.g., by using the Doppler effect). The CNN may also be trained to identify emergency vehicles specific to the region in which the vehicle is operating, as identified by GNSS sensor 1258. Thus, for example, when operating in Europe, the CNN will attempt to detect European sirens, and in the United States, the CNN will attempt to identify only North American sirens. When an emergency vehicle is detected, the control program can be used to execute emergency vehicle safety routines and, assisted by ultrasonic sensor 1262, can slow the vehicle, pull over to the side of the road, park the vehicle, and/or idle the vehicle until the emergency vehicle has passed.

The vehicle may include a CPU 1218 (e.g., a discrete CPU, i.e., dCPU) that may be coupled to the SoC 1204 via a high-speed interconnect (e.g., PCIe). For example, the CPU 1218 may include an X86 processor. The CPU 1218 may be used to perform any of a variety of functions, such as reconciling potentially inconsistent results between the ADAS sensors and the SoC 1204, and/or monitoring the status and health of the controller 1236 and/or the infotainment SoC 1230.

Vehicle 1200 may include GPU 1220 (e.g., a discrete GPU, or dGPU), which may be coupled to SoC 1204 via a high-speed interconnect (e.g., NVIDIA's NVLINK). GPU 1220 may provide additional artificial intelligence functionality, such as by running redundant and/or different neural networks, and may be used to train and/or update neural networks based on input (e.g., sensor data) from sensors in vehicle 1200.

The vehicle 1200 may further include a network interface 1224, which may include one or more wireless antennas 1226 (e.g., one or more wireless antennas for different communication protocols, such as a cellular antenna, a Bluetooth antenna, etc.). The network interface 1224 may be used to enable wireless connections over the Internet with the cloud (e.g., with a server 1278 and/or other network devices), other vehicles, and/or computing devices (e.g., passenger client devices). To communicate with other vehicles, a direct link may be established between the two vehicles and/or an indirect link may be established (e.g., between networks and over the Internet). A direct link may be provided using a vehicle-to-vehicle communication link. The vehicle-to-vehicle communication link may provide the vehicle 1200 with information about vehicles in close proximity to the vehicle 1200 (e.g., vehicles in front of, beside, and/or behind the vehicle 1200). This function may be part of the cooperative adaptive cruise control function of the vehicle 1200.

The network interface 1224 may include a SoC that provides modulation and demodulation functions and enables the controller 1236 to communicate over a wireless network. The network interface 1224 may include a radio frequency front end for upconversion from baseband to radio frequency and downconversion from radio frequency to baseband. The frequency conversion may be performed using well-known processes and/or may be performed using a superheterodyne process. In some instances, the radio frequency front end functions may be provided by a separate chip. The network interface may include wireless functions for communication via LTE, WCDMA, UMTS, GSM, CDMA2000, Bluetooth, Bluetooth LE, Wi-Fi, Z-Wave, ZigBee, LoRaWAN, and/or other wireless protocols.

Vehicle 1200 may further include data store 1228, which may include external (e.g., external to SoC 1204) storage. Data store 1228 may include one or more storage elements, such as RAM, SRAM, DRAM, VRAM, flash, hard disk, and/or other components and/or devices that may store at least one bit of data.

Vehicle 1200 may further include GNSS sensors 1258 (e.g., GPS and/or assisted GPS sensors) to assist with mapping, perception, occupancy grid generation, and/or path planning functions. Any number of GNSS sensors 1258 may be used, including, but not limited to, a GPS using a USB connector with an Ethernet-to-Serial (RS-232) bridge, for example.

The vehicle 1200 may further include a RADAR sensor 1260. The RADAR sensor 1260 may be used by the vehicle 1200 to detect vehicles at long distances even in darkness and/or severe weather conditions. The RADAR functional safety level may be ASIL B. The RADAR sensor 1260 may control and access object tracking data using CAN and/or bus 1202 (e.g., to transmit data generated by the RADAR sensor 1260), and in some instances has access to Ethernet to access raw data. Various RADAR sensor types may be used. For example, and without limitation, the RADAR sensor 1260 may be suitable for front, rear, and side RADAR use. In one instance, a pulsed Doppler RADAR sensor is used.

The RADAR sensor 1260 may include different configurations, such as long range with narrow field of view, short range with wide field of view, and short range side coverage. In some instances, the long range RADAR may be used for adaptive cruise control functions. Long range RADAR systems may provide a wide field of view achieved by two or more independent scans, such as within a 250m range. The RADAR sensor 1260 helps distinguish between stationary and moving objects and may be used by ADAS systems for emergency brake assistance and forward collision warning. Long range RADAR sensors may include monostatic multimodal RADAR with multiple (e.g., six or more) fixed RADAR antennas and high speed CAN and FlexRay interfaces. In an instance using six antennas, the four central antennas may create a focused beam pattern designed to record the surroundings of the vehicle 1200 at higher speeds while minimizing interference from traffic in adjacent lanes. The other two antennas can expand the field of view, allowing vehicle 1200 to quickly detect vehicles entering or exiting the lane it is in.

Mid-range RADAR systems, by way of example, may include a range of up to 1260 meters (front) or 80 meters (rear) and a field of view of up to 42 degrees (front) or 1250 degrees (rear). Short-range RADAR systems may include, but are not limited to, RADAR sensors designed to be mounted on either end of a rear bumper. When mounted on either end of a rear bumper, such a RADAR sensor system may create two beams that constantly monitor the blind spots behind and adjacent to the vehicle.

Short-range RADAR systems can be used in ADAS systems for blind spot detection and/or lane change assistance.

The vehicle 1200 may further include ultrasonic sensors 1262. The ultrasonic sensors 1262 may be located on the front, back, and/or sides of the vehicle 1200 and may be used for parking assistance and/or creating and updating an occupancy grid. A variety of ultrasonic sensors 1262 may be used, and different ultrasonic sensors 1262 may be used for different detection ranges (e.g., 2.5 m, 4 m). The ultrasonic sensors 1262 may operate at a functional safety level of ASIL B.

The vehicle 1200 may include a LIDAR sensor 1264. The LIDAR sensor 1264 may be used for object and pedestrian detection, emergency braking, collision avoidance, and/or other functions. The LIDAR sensor 1264 may be functional safety level ASIL B. In some instances, the vehicle 1200 may include multiple LIDAR sensors 1264 (e.g., 2, 4, 6, etc.) that may use Ethernet (e.g., to provide data to a Gigabit Ethernet switch).

In some instances, the LIDAR sensor 1264 may be capable of providing a list of objects and their distances for a 360 degree field of view. Commercially available LIDAR sensors 1264 may have an advertised range of approximately 100 m with an accuracy of 2 cm to 3 cm, with support for, for example, a 100 Mbps Ethernet connection. In some instances, one or more non-protruding LIDAR sensors 1264 may be used. In such instances, the LIDAR sensor 1264 may be implemented as a small device that may be embedded in the front, rear, sides, and/or corners of the vehicle 1200. In such instances, the LIDAR sensor 1264 may provide a field of view of up to 120 degrees horizontally and up to 35 degrees vertically, with a range of 200 m even for low-reflecting objects. A front-mounted LIDAR sensor 1264 may be configured for a horizontal field of view of 45 degrees to 135 degrees.

In some instances, LIDAR technology such as 3D flash LIDAR may also be used. 3D flash LIDAR uses a flash of a laser as a transmission source to illuminate the surroundings of the vehicle up to about 200 m. The flash LIDAR unit includes a receptor that records the transit time of the laser pulse and the reflected light of each pixel, which in turn corresponds to the range from the vehicle to the object. Flash LIDAR may allow a highly accurate and distortion-free image of the surroundings to be generated with every laser flash. In some instances, four flash LIDAR sensors may be deployed, one on each side of the vehicle 1200. Usable 3D flash LIDAR systems include solid-state 3D steering array LIDAR cameras with no moving parts other than the fan (e.g., non-scanning LIDAR devices). Flash LIDAR devices use 5 nanosecond class I (eye-safe) laser pulses per frame and may capture reflected laser light in the form of a 3D range point cloud and co-registered intensity data. By using flash LIDAR, and because flash LIDAR is a solid-state device with no moving parts, the LIDAR sensor 1264 may be less susceptible to motion blur, vibration, and/or shock.

