Safety intended Re-configurable Automotive microcontroller with reduced boot-up time

Ashish Kumar Gupta, Shubhra Singh, Garima Jain (Freescale)

Existing Microcontrollers have multiple regulators for a single supply in an SoC. In these regulators generally one is the main regulator which has the maximum load taking capacity and has a smaller bandwidth and other regulators which can take small loads and have a quick response time are the auxiliary regulators. Partial power failure is a term which describes a situation in which for such an SoC where there are a number of regulators for one supply, atleast one of the regulators is working. These SoCs are usually scrapped in case of any partial power failure during production. This is turn affects the yield. These SoCs don’t have the fail safe mechanism through which they can work in case of a partial power failure.

This paper addresses these issues associated with partial power failures. It proposes a technique using which the user can get a basic warning that there is a failure and can also diagnose the problem, enhancing safety. Also the user can run small applications if needed. This can add Re-Configurability to the SoC and they can be used for low end functionalities. Additionally starting smaller system with Auxiliary regulator even before Main Regulator is up targets speeding up device boot up (Fig 3). Below are the main features of proposed design improvements:

• Starting system with Auxiliary regulator and seamlessly switching to main regulator.
• The proposed architecture provides infrastructure to support small low speed applications in case of failure of main regulator.
• In case of partial power failure (Main or Aux), a dead chip situation will not prevail and the customer gets the failure information.
• In case parts failed during production because of main regulator issues chip can be shipped as a low end device. This improves the yield.

Since the proposed architecture talks about running low speed applications with only one regulator the architecture has two logic domains based on which regulator needs to bring up what modules in the SoC.

The SoC can be divided into two logic domains:

• Reduced Logic Domain (RLD)
  Some logic can start functioning before and we can save time to do necessary configuration before coming out of Device Reset (RUN mode). In this mode most of the logic is clock gated in the live domain. This will ensure that there won’t be current surges during start-up.
• Enhanced Logic Domain (ELD)
  Rest of the logic, mainly high performance modules can reside in this domain. In case of full power up, when main regulator is UP, this domain along with RLD supports the full application.

The domains can be separated using switches (Refer Fig. 1). The Switch open/close protocol is as mentioned below:

• During power up all the switches are open.
• When POR_AUX_LV is released SW_Aux is closed (POR_AUX_LV is an indicator that VDD_LV AUX is above a certain threshold and can be used in the logic in the chip).
• With this the RLD starts to power up (the modules are enabled), and as soon as all but main regulator LVDs are released the system moves forward in phase sequence.
• Some logic can start functioning before the Main regulator comes alive and we can save time to do necessary configuration before coming out of Device Reset (entering the RUN mode). In this mode most of the logic is clock gated in live domain. This will ensure that there won’t be current surges during start-up.
• After some time, when POR_MAIN_LV is released (when VDD_LV MAIN crosses a certain safe threshold) then first SW_main is closed and then SW_xdomain is also closed.

Implementation of the Fail safe mechanism scheme (for safety) Refer Fig. 2

1. If there is permanent failure in the main voltage regulator, switches SW_main & SW_xdomain will remain open. Refer Fig. 5
   1. The device will boot-up with RLD only. Reduced application can be run in this case in lower frequency.
   2. If main regulator is not lifted and the timer expires then the chip starts uses the Auxiliary regulator. (Clock gating is removed for all logic working in RLD)
2. In case of failure of Auxiliary regulator, the switch SW_aux will not be closed, only when the Main regulator is up then SW_main & SW_xdomain will close and the complete SoC will run on the Main regulator. Refer Fig. 6 for a better understanding of the same.
   1. Full system will boot-up on main regulator in this case and so the concept of fast boot-up is not applicable in this case.

In both the above cases the indication/information of failure will be stored in status registers, to inform the customer of the same.

Modules that need to be in RL Domain are those without which Chip cannot boot or perform debug (perform the basic functionalities in an SoC). For example:

Clocking and reset modules, test/self-test related modules, Main processor + associated logic, basic Debug IP’s, Few Communication IP’s, Basic Safety IP’s, RAM’s, FLASH ROM, BAM, reduced IP set. Selectable Start Address for RLD only and Full Functionality DCF’s on the fly on detection of Main Regulator Failure. Also isolation is required for signals used in interactions between ELD to RLD

We can further reduce RLD logic by using Separate crossbars, AIPS, CGL etc for RLD and ELD. Also if safety is not important we can further reduce logic by putting multiple instances of MEMU, FCCU with reduced number of fault/errors to handle or can also remove them altogether.

Application use case examples:

If there is a failure in the Airbag because of chip not coming out of POR condition( POR_LV AUX and POR_LV MAIN both not lifted), it is not possible to detect if the chip has failed without the support of external component that can be used to watch the chip failure ,for example external watchdog to monitor chip out of reset condition, and this will in turn increase the Cost of overall system (Also if chip is not coming out of reset there is no indication of a failure occurrence). The design that we are proposing can start and some application can be run to register failure conditions and also to diagnose the failure as software can be executed with even a single regulator.

In ADAS system which provide various features like Lane Departure/Collision Warning, Pattern recognition, Feature extraction, Automatic Cruise Control, Pedestrian Protection, Headlights Control etc. we can use the bare minimal features so that the driver may get some sort of text and/or acoustical warning signals on certain conditions instead of displaying continuous images in TFT as was intended in full application or sample images at half or one-fourth speed and still provide some blur image and text warnings.

Fig1. Proposed Architecture for the SoC

Fig2. Fail safe mechanism scheme Flow chart

Fig3. Proof of saving on the Boot Up Time with auxiliary regulator

Fig4. Reduced bootup time figure with both regulators working

Fig5. SoC running on only the Auxiliary regulator , Main regulator faulty, SW_xdomain and SW_MAIN remain open

Fig6. SoC running on only the Main Regulator, the Auxiliary regulator is faulty and SW_AUX remains open