The vehicle may further include an IMU sensor 1266. In some instances, the IMU sensor 1266 may be located at the center of the rear axle of the vehicle 1200. The IMU sensor 1266 may include, for example, but is not limited to, an accelerometer, a magnetometer, a gyroscope, a magnetic compass, and/or other sensor types. In some instances, such as a 6-axis application, the IMU sensor 1266 may include an accelerometer and a gyroscope, while in a 9-axis application, the IMU sensor 1266 may include an accelerometer, a gyroscope, and a magnetometer.

In some examples, the IMU sensor 1266 may be implemented as a small, high-performance GPS-Aided Inertial Navigation System (GPS/INS) that combines Micro-Electro-Mechanical System (MEMS) inertial sensors, a highly sensitive GPS receiver, and advanced Kalman filtering algorithms to provide estimates of position, velocity, and attitude. Thus, in some instances, the IMU sensor 1266 may enable the vehicle 1200 to estimate heading by directly observing and correlating velocity changes from the GPS to the IMU sensor 1266 without requiring input from a magnetic sensor. In some instances, the IMU sensor 1266 and the GNSS sensor 1258 may be combined into one integrated unit.

The vehicle may include microphones 1296 located within and/or around the vehicle 1200. The microphones 1296 may be used, among other things, to detect and identify emergency vehicles.

The vehicle may further include any number of camera types, including stereo cameras 1268, wide-view cameras 1270, infrared cameras 1272, surround cameras 1274, long-range and/or mid-range cameras 1298, and/or other camera types. The cameras may be used to capture image data of the entire surroundings of the vehicle 1200. The types of cameras used may vary depending on the embodiment and requirements of the vehicle 1200, and any combination of camera types may be used to provide the necessary coverage around the vehicle 1200. The number of cameras may also vary depending on the embodiment. For example, the vehicle may include six cameras, seven cameras, ten cameras, twelve cameras, and/or another number of cameras. The cameras may support, by way of example and without limitation, Gigabit Multimedia Serial Link (GMSL) and/or Gigabit Ethernet. Each of the cameras is described in more detail herein with respect to Figures 12 and 13.

The vehicle 1200 may further include a vibration sensor 1242. The vibration sensor 1242 may measure vibrations of a vehicle component, such as an axle. For example, a change in vibration may indicate a change in the road surface. In another example, if two or more vibration sensors 1242 are used, the difference in vibration may be used to determine the degree of friction or slippage of the road surface (e.g., if there is a difference in vibration between a powered axle and a free-running axle).

The vehicle 1200 may include an ADAS system 1238. The ADAS system 1238 may, in some instances, include a SoC. The ADAS system 1238 includes an autonomous/adaptive/automatic cruise control (ACC), a cooperative adaptive cruise control (CACC), a forward crash warning (FCW), an automatic emergency braking (AEB), a lane departure warning (LDW), a lane keep assist (LKA), a blind spot warning (BSW), a rear cross-traffic warning (RCTW), a collision warning system (CWS), and a collision warning system (CWS). System), Lane Centering (LC), and/or other features and functions.

The ACC system may use RADAR sensors 1260, LIDAR sensors 1264, and/or cameras. The ACC system may include longitudinal ACC and/or lateral ACC. Longitudinal ACC monitors and controls the distance to the vehicle immediately preceding the vehicle 1200 and automatically adjusts the vehicle speed to maintain a safe distance from the vehicle ahead. Lateral ACC performs distance maintenance and advises the vehicle 1200 to change lanes if necessary. Lateral ACC is relevant to other ADAS applications such as LC and CWS.

CACC uses information from other vehicles. These information can be received from other vehicles via a wireless link via the network interface 1224 and/or wireless antenna 1226, or indirectly via a network connection (e.g., via the Internet). The direct link can be provided by a vehicle-to-vehicle (V2V) communication link, and the indirect link can be an infrastructure-to-vehicle (I2V) communication link. In general, the V2V communication concept provides information about the immediately preceding vehicle (e.g., the vehicle immediately ahead of the vehicle 1200 and in the same lane as the vehicle 1200), and the I2V communication concept provides information about the traffic further ahead. The CACC system can include either or both I2V and V2V information sources. Given information about the vehicle in front of vehicle 1200, CACC can be more reliable, potentially smoothing traffic flow and reducing road congestion.

The FCW system is designed to alert the driver to hazards so that the driver can take corrective action. The FCW system uses a front camera and/or RADAR sensor 1260 coupled to a dedicated processor, DSP, FPGA, and/or ASIC. The dedicated processor, DSP, FPGA, and/or ASIC is electrically coupled to driver feedback such as a display, speaker, and/or vibration components. The FCW system can provide warnings in the form of sound, visual alerts, vibrations, and/or quick brake pulses.

An AEB system can detect an impending forward collision with another vehicle or other object and automatically apply the brakes if the driver does not take corrective action within specified time or distance parameters. The AEB system can use a front camera and/or RADAR sensor 1260 coupled to a dedicated processor, DSP, FPGA, and/or ASIC. Upon detecting a hazard, the AEB system will usually first alert the driver to take corrective action to avoid the collision. If the driver does not take corrective action, the AEB system can automatically apply the brakes to try to prevent or at least mitigate the effects of the predicted collision. An AEB system can include techniques such as dynamic brake support and/or collision emergency braking.

The LDW system provides visual, audible, and/or tactile warnings, such as vibration of the steering wheel or seat, to alert the driver when the vehicle 1200 crosses a lane marking. If the driver indicates an intentional lane departure by activating the turn signals, the LDW system is not activated. The LDW system may use a front camera coupled to a dedicated processor, DSP, FPGA, and/or ASIC, which is electrically coupled to driver feedback, such as a display, speaker, and/or vibration components.

The LKA system is a variation of the LDW system. The LKA system provides steering input or braking to correct the vehicle 1200 if it begins to leave its lane.

The BSW system detects vehicles in the vehicle's blind spot and warns the driver. The BSW system can provide visual, audible, and/or tactile warnings that it is unsafe to merge or change lanes. The system can provide an additional warning when the driver uses the turn signals. The BSW system can use a rear camera and/or RADAR sensor 1260 that is coupled to a dedicated processor, DSP, FPGA, and/or ASIC. The dedicated processor, DSP, FPGA, and/or ASIC are electrically coupled to driver feedback such as a display, speaker, and/or vibration components.

The RCTW system may provide visual, audible, and/or tactile notifications when an object is detected outside the range of the rear camera when the vehicle 1200 is backing up. Some RCTW systems may include AEB to positively apply the vehicle's brakes to avoid a collision. The RCTW system may use one or more rear RADAR sensors 1260 that are coupled to a dedicated processor, DSP, FPGA, and/or ASIC. The dedicated processor, DSP, FPGA, and/or ASIC are electrically coupled to driver feedback such as a display, speaker, and/or vibration components.

Conventional ADAS systems are prone to false positive results, which can be annoying and distracting to the driver, but are usually not catastrophic, because the ADAS system alerts the driver, allowing the driver to determine whether a safety condition truly exists and act accordingly. However, in an autonomous vehicle 1200, in the case of conflicting results, the vehicle 1200 itself must determine whether to listen to the results from the primary computer or the secondary computer (e.g., the first controller 1236 or the second controller 1236). For example, in some embodiments, the ADAS system 1238 may be a backup and/or secondary computer to provide perception information to a backup computer rationality module. The backup computer rationality monitor may run redundant and diverse software on hardware components to detect impairments in cognitive and dynamic driving tasks. Output from the ADAS system 1238 may be provided to a monitoring MCU. If the output from the primary computer conflicts with the output from the secondary computer, the supervisory MCU must determine how to reconcile the conflict and ensure safe operation.

In some instances, the primary computer may be configured to provide the monitoring MCU with a trust score indicating the primary computer's confidence in a selected outcome. If the trust score exceeds a threshold, the monitoring MCU may follow the primary computer's guidance regardless of whether the secondary computer provides conflicting or inconsistent results. If the trust score does not meet the threshold and the primary and secondary computers indicate different outcomes (e.g., conflicts), the monitoring MCU may mediate between the computers to determine an appropriate outcome.

The monitoring MCU may be configured to execute a neural network that is trained and configured to determine conditions under which the secondary computer will provide a false alarm based on the outputs from the primary and secondary computers. Thus, the neural network in the monitoring MCU can learn when to trust the output of the secondary computer and when not to trust it. For example, if the secondary computer is a RADAR-based FCW system, the neural network in the monitoring MCU can learn when the FCW system is identifying a metal object that is not actually a hazard, such as a drain grate or manhole cover, that triggers an alarm. Similarly, if the secondary computer is a camera-based LDW system, the neural network in the monitoring MCU can learn to override the LDW when a bicyclist or pedestrian is present and lane departure is in fact the safest maneuver. In an embodiment that includes a neural network running on the monitoring MCU, the monitoring MCU may include at least one of a DLA or GPU suitable for executing the neural network along with associated memory. In a preferred embodiment, the supervisory MCU may include and/or be included as a component of the SoC1204.

In another example, the ADAS system 1238 may include a secondary computer that performs ADAS functions using traditional computer vision rules. Thus, the secondary computer may use classic computer vision rules (if-then), and the presence of a neural network in the supervisory MCU may improve reliability, safety, and performance. For example, the diverse implementations and intentional non-identity may increase the fault tolerance of the overall system, especially against failures caused by software (or software-hardware interface) functions. For example, if the software running on the primary computer has a software bug or error, and the non-identical software code running on the secondary computer provides the same overall results, the supervisory MCU may have greater confidence that the overall results are correct and that a bug in the software or hardware used by the primary computer is not the cause of the critical error.

In some instances, the output of the ADAS system 1238 may be fed to the perception block of the primary computer and/or the dynamic driving task block of the primary computer. For example, if the ADAS system 1238 indicates a forward collision warning due to an object directly ahead, the perception block may use this information when identifying the object. In other instances, the secondary computer may have its own neural network that is trained and thus reduces the risk of false positives as described herein.

Vehicle 1200 may further include an infotainment SoC 1230 (e.g., an In-Vehicle Infotainment System (IVI)). Although shown and described as a SoC, the infotainment system need not be a SoC and may include two or more separate components. Infotainment SoC 1230 may include a combination of hardware and software that can be used to provide audio (e.g., music, personal digital assistant, navigation instructions, news, radio, etc.), video (e.g., TV, movies, streaming, etc.), telephony (e.g., hands-free calling), network connectivity (e.g., LTE, Wi-Fi), and/or information services (e.g., navigation system, rear parking assist, wireless data system, vehicle related information such as fuel level, total mileage, brake fuel level, oil level, door opening and closing, air filter information, etc.) to vehicle 1200. For example, the infotainment SoC 1230 may include a radio, a disc player, a navigation system, a video player, USB and Bluetooth connectivity, a carputer, in-car entertainment, Wi-Fi, steering wheel audio controls, hands-free voice controls, a Heads-Up Display (HUD), an HMI display 1234, telematics devices, a control panel (e.g., for controlling and/or interacting with various components, features, and/or systems), and/or other components. The infotainment SoC 1230 may further be used to provide information (e.g., visual and/or audible) to a user of the vehicle, such as information from the ADAS system 1238, autonomous driving information such as planned vehicle maneuvers, trajectory, surrounding environment information (e.g., intersection information, vehicle information, road information, etc.), and/or other information.

Infotainment SoC 1230 may include GPU functionality. Infotainment SoC 1230 may communicate with other devices, systems, and/or components of vehicle 1200 via bus 1202 (e.g., CAN bus, Ethernet, etc.). In some instances, infotainment SoC 1230 may be coupled to a supervisory MCU such that the infotainment system's GPU can perform some autonomous driving functions if primary controller 1236 (e.g., primary and/or backup computer of vehicle 1200) fails. In such instances, infotainment SoC 1230 may place vehicle 1200 in a proxy mode until a safe stop, as described herein.

The vehicle 1200 may further include an instrument cluster 1232 (e.g., a digital dash, an electronic instrument cluster, a digital instrument panel, etc.). The instrument cluster 1232 may include a controller and/or a supercomputer (e.g., a separate controller or a supercomputer). The instrument cluster 1232 may include a set of instruments such as a speedometer, a fuel level, an oil pressure, a tachometer, an odometer, a turn indicator, a gear shift position indicator, a seat belt warning light, a parking brake warning light, an engine fault light, an airbag (SRS) system information, lighting control, a safety system control, navigation information, etc. In some instances, information may be displayed on and/or shared between the infotainment SoC 1230 and the instrument cluster 1232. That is, the instrument cluster 1232 may be included as part of the infotainment SoC 1230, or vice versa.

As previously mentioned, in at least some embodiments, the vehicle platform 100 (see FIG. 1) may be a component of the autonomous vehicle 1200. In such embodiments, the controller 1236 includes the vehicle SoC 104. For example, the vehicle SoC 104 may be implemented as one of the SoCs 1204.

15 is a system diagram for communication between a cloud-based server and the example autonomous vehicle 1200 of FIG. 12, according to some embodiments of the present disclosure. The system 1276 may include a server 1278, a network 1290, and a vehicle including the vehicle 1200. The server 1278 may include a number of GPUs 1284(A)-1284(H) (collectively referred to herein as GPUs 1284), a PCIe switch 1282(A)-1282(H) (collectively referred to herein as PCIe switch 1282), and/or a CPU 1280(A)-1280(B) (collectively referred to herein as CPU 1280). The GPUs 1284, CPUs 1280, and PCIe switch may be interconnected with a high-speed interconnect, such as, but not limited to, an NVLink interface 1288 and/or a PCIe connection 1286 developed by NVIDIA. In some instances, the GPUs 1284 are connected via NVLink and/or NVSwitch SoCs, and the GPUs 1284 and PCIe switch 1282 are connected via a PCIe interconnect. Although eight GPUs 1284, two CPUs 1280, and two PCIe switches are shown, this is not intended to be limiting. Depending on the embodiment, each of the servers 1278 may include any number of GPUs 1284, CPUs 1280, and/or PCIe switches. For example, each of the servers 1278 may include 8, 16, 32, and/or more GPUs 1284.

Server 1278 may receive image data over network 1290 and from the vehicles, representing images showing unexpected or changed road conditions, such as recently begun road construction. Server 1278 may transmit neural network 1292, updated neural network 1292, and/or map information 1294 (including information about traffic and road conditions) over network 1290 and to the vehicles. Updates to map information 1294 may include updates to HD map 1222, such as information about construction sites, potholes, detours, flooding, and/or other obstacles. In some instances, neural network 1292, updated neural network 1292, and/or map information 1294 may result from new training and/or experience represented in data received from any number of vehicles in the environment and/or based on training performed at a data center (e.g., using server 1278 and/or other servers).

The server 1278 may be used to train a machine learning model (e.g., a neural network) based on training data. The training data may be generated by the vehicle and/or generated in a simulation (e.g., using a game engine). In some instances, the training data is tagged (e.g., if the neural network benefits from supervised learning) and/or otherwise preprocessed, while in other instances, the training data is not tagged and/or preprocessed (e.g., if the neural network does not require supervised learning). The training may be performed according to any one or more classes of machine learning techniques, including, but not limited to, supervised training, semi-supervised training, unsupervised training, self-learning, reinforcement learning, federated learning, transfer learning, feature learning (including principal component analysis and cluster analysis), multiple linear subspace learning, manifold learning, representation learning (including spare dictionary learning), rule-based machine learning, anomaly detection, and any variation or combination thereof. Once the machine learning model is trained, it may be used by the vehicle (e.g., transmitted to the vehicle via network 1290) and/or the machine learning model may be used by server 1278 to remotely monitor the vehicle.

In some instances, server 1278 can receive data from vehicles and apply the data to state-of-the-art real-time neural networks for real-time intelligent inference. Server 1278 can include deep learning supercomputers and/or dedicated AI computers powered by GPU 1284, such as the DGX and DGX Station machines developed by NVIDIA. However, in some instances, server 1278 can include a deep learning infrastructure that uses only CPU-powered data centers.

The deep learning infrastructure of server 1278 may be capable of fast and real-time inference and may use that capability to assess and verify the health of the processor, software, and/or associated hardware in vehicle 1200. For example, the deep learning infrastructure may receive periodic updates from vehicle 1200, such as a series of images and/or objects that vehicle 1200 has located in the series of images (e.g., via computer vision and/or other machine learning object classification techniques). The deep learning infrastructure may run its own neural network to identify objects and compare them to those identified by vehicle 1200, and if the results do not match and the infrastructure determines that there is an abnormality in the AI in vehicle 1200, server 1278 may send a signal to vehicle 1200 to instruct the failsafe computer of vehicle 1200 to assume control, notify the occupants, and complete a safe parking maneuver.

For inference, server 1278 may include GPU 1284 and one or more programmable inference accelerators (e.g., NVIDIA's TensorRT). The combination of a GPU-powered server with inference acceleration can enable real-time responsiveness. In other instances, such as when performance is less critical, servers powered by CPUs, FPGAs, and other processors can be used for inference.

16 is a block diagram of an example computing device 1600 suitable for use in implementing some embodiments of the present disclosure. The computing device 1600 may include an interconnect system 1602 that directly or indirectly couples the following devices: memory 1604, one or more central processing units (CPUs) 1606, one or more graphics processing units (GPUs) 1608, a communications interface 1610, I/O ports 1612, input/output components 1614, a power source 1616, one or more presentation components 1618 (e.g., displays), and one or more logic units 1620.

16 are shown as being hardwired through interconnect system 1602 for clarity only, and not for any limitation. For example, in some embodiments, a presentation component 1618, such as a display device, may be considered an I/O component 1614 (e.g., if the display is a touch screen). As another example, CPU 1606 and/or GPU 1608 may include memory (e.g., memory 1604 may represent a storage device in addition to memory of GPU 1608, CPU 1606, and/or other components). Thus, the computing devices of FIG. 16 are merely illustrative. No distinction is made between categories such as "workstations," "servers," "laptops," "desktops," "tablets," "client devices," "mobile devices," "handheld devices," "game consoles," "electronic control units (ECUs)," "virtual reality systems," "augmented reality systems," and/or other device or system types, as all are intended to be within the scope of the computing devices of FIG. 16.

The interconnect system 1602 may represent one or more links or buses, such as an address bus, a data bus, a control bus, or a combination thereof. The interconnect system 1602 may include one or more bus or link types, such as an Industry Standard Architecture (ISA) bus, an Extended Industry Standard Architecture (EISA) bus, a Video Electronics Standards Association (VESA) bus, a Peripheral Component Interconnect (PCI) bus, a Peripheral Component Interconnect Express (PCIe) bus, and/or another type of bus or link. In some embodiments, there are direct connections between the components. As one example, the CPU 1606 may be directly connected to the memory 1604. Additionally, the CPU 1606 may be directly connected to the GPU 1608. Where there are direct or point-to-point connections between the components, the interconnect system 1602 may include PCIe links to effectuate the connections. In these examples, a PCI bus need not be included in the computing device 1600.

Memory 1604 may include a variety of computer readable media. Computer readable media may be any available media that may be accessed by computing device 1600. Computer readable media may include both volatile and nonvolatile media, and removable and non-removable media. By way of example, and not limitation, computer readable media may include computer storage media and communication media.

Computer storage media may include both volatile and non-volatile media and/or removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules, and/or other data types. For example, memory 1604 may store computer readable instructions (e.g., representing programs and/or program elements such as an operating system). Computer storage media may include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disk (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that may be used to store the desired information and that may be accessed by computing device 1600. As used herein, computer storage media does not include the signals themselves.

Computer storage media may embody computer-readable instructions, data structures, program modules, and/or other data types in a modulated data signal, such as a carrier wave or other transport mechanism, and include any information delivery media. The term "modulated data signal" may refer to a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, computer storage media may include wired media, such as a wired network or direct-wired connection, and wireless media, such as acoustic, RF, infrared and other wireless media. Combinations of any of the above are also included within the scope of computer-readable media.

The CPUs 1606 may be configured to execute at least some of the computer-readable instructions to control one or more components of the computing device 1600 to perform one or more of the methods and/or processes described herein. Each of the CPUs 1606 may include one or more cores (e.g., 1, 2, 4, 8, 28, 72, etc.) capable of simultaneously processing multiple software threads. The CPUs 1606 may include any type of processor and may include different types of processors (e.g., a processor with fewer cores for a mobile device and a processor with more cores for a server) depending on the type of computing device 1600 being implemented. For example, depending on the type of computing device 1600, the processor may be an Advanced RISC Machine (ARM) processor implemented using Reduced Instruction Set Computing (RISC) or an x86 processor implemented using Complex Instruction Set Computing (CISC). Computing device 1600 may include one or more CPUs 1606 in addition to one or more microprocessors or auxiliary coprocessors such as math coprocessors.

In addition to or in place of the CPU 1606, the GPU 1608 may be configured to execute at least some of the computer-readable instructions to control one or more components of the computing device 1600 to perform one or more of the methods and/or processes described herein. One or more of the GPUs 1608 may be integrated GPUs (e.g., with one or more of the CPUs 1606) and/or one or more of the GPUs may be discrete GPUs. In an embodiment, one or more of the GPUs 1608 may be a coprocessor or coprocessors of the CPUs 1606. The GPU 1608 may be used by the computing device 1600 to render graphics (e.g., 3D graphics) or perform general-purpose computing. For example, the GPU 1608 may be configured to perform general-purpose computing on a GPU (GPGPU). A graphics processor (GPU) 1608 may be used for the graphics processing unit 1602. The GPU 1608 may include hundreds or thousands of cores capable of simultaneously processing hundreds or thousands of software threads. The GPU 1608 may generate pixel data for an output image in response to rendering commands (e.g., rendering commands received from the CPU 1606 via a host interface). The GPU 1608 may include a graphics memory, such as a display memory, for storing pixel data or any other suitable data, such as GPGPU data. The display memory is included as part of the memory 1604. GPU 1608 may include two or more GPUs operating in parallel (e.g., via links). The links may connect the GPUs directly (e.g., using NVLINK) or through a switch (e.g., using NVSwitch). When combined, each GPU 1608 may generate pixel data or GPGPU data for a different portion of the output or for a different output (e.g., a first GPU for a first image and a second GPU for a second image). Each GPU may include its own memory or may share memory with the other GPUs.

In addition to or in place of the CPU 1606 and/or GPU 1608, the logic unit 1620 may be configured to execute at least some of the computer-readable instructions to control one or more components of the computing device 1600 to perform one or more of the methods and/or processes described herein. In an embodiment, the CPU 1608, the GPU 1608, and/or the logic unit 1620 may individually or jointly execute any combination of methods, processes, and/or portions thereof. One or more of the logic units 1620 may be part of and/or integrated with one or more of the CPU 1606 and/or GPU 1608, and/or one or more of the logic units 1620 may be separate components or otherwise external to the CPU 1606 and/or GPU 1608. In an embodiment, one or more of the logic units 1620 may be co-processors of one or more of the CPUs 1606 and/or one or more of the GPUs 1608.

Examples of the logical unit 1620 include a tensor core (TC), a tensor processing unit (TPU), a pixel visual core (PVC), a vision processing unit (VPU), a graphics processing cluster (GPC), a texture processing cluster (TPC), a streaming multiprocessor (SM), a tree traversal unit (TTU), an artificial intelligence accelerator (AIA), and a scalable processor (SPC). The processor may include one or more processing cores and/or components thereof, such as a deep learning accelerator (DLA), an arithmetic logic unit (ALU), an application-specific integrated circuit (ASIC), a floating point unit (FPU), an I/O element, a peripheral component interconnect (PCI) or a peripheral component interconnect express (PCIe) element.

The communications interface 1610 may include one or more receivers, transmitters, and/or transceivers that enable the computing device 1600 to communicate with other computing devices over electronic communications networks, including wired and/or wireless communications. The communications interface 1610 may include components and functionality to enable communication over any of a number of different networks, such as wireless networks (e.g., Wi-Fi, Z-Wave, Bluetooth, Bluetooth LE, ZigBee, etc.), wired networks (e.g., communication over Ethernet or InfiniBand), low power wide area networks (e.g., LoRaWAN, SigFox, etc.), and/or the Internet.

The I/O ports 1612 may enable the computing device 1600 to be logically coupled to other devices, including I/O components 1614, presentation components 1618, and/or other components, some of which may be incorporated (e.g., integrated) into the computing device 1600. Exemplary I/O components 1614 include microphones, mice, keyboards, joysticks, game pads, game controllers, satellite dishes, scanners, printers, wireless devices, and the like. The I/O components 1614 may provide a Natural User Interface (NUI) that processes user-generated air gestures, voice, or other physiological input. In some cases, the input may be sent to an appropriate network element for further processing. The NUI may implement any combination of voice recognition, stylus recognition, facial recognition, biometric recognition, gesture recognition both on and near the screen, air gestures, head and eye tracking, and touch recognition associated with the display of the computing device 1600 (described in more detail below). The computing device 1600 may include a depth camera, such as a stereoscopic camera system, an infrared camera system, an RGB camera system, touch screen technology, and combinations thereof, for gesture detection and recognition. Additionally, the computing device 1600 may include an accelerometer or gyroscope (e.g., as part of an Inertia Measurement Unit (IMU)) that allows for detection of motion. In some instances, the output of the accelerometer or gyroscope may be used by the computing device 1600 to render an immersive augmented or virtual reality.

Power source 1616 may include a hardwired power source, a battery power source, or a combination thereof. Power source 1616 may provide power to computing device 1600 to enable the components of computing device 1600 to operate.

The presentation component 1618 may include a display (e.g., a monitor, a touch screen, a television screen, a heads-up display (HUD), other display types, or a combination thereof), speakers, and/or other presentation components. The presentation component 1618 may receive data from other components (e.g., GPU 1608, CPU 1606, etc.) and output data (e.g., as images, video, sound, etc.).

The present disclosure may be described in the general context of computer code or machine usable instructions, including computer executable instructions, such as program modules, executed by a computer or other machine, such as a personal data assistant or other handheld device. Generally, program modules, including routines, programs, objects, components, data structures, etc., refer to code that performs particular tasks or implements particular abstract data types. The present disclosure may be practiced in a variety of system configurations, including handheld devices, consumer electronics, general purpose computers, more specialized computing devices, and the like. The present disclosure may also be practiced in distributed computing environments where tasks are performed by remote processing devices linked through a communications network.

At least one embodiment of the present disclosure can be described in view of the following provisions:

1. A system comprising: a memory that operates according to a first risk classification level; and a circuit that operates according to a second risk classification level indicating a higher risk classification than the first risk classification level, the circuit determining an error detection code for data written to a first memory address in the memory, determining a second memory address in the memory based at least in part on the first memory address, storing the data at the first memory address, and storing the error detection code at the second memory address.

2. The system of claim 1, wherein after the data is stored at the first memory address and the error detection code is stored at the second memory address, the circuitry retrieves the data from the first memory address, retrieves the error detection code from the second memory address, generates a check code based on the first memory address and the data retrieved from the first memory address, and generates a notification when the error detection code indicates that the data contains at least one error.

3. The system of clause 2, wherein the error detection code indicates that the data contains at least one error when the error detection code does not match the check code.

4. The system of clause 2 or 3, wherein the circuitry obtains data from the first memory address during the first memory access and obtains the error detection code from the second memory address during the second memory access.

5. The system of any one of clauses 2 to 4, further comprising: a first interface, where data is obtained from a first memory address via the first interface; and a second interface, where an error detection code is obtained from a second memory address via the second interface in parallel with the first interface obtaining the data, the first interface being different from the second interface.

6. The system of claim 4, wherein the circuitry generates a time delay between the first memory access and the second memory access.

7. The system of any one of clauses 1 to 6, wherein the memory includes a first subsection and a second subsection, the first subsection includes a first memory address, and the second subsection includes a second memory address, and the circuitry writes a new error detection code to each memory address in the second subsection during a boot procedure.

8. The system of any one of clauses 1 to 7, wherein the circuitry determines an error detection code based on the first memory address and the data before the data is written to the first memory address.

9. The system of any one of clauses 1 to 8, wherein the circuit includes a first block and a second block, the first block sends a write request including data and a first memory address to the second block, and the second block receives the write request, determines an error detection code, determines a second memory address, stores the data at the first memory address, and stores the error detection code at the second memory address.

10. The system of claim 9, wherein the first block includes a write timer that starts when the first block sends a write request to the second block, and the first block generates a write error when the write timer indicates that more than a predetermined time has elapsed before the first block receives a response from the memory.

11. The system of clause 9 or 10, wherein after the first block sends the write request, the first block sends a read request to the second block for the data stored at the first memory address, the second block receives the read request, retrieves the data from the first memory address, retrieves the error detection code from the second memory address, and sends a notification to the first block when the second block determines that the error detection code indicates that the data contains at least one error.

12. The system of claim 11, wherein the first block includes a read timer that starts when the first block sends a read request, and the first block generates a read error when the read timer indicates that more than a predetermined time has elapsed before the first block receives data.

13. The system of any one of clauses 1 to 12, wherein the circuitry stores data at a first memory address during a first memory access and stores an error detection code at a second memory address during a second memory access.

14. The system of claim 13, wherein the circuitry generates a first time delay between the first memory access and the second memory access.

15. The system of any one of clauses 1 to 14, wherein the system is on a continuous semiconductor material.

16. The system of clause 15, implementing a portion of a system-on-chip ("SoC") for an automotive vehicle.

17. The system of any one of clauses 1 to 16, wherein the first risk classification level and the second risk classification level are each an Automotive Safety Indicator Level ("ASIL").

18. The system of any one of clauses 1 to 17, wherein the error detection code is a cyclic redundancy check code or an error correction code.

19. A system comprising: a memory operating within a first risk classification level, the memory including a separated memory region including a first memory address for storing data and a second memory address for storing an error detection code; and a circuit operating within a second risk classification level indicating a higher level of risk than the first risk classification level, the circuit retrieving the data from the first memory address, retrieving the error detection code from the second memory address, and generating a notification when the error detection code indicates that the data contains at least one error.

20. The system of claim 19, wherein the circuit generates a check code based on the first memory address and the data retrieved from the first memory address, and when the error detection code does not match the check code, the error detection code indicates that the data contains at least one error.

21. The system of clause 19 or 20, wherein the circuit includes a first block and a second block, the first block sends a read request to the second block for data stored at a first memory address, and the second block receives the read request, retrieves the data, retrieves the error detection code, and generates a notification when the error detection code indicates that the data contains at least one error.

22. The system of claim 21, wherein the first block includes a read timer that starts when the first block sends a read request, and the first block generates an error when the read timer indicates that more than a predetermined time has elapsed before the first block receives data.

23. The system of clause 21 or 22, wherein before the first block sends the read request, the first block sends the data and the first memory address to the second block, and the second block determines the error detection code, determines the second memory address, stores the data at the first memory address, and stores the error detection code at the second memory address.

24. The system of claim 23, wherein the first block includes a write timer that starts when the first block transmits data and the first memory address to the second block, and the first block generates a write error when the write timer indicates that more than a first predetermined time has elapsed before the first block receives a response from the memory.

25. The system of claim 24, wherein the first block includes a read timer that starts when the first block sends a read request, and the first block generates a read error when the read timer indicates that more than a second predetermined time has elapsed before the first block receives data from the memory.

26. The system of any one of clauses 19 to 25, wherein the circuitry retrieves data from the first memory address during the first memory access and retrieves the error detection code from the second memory address during the second memory access.

27. The system of claim 26, wherein the circuitry generates a time delay between the first memory access and the second memory access.

28. The system of any one of clauses 19 to 27, wherein the circuit writes an error detection code to the second memory address during the boot procedure.

29. The system of any one of clauses 19 to 28, wherein the system is on a continuous semiconductor material.

30. The system of clause 29, implementing a portion of a system-on-chip ("SoC") for an automotive vehicle.

31. The system of any one of clauses 19 to 30, wherein the first risk classification level and the second risk classification level are each an Automotive Safety Indicator Level ("ASIL").

32. The system of any one of clauses 19 to 31, wherein the error detection code is a cyclic redundancy check code or an error correction code.

33. A method performed by a circuit operating at a first risk classification level, the method including: determining an error detection code for data to be written to a first memory address in a memory operating at a second risk classification level indicating a lower level of risk than the first risk classification level; determining a second memory address in the memory based at least in part on the first memory address; and storing the data at the first memory address and the error detection code at the second memory address.

34. The method of claim 33, further comprising: retrieving data from the first memory address after the data is stored in the first memory address; retrieving an error detection code from the second memory address after the error detection code is stored in the second memory address; generating a check code based on the first memory address and the data retrieved from the first memory address; and generating a notification when the check code indicates that the data contains at least one error.

35. The method of claim 34, wherein an error detection code is generated based on the first memory address and the data before the data is stored at the first memory address, and the check code indicates that the data contains at least one error when the check code does not match the error detection code.

36. The method of any one of clauses 33 to 35, wherein the memory includes a first subsection and a second subsection, the first subsection including a first memory address and the second subsection including a second memory address, the method further including writing a new error detection code to each memory address in the second subsection during the boot procedure.

37. A method performed by a circuit operating at a first risk classification level, the method including: obtaining data from a first memory address of a memory operating at a second risk classification level indicating a lower level of risk than the first risk classification level; determining a second memory address in the memory based at least in part on the first memory address; obtaining an error detection code from the second memory address; and generating a notification when the error detection code indicates that the data contains at least one error.

38. The method of clause 37, further comprising: generating a check code based on the first memory address and the data obtained from the first memory address; and determining whether the check code matches an error detection code, the error detection code indicating that the data contains at least one error when the error detection code does not match the check code.

39. The method of claim 37 or 38, wherein the circuitry obtains data from the first memory address during the first memory access, and the circuitry obtains the error detection code from the second memory address during the second memory access, and the method further includes creating a time delay between the first memory access and the second memory access.

40. The method of any one of clauses 37 to 39, wherein the circuit includes a first block and a second block, and the method further includes sending, by the first block, a read request to the second block for data stored at the first memory address, and receiving, by the second block, the read request, the second block obtaining the data, obtaining an error detection code, and generating a notification when the error detection code indicates that the data contains at least one error.

41. The method of claim 40, wherein a read timer is started when the first block sends a read request, the method further including generating a read error by the first block when the read timer indicates that more than a predetermined time has elapsed before the first block receives data.

42. The method of clause 40 or 41, further comprising: sending a write request by the first block to the second block before the first block sends the read request, the write request including data and the first memory address; determining an error detection code by the second block before the first block sends the read request; determining a second memory address by the second block before the first block sends the read request; and storing the data at the first memory address and the error detection code in the second memory by the second block before the first block sends the read request.

43. The method of claim 42, wherein a write timer is started when the first block sends a write request, the method further including generating a write error by the first block when the write timer indicates that more than a first predetermined time has elapsed before the first block receives a response from the memory.

44. The method of claim 43, wherein a read timer is started when the first block sends a read request, the method further including generating a read error by the first block when the read timer indicates that more than a second predetermined time has elapsed before the first block receives the data.

45. The method of any one of clauses 42 to 44, wherein the second block stores data at the first memory address during the first memory access and the second block stores an error detection code at the second memory address during the second memory access, the method further comprising creating a time delay between the first memory access and the second memory access.

46. The method of any one of clauses 37 to 45, further comprising writing an error detection code to the second memory address during the boot procedure.

47. The method of any one of clauses 37 to 46, wherein the first risk classification level and the second risk classification level are each an Automotive Safety Indicator Level ("ASIL").

48. The method of any one of clauses 37 to 47, wherein the error detection code is a cyclic redundancy check code or an error correction code.

The use of the terms "a" and "an" and "the" and similar references in the context of describing the disclosed embodiments (particularly in the context of the following claims) should be construed to cover both the singular and the plural, and not as a definition of the terms, unless otherwise specified herein or clearly contradicted by context. The terms "comprising," "having," "including," and "containing" are to be construed as open-ended terms (meaning "including, but not limited to"), unless otherwise specified. The term "connected," when unmodified and referring to a physical connection, should be construed as being partially or wholly contained within, attached to, or joined together, even if there is something intervening. The description of ranges of values herein is merely intended as a shorthand method of individually referring to each separate value in the range, unless otherwise stated herein, and each separate value is incorporated herein as if it were individually stated herein. In at least one embodiment, use of the term "set" or "subset" (e.g., "set of items") should be construed as a non-empty collection containing one or more members, unless otherwise stated or otherwise contradicted by context. Furthermore, unless otherwise stated or otherwise clearly contradicted by context, the term "subset" of a corresponding set does not necessarily indicate a proper subset of the corresponding set, and a subset and a corresponding set may be equivalent.

As used herein, the term "and/or" with respect to two or more elements should be construed to mean only one element or a combination of elements. For example, "element A, element B, and/or element C" may include element A only, element B only, element C only, elements A and element B, elements A and element C, elements B and element C, or elements A, B, and C.

Conjunctive language such as phrases of the form "at least one of A, B, and C" or "at least one of A, B and C" is understood to mean that, unless specifically stated otherwise or clearly contradicted by context, the item, term, etc., in the context in which it is commonly used to date, may be either A or B or C, or any non-empty subset of the set A and B and C. For example, in the illustrative example of a set having three members, the conjunctive phrases "at least one of A, B, and C" and "at least one of A, B, and C" refer to any of the following sets: {A}, {B}, {C}, {A,B}, {A,C}, {B,C}, {A,B,C}. Thus, such conjunctive language is not intended to imply that at least one of A, at least one of B, and at least one of C are required to be present in a particular embodiment. Additionally, unless otherwise specified or contradicted by context, the term "plurality" refers to a plurality (e.g., "plurality of items" refers to a number of items). In at least one embodiment, the number of items in a plurality is at least two, but may be more if indicated explicitly or by context. Additionally, unless otherwise specified or clear from context, the phrase "based on" means "based at least in part on" and not "based solely on."

The operations of the processes described herein may be performed in any suitable order unless otherwise indicated herein or clearly contradicted by context. In at least one embodiment, processes such as the processes described herein (or variations and/or combinations thereof) are performed under the control of one or more computer systems configured with executable instructions and implemented by hardware or a combination thereof as code (e.g., executable instructions, one or more computer programs, or one or more applications) that collectively execute on one or more processors. In at least one embodiment, the code is stored on a computer-readable storage medium. In at least one embodiment, the code is stored in the form of a computer program that includes a plurality of instructions executable by one or more processors. In at least one embodiment, the computer-readable storage medium is a non-transitory computer-readable storage medium that excludes transitory signals (e.g., propagating transient electrical or electromagnetic transmissions), but includes non-transitory data storage circuitry (e.g., buffers, caches, and queues) in a transceiver of the transitory signal. In at least one embodiment, code (e.g., executable code or source code) is stored in a set of one or more non-transitory computer readable storage media (or other memory that stores executable instructions) on which executable instructions are stored. The executable instructions, when executed (i.e., as a result of being executed) by one or more processors of a computer system, cause the computer system to perform the operations described herein. In at least one embodiment, the set of non-transitory computer readable storage media includes multiple non-transitory computer readable storage media, where one or more of the individual non-transitory storage media of the multiple non-transitory computer readable storage media do not have all the code, but the multiple non-transitory computer readable storage media collectively store all the code. In at least one embodiment, the executable instructions are executed such that different instructions are executed by different processors. In at least one embodiment, the non-transitory computer readable storage media store the instructions, a main central processing unit ("CPU") executes some of the instructions, and a graphics processing unit ("GPU") executes other instructions. In at least one embodiment, different components of a computer system have separate processors, and the different processors execute different subsets of instructions.

Thus, in at least one embodiment, a computer system is configured to implement one or more services that, singly or collectively, perform the operations of the processes described herein, and such a computer system is configured with appropriate hardware and/or software to enable the operations to be performed. Furthermore, a computer system that implements at least one embodiment of the present disclosure is a single device, and in another embodiment, is a distributed computer system that includes multiple devices that operate differently such that the distributed computer system performs the operations described herein and does not perform all the operations on a single device.

The use of any and all illustrative or exemplary language (e.g., "etc.") provided herein is intended merely to better illustrate examples of the disclosure and does not impose limitations on the scope of the disclosure unless specifically claimed. No language in the specification should be construed as indicating any non-claimed element as essential to the practice of the disclosure.

All references cited in this specification, including publications, patent applications, and patents, are hereby incorporated by reference to the same extent as if each reference was individually and specifically indicated to be incorporated by reference and was set forth in its entirety herein.

In the description and claims, the terms "coupled" and "connected," along with their derivatives, may be used. It should be understood that these terms may not be intended as synonyms for each other. Rather, in certain instances, "connected" or "coupled" may be used to indicate that two or more elements are in direct or indirect physical or electrical contact with each other. "Coupled" may also mean that two or more elements are not in direct contact with each other, but still cooperate or interact with each other.

Unless otherwise indicated, it will be understood that throughout the specification, terms such as "processing," "computing," "calculating," "determining," and the like refer to actions and/or processes of a computer or computing system or similar electronic computing device that manipulate data represented as physical quantities (e.g., electronic quantities) in registers and/or memory of the computing system and/or transform such data into other data similarly represented as physical quantities in the memory, registers, or other such information storage, transmission, or display device of the computing system.

Similarly, the term "processor" may refer to any device or portion of a device that processes electronic data from registers and/or memory and converts the electronic data into other electronic data that may be stored in registers and/or memory. As a non-limiting example, a "processor" may be a CPU or a GPU. A "computing platform" may comprise one or more processors. As used herein, a "software" process may include, in at least one embodiment, software and/or hardware entities that perform work over time, such as tasks, threads, and intelligent agents. Also, each process may refer to multiple processes for executing instructions sequentially or in parallel, continuously or intermittently. The terms "system" and "method" are used interchangeably herein to the extent that a system may embody one or more methods and a method may be considered a system.

In at least one embodiment, the arithmetic logic unit is a set of combinatorial logic circuits that takes one or more inputs to generate a result. In at least one embodiment, the arithmetic logic unit is used by the processor to implement mathematical operations such as addition, subtraction, or multiplication. In at least one embodiment, the arithmetic logic unit is used to implement logical operations such as logical AND/OR or XOR. In at least one embodiment, the arithmetic logic unit is stateless and is made from physical switching components such as semiconductor transistors arranged to form logic gates. In at least one embodiment, the arithmetic logic unit may operate internally as a stateful logic circuit with an associated clock. In at least one embodiment, the arithmetic logic unit may be constructed as an asynchronous logic circuit where no internal state is maintained in an associated set of registers. In at least one embodiment, the arithmetic logic unit is used by the processor to combine operands stored in one or more registers of the processor to generate an output that can be stored by the processor in another register or memory location.

In at least one embodiment, processing an instruction obtained by the processor results in the processor presenting one or more inputs or operands to an arithmetic logic unit, causing the arithmetic logic unit to generate a result based at least in part on an instruction code provided to an input of the arithmetic logic unit. In at least one embodiment, the instruction code provided by the processor to the ALU is based at least in part on the instruction to be executed by the processor. In at least one embodiment, combinatorial logic in the ALU processes the inputs and generates an output that is placed on a bus within the processor. In at least one embodiment, upon clocking the processor, the processor selects a destination register, memory location, output device, or output storage location on an output bus such that the result generated by the ALU is sent to the desired location.

References may be made herein to acquiring, collecting, receiving, or inputting analog or digital data into a subsystem, computer system, or computer-implemented machine. In at least one embodiment, the process of acquiring, collecting, receiving, or inputting analog and digital data may be accomplished in various ways, such as receiving the data as a parameter of a function call or a call to an application programming interface. In some implementations, the process of acquiring, collecting, receiving, or inputting analog or digital data may be accomplished by transferring the data over a serial or parallel interface. In another implementation, the process of acquiring, collecting, receiving, or inputting analog or digital data may be accomplished by transferring the data from a providing entity to a collecting entity over a computer network. References may also be made to providing, outputting, transmitting, sending, or presenting analog or digital data. In various instances, the process of providing, outputting, transmitting, sending, or presenting analog or digital data may be accomplished by transferring the data as an input or output parameter of a function call, a parameter of an application programming interface, or an inter-process communication mechanism.

The above discussion provides example implementations of the described techniques, however, other architectures may be used to implement the described functionality and are intended to be within the scope of this disclosure. Additionally, as noted above, while a particular distribution of roles is defined for purposes of discussion, depending on the circumstances, various functions and roles may be distributed and divided in different ways.

Furthermore, although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the claimed subject matter in the appended claims is not necessarily limited to the particular features or acts described. Rather, the specific features and acts are disclosed as exemplary forms of implementing the claims.

The subject matter of the present disclosure has been specifically described herein to satisfy legal requirements. However, the description itself is not intended to limit the scope of the present disclosure. Rather, the inventors contemplate that the claimed subject matter may be embodied in other ways, including different steps or combinations of steps similar to those described in this document, together with other current or future technologies. Furthermore, although the terms "step" and/or "block" may be used herein to imply different elements of the method employed, these terms should not be construed as implying any particular order between the various steps disclosed herein, unless and until the order of the individual steps is explicitly described.

Other variations are within the spirit of the present disclosure. Thus, while the disclosed techniques are susceptible to various modifications and alternative constructions, specific illustrative examples thereof are shown in the drawings and described above in detail. It is to be understood, however, that there is no intention to limit the disclosure to the particular form or forms disclosed, but on the contrary, the intention is to cover all modifications, alternative constructions, and equivalents falling within the spirit and scope of the present disclosure, as defined in the appended claims.

Claims (48)

a memory operable according to a first risk classification level;
and a circuitry operable according to a second risk classification level indicating a higher risk classification than the first risk classification level to determine an error detection code for data to be written to a first memory address in the memory, to determine a second memory address in the memory based at least in part on the first memory address, to store the data at the first memory address, and to store the error detection code at the second memory address. after the data is stored at the first memory address and the error detection code is stored at the second memory address;
2. The system of claim 1, wherein the circuitry retrieves the data from the first memory address, retrieves the error detection code from the second memory address, generates a check code based on the first memory address and the data retrieved from the first memory address, and generates a notification when the error detection code indicates that the data contains at least one error. The system of claim 2, wherein the error detection code indicates that the data contains the at least one error when the error detection code does not match the check code. The system of claim 2, wherein the circuitry obtains the data from the first memory address during a first memory access and obtains the error detection code from the second memory address during a second memory access. a first interface, the data being obtained from the first memory address via the first interface;
3. The system of claim 2, further comprising: a second interface, the error detection code being retrieved from the second memory address through the second interface in parallel with the first interface retrieving the data, the first interface being different from the second interface. The system of claim 4, wherein the circuitry generates a time delay between the first memory access and the second memory access. the memory includes a first subsection and a second subsection;
the first subsection includes the first memory address;
the second subsection includes the second memory address;
2. The system of claim 1, wherein the circuitry writes a new error detection code to each memory address in the second subsection during a boot procedure. The system of claim 1, wherein the circuitry determines the error detection code based on the first memory address and the data before the data is written to the first memory address. the circuit includes a first block and a second block;
the first block sends a write request to the second block, the write request including the data and the first memory address;
2. The system of claim 1, wherein the second block receives the write request, determines the error detection code, determines the second memory address, stores the data at the first memory address, and stores the error detection code at the second memory address. the first block includes a write timer that starts when the first block transmits the write request to the second block;
10. The system of claim 9, wherein the first block generates a write error when the write timer indicates that more than a predetermined time has elapsed before the first block receives a response from the memory. After the first block sends the write request,
the first block sends a read request to the second block for the data stored at the first memory address;
10. The system of claim 9, wherein the second block receives the read request, retrieves the data from the first memory address, retrieves the error detection code from the second memory address, and sends a notification to the first block when the second block determines that the error detection code indicates that the data contains the at least one error. the first block includes a read timer that starts when the first block sends the read request;
12. The system of claim 11, wherein the first block generates a read error when the read timer indicates that more than a predetermined time has elapsed before the first block receives the data. The system of claim 1, wherein the circuitry stores the data at the first memory address during a first memory access and stores the error detection code at the second memory address during a second memory access. The system of claim 13, wherein the circuitry generates a first time delay between the first memory access and the second memory access. The system of claim 1, which is present on a continuous semiconductor material. The system of claim 15, which is implemented as part of a system-on-chip ("SoC") for an automotive vehicle. The system of claim 1, wherein the first risk classification level and the second risk classification level are each an Automotive Safety Level ("ASIL"). The system of claim 1, wherein the error detection code is a cyclic redundancy check code or an error correction code. a memory operating within a first risk classification level, the memory including a separated memory region including a first memory address for storing data and a second memory address for storing an error detection code;
and a circuitry operating within a second risk classification level indicating a higher level of risk than the first risk classification level, the circuitry retrieving the data from the first memory address, retrieving the error detection code from the second memory address, and generating a notification when the error detection code indicates that the data contains at least one error. 20. The system of claim 19, wherein the circuit generates a check code based on the first memory address and the data obtained from the first memory address, and when the error detection code does not match the check code, the error detection code indicates that the data contains the at least one error. the circuit includes a first block and a second block;
the first block sends a read request to the second block for the data stored at the first memory address;
20. The system of claim 19, wherein the second block receives the read request, retrieves the data, retrieves the error detection code, and generates the notification when the error detection code indicates that the data contains the at least one error. 22. The system of claim 21, wherein the first block includes a read timer that starts when the first block sends the read request, and the first block generates an error when the read timer indicates that more than a predetermined time has elapsed before the first block receives the data. before the first block sends the read request;
the first block transmits the data and the first memory address to the second block;
22. The system of claim 21, wherein the second block determines the error detection code, determines the second memory address, stores the data at the first memory address, and stores the error detection code at the second memory address. the first block includes a write timer that starts when the first block transmits the data and the first memory address to the second block;
24. The system of claim 23, wherein the first block generates a write error when the write timer indicates that more than a first predetermined time has elapsed before the first block receives a response from the memory. 25. The system of claim 24, wherein the first block includes a read timer that starts when the first block sends the read request, and the first block generates a read error when the read timer indicates that more than a second predetermined time has elapsed before the first block receives the data from the memory. 20. The system of claim 19, wherein the circuitry obtains the data from the first memory address during a first memory access and obtains the error detection code from the second memory address during a second memory access. The system of claim 26, wherein the circuitry generates a time delay between the first memory access and the second memory access. The system of claim 19, wherein the circuitry writes the error detection code to the second memory address during a boot procedure. The system of claim 19, which is on a continuous semiconductor material. The system of claim 29, which is implemented as part of a system-on-chip ("SoC") for an automotive vehicle. 20. The system of claim 19, wherein the first risk level and the second risk level are each an Automotive Safety Level ("ASIL"). The system of claim 19, wherein the error detection code is a cyclic redundancy check code or an error correction code. 1. A method performed by a circuit operating at a first risk classification level, comprising:
determining an error detection code for data to be written to a first memory address in a memory operating at a second risk classification level indicating a lower level of risk than the first risk classification level;
determining a second memory address within the memory based at least in part on the first memory address;
storing the data at the first memory address and storing the error detection code at the second memory address. retrieving the data from the first memory address after the data has been stored at the first memory address;
after the error detection code is stored in the second memory address, obtaining the error detection code from the second memory address;
generating a check code based on the first memory address and the data obtained from the first memory address;
34. The method of claim 33, further comprising the step of: generating a notification when the check code indicates that the data contains at least one error. the error detection code is generated based on the first memory address and the data before the data is stored at the first memory address;
35. The method of claim 34, wherein the check code indicates that the data contains the at least one error when the check code does not match the error detection code. the memory includes a first subsection and a second subsection, the first subsection includes the first memory address and the second subsection includes the second memory address, the method comprising:
34. The method of claim 33, further comprising the step of writing a new error detection code to each memory address in the second subsection during a boot procedure. 1. A method performed by a circuit operating at a first risk classification level, comprising:
obtaining data from a first memory address of a memory operating at a second risk classification level indicating a lower level of risk than the first risk classification level;
determining a second memory address within the memory based at least in part on the first memory address;
obtaining an error detection code from the second memory address;
generating a notification when the error detection code indicates that the data contains at least one error. generating a check code based on the first memory address and the data obtained from the first memory address;
determining whether the check code matches the error detection code, the error detection code indicating that the data contains the at least one error when the error detection code does not match the check code;
38. The method of claim 37, further comprising: The circuitry obtains the data from the first memory address during a first memory access, and the circuitry obtains the error detection code from the second memory address during a second memory access, and the method further comprises:
38. The method of claim 37, further comprising the step of: creating a time delay between the first memory access and the second memory access. The circuit includes a first block and a second block, and the method includes:
sending, by the first block, a read request to the second block for the data stored at the first memory address;
38. The method of claim 37, further comprising: receiving the read request by the second block, the second block obtaining the data, obtaining the error detection code, and generating the notification when the error detection code indicates that the data contains the at least one error. A read timer is started when the first block sends the read request, and the method further comprises:
41. The method of claim 40, further comprising generating a read error by the first block when the read timer indicates that more than a predetermined time has elapsed before the first block receives the data. sending a write request by the first block to the second block before the first block sends the read request, the write request including the data and the first memory address;
determining, by the second block, the error detection code before the first block sends the read request;
determining, by the second block, the second memory address before the first block sends the read request;
41. The method of claim 40, further comprising the step of causing the second block to store the data at the first memory address and store the error detection code in the second memory before the first block sends the read request. A write timer is started when the first block sends the write request, and the method further comprises:
43. The method of claim 42, further comprising generating a write error by the first block when the write timer indicates that more than a first predetermined time has elapsed before the first block receives a response from the memory. A read timer is started when the first block sends the read request, and the method further comprises:
44. The method of claim 43, further comprising generating a read error by the first block when the read timer indicates that more than a second predetermined time has elapsed before the first block receives the data. the second block stores the data at the first memory address during a first memory access, and the second block stores the error detection code at the second memory address during a second memory access, the method further comprising:
43. The method of claim 42, further comprising the step of: creating a time delay between the first memory access and the second memory access. The method of claim 37, further comprising writing the error detection code to the second memory address during a boot procedure. 38. The method of claim 37, wherein the first risk classification level and the second risk classification level are each an Automotive Safety Level ("ASIL"). The method of claim 37, wherein the error detection code is a cyclic redundancy check code or an error correction code.