WO-2026090772-A1 - CLOCK MONITOR MESSAGE SYNCHRONIZATION BETWEEN MAIN DOMAIN SAFETY MONITOR AND SAFETY ISLAND
Abstract
A method for synchronizing communications between a safety island and a main domain safety monitor includes initiating a safety island booting procedure including loading data stored in memory outside the safety island. The method also includes determining whether a safety island mailbox is ready, after initiating the booting procedure. The method further includes waiting for the safety island mailbox to be ready in response to determining the safety island mailbox is not ready. The method still further includes transmitting a clock monitor message from the safety monitor to the safety island in response to determining the safety island mailbox is ready after waiting for the safety island mailbox to be ready.
Inventors
- HU, Lianghong
- V, Nagabhushan
- JIANG, Zhe
- VACA SANCHEZ, Cesar Antonio
- GUDLUR, Dilip
Assignees
- QUALCOMM INCORPORATED
Dates
- Publication Date
- 20260507
- Application Date
- 20241028
Claims (20)
- A method of synchronizing communications between a safety island and a main domain safety monitor, comprising: initiating a safety island booting procedure including loading data stored in memory outside the safety island; determining whether a safety island mailbox is ready, after initiating the booting procedure; waiting for the safety island mailbox to be ready in response to determining the safety island mailbox is not ready; and transmitting a clock monitor message from the safety monitor to the safety island in response to determining the safety island mailbox is ready after waiting for the safety island mailbox to be ready.
- The method of claim 1, further comprising unlocking additional safety monitor resource manager threads to process messages from other subsystems, prior to determining whether the safety island mailbox is ready.
- The method of claim 1, in which waiting for the safety island mailbox to be ready comprises repeatedly: checking for a mailbox status in response to arrival of a timer pulse; and blocking the transmitting of the clock monitor message until the mailbox status indicates the safety island mailbox is ready.
- The method of claim 3, in which waiting for the safety island mailbox to be ready further comprises: initializing a timer node; and configuring a timer pulse trigger cycle for the timer node.
- The method of claim 4, in which the timer pulse trigger cycle comprises one timer pulse every 25 milliseconds (ms).
- The method of claim 1, in which the memory comprises double data rate (DDR) synchronous dynamic random access memory (SDRAM).
- The method of claim 1, further comprising receiving a clock monitor request from a main domain subsystem before determining whether the safety island mailbox is ready.
- An apparatus for synchronizing communications between a safety island and a main domain safety monitor, comprising: at least one memory; and at least one processor coupled to the at least one memory, the at least one processor configured: to initiate a safety island booting procedure including loading data stored in memory outside the safety island; to determine whether a safety island mailbox is ready, after initiating the booting procedure; to wait for the safety island mailbox to be ready in response to determining the safety island mailbox is not ready; and to transmit a clock monitor message from the safety monitor to the safety island in response to determining the safety island mailbox is ready after waiting for the safety island mailbox to be ready.
- The apparatus of claim 8, in which the at least one processor is further configured to unlock additional safety monitor resource manager threads to process messages from other subsystems, prior to determining whether the safety island mailbox is ready.
- The apparatus of claim 8, in which the at least one processor is further configured to repeatedly: check for a mailbox status in response to arrival of a timer pulse; and block the transmitting of the clock monitor message until the mailbox status indicates the safety island mailbox is ready.
- The apparatus of claim 10, in which the at least one processor is further configured: to initialize a timer node; and to configure a timer pulse trigger cycle for the timer node.
- The apparatus of claim 11, in which the timer pulse trigger cycle comprises one timer pulse every 25 milliseconds (ms).
- The apparatus of claim 8, in which the memory outside the safety island comprises double data rate (DDR) synchronous dynamic random access memory (SDRAM).
- The apparatus of claim 8, in which the at least one processor is further configured to receive a clock monitor request from a main domain subsystem before determining whether the safety island mailbox is ready.
- A non-transitory computer-readable medium having program code recorded thereon, the program code executed by a processor and comprising: program code to initiate a safety island booting procedure including loading data stored in memory outside a safety island; program code to determine whether a safety island mailbox is ready, after initiating the booting procedure; program code to wait for the safety island mailbox to be ready in response to determining the safety island mailbox is not ready; and program code to transmit a clock monitor message from a safety monitor to the safety island in response to determining the safety island mailbox is ready.
- The non-transitory computer-readable medium of claim 15, in which the program code comprises unlocking additional safety monitor resource manager threads to process messages from other subsystems, prior to determining whether the safety island mailbox is ready.
- The non-transitory computer-readable medium of claim 15, in which the program code comprises program code to repeatedly: check for a mailbox status in response to arrival of a timer pulse; and block the transmitting of the clock monitor message until the mailbox status indicates the safety island mailbox is ready.
- The non-transitory computer-readable medium of claim 17, in which the program code comprises: program code to initialize a timer node; and program code to configure a timer pulse trigger cycle for the timer node.
- The non-transitory computer-readable medium of claim 18, in which the timer pulse trigger cycle comprises one timer pulse every 25 milliseconds (ms).
- The non-transitory computer-readable medium of claim 15, in which the memory comprises double data rate (DDR) synchronous dynamic random access memory (SDRAM).
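The gating procedure of claims 1 to 7, as an added worked example in C; this is not code from the patent or from Qualcomm. The simulated safety island, its boot latency expressed in timer pulses, the eight-entry request queue, the message layout and the wait deadline are all constructed assumptions; the claims themselves fix only the 25 ms pulse period, the ready/not-ready mailbox status check and the rule that no clock monitor message is transmitted until that status reads ready.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TIMER_PULSE_MS 25u     /* claims 5/12/19: one timer pulse every 25 ms */
#define MAX_PENDING    8       /* constructed queue depth, not from the patent */

typedef enum { MBOX_NOT_READY = 0, MBOX_READY = 1 } mbox_status_t;

/* Constructed message layout; the patent does not specify the mailbox payload. */
typedef struct { uint8_t subsystem_id; uint32_t clock_hz; } clk_mon_msg_t;

/* Simulated safety island. Its image is loaded from DDR outside the island, so the
 * mailbox becomes ready only after boot_pulses timer pulses (constructed latency). */
typedef struct {
    unsigned      boot_pulses;
    unsigned      elapsed_pulses;
    clk_mon_msg_t delivered[MAX_PENDING];
    size_t        n_delivered;
} safety_island_t;

/* Main-domain safety monitor state. */
typedef struct {
    safety_island_t *si;
    clk_mon_msg_t    pending[MAX_PENDING];  /* requests queued while the mailbox is not ready */
    size_t           n_pending;
    unsigned         pulses_waited;
} safety_monitor_t;

static mbox_status_t si_mailbox_status(const safety_island_t *si) {
    return si->elapsed_pulses >= si->boot_pulses ? MBOX_READY : MBOX_NOT_READY;
}

/* Claim 1, first step: initiate the safety island boot; readiness is asynchronous. */
void sm_initiate_si_boot(safety_monitor_t *sm, safety_island_t *si, unsigned boot_pulses) {
    memset(si, 0, sizeof *si);
    memset(sm, 0, sizeof *sm);
    si->boot_pulses = boot_pulses;
    sm->si = si;
}

/* Claim 7: a clock monitor request from a main-domain subsystem is queued, never
 * written straight into a mailbox that may not be initialised yet. */
bool sm_receive_clock_monitor_request(safety_monitor_t *sm, clk_mon_msg_t req) {
    if (sm->n_pending >= MAX_PENDING) return false;   /* back-pressure instead of a silent drop */
    sm->pending[sm->n_pending++] = req;
    return true;
}

/* The only path that writes to the island; it refuses while the mailbox is not ready. */
int sm_transmit(safety_monitor_t *sm, const clk_mon_msg_t *msg) {
    if (si_mailbox_status(sm->si) != MBOX_READY) return -1;
    sm->si->delivered[sm->si->n_delivered++] = *msg;
    return 0;
}

/* Check the mailbox status; if ready, flush the queue (claim 3: transmission is blocked until then). */
static bool sm_check_and_flush(safety_monitor_t *sm) {
    if (si_mailbox_status(sm->si) != MBOX_READY) return false;
    for (size_t i = 0; i < sm->n_pending; i++) sm_transmit(sm, &sm->pending[i]);
    sm->n_pending = 0;
    return true;
}

/* Claims 1, 3 and 4: determine readiness once after boot initiation, then re-check on
 * every pulse of the 25 ms timer node. Returns the milliseconds waited, or -1 when the
 * deadline passes. max_wait_ms is an added assumption: the patent has no timeout, but a
 * monitor with a fail-safe posture should bound the wait and escalate rather than block forever. */
int sm_wait_for_mailbox(safety_monitor_t *sm, unsigned max_wait_ms) {
    if (sm_check_and_flush(sm)) return 0;
    for (unsigned p = 0; p < max_wait_ms / TIMER_PULSE_MS; p++) {
        sm->si->elapsed_pulses++;                 /* simulated: the island makes boot progress */
        sm->pulses_waited++;
        if (sm_check_and_flush(sm)) return (int)(sm->pulses_waited * TIMER_PULSE_MS);
    }
    return -1;
}

typedef struct { int waited_ms; size_t delivered; size_t still_pending; } demo_result_t;

/* Scenario: two subsystems request clock monitoring before the island is up. */
demo_result_t demo(unsigned boot_pulses, unsigned max_wait_ms) {
    safety_island_t si; safety_monitor_t sm;
    sm_initiate_si_boot(&sm, &si, boot_pulses);
    sm_receive_clock_monitor_request(&sm, (clk_mon_msg_t){ .subsystem_id = 1, .clock_hz = 800000000u });
    sm_receive_clock_monitor_request(&sm, (clk_mon_msg_t){ .subsystem_id = 2, .clock_hz = 19200000u });
    int waited = sm_wait_for_mailbox(&sm, max_wait_ms);
    return (demo_result_t){ waited, si.n_delivered, sm.n_pending };
}

int main(void) {
    demo_result_t ok = demo(3, 500), late = demo(100, 500);
    printf("island ready after %d ms: delivered %zu, pending %zu\n", ok.waited_ms, ok.delivered, ok.still_pending);
    printf("island never ready: rc %d, delivered %zu, pending %zu\n", late.waited_ms, late.delivered, late.still_pending);
    return 0;
}
```

Two points a practitioner should take from the example. First, the requests received before the island is up are held, not dropped and not written early, so nothing reaches the mailbox region while the island may still be loading it from DDR; `sm_transmit` enforces that independently of the polling loop. Second, the deadline is a design caveat rather than part of the claims: as claimed, the wait is open-ended, and a safety monitor that can block indefinitely on one peer should at least bound the wait and raise a fault. Claim 2's concern, that messages from other subsystems must not be starved while this path is blocked, is addressed by running the loop on its own resource manager thread; the single-threaded demo does not show that.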
Description
CLOCK MONITOR MESSAGE SYNCHRONIZATION BETWEEN MAIN DOMAIN SAFETY MONITOR AND SAFETY ISLAND
FIELD OF THE DISCLOSURE
Aspects of the present disclosure generally relate to computing devices, and more particularly to a method to improve clock monitor message synchronization between a main domain safety monitor and a safety island.
BACKGROUND
Functional safety is an aspect of computer systems design, particularly in automotive, aerospace, industrial automation, and medical device contexts. Functional safety includes implementing mechanisms to increase the likelihood that a system behaves predictably and safely in the presence of faults. Functional safety standards provide frameworks for the development, validation, and verification of safety systems. These standards include rigorous risk assessment, hazard analysis, and the use of redundant and diverse design techniques to mitigate potential hazards. Strategies for implementing functional safety involve built-in self-tests (BISTs), safety integrity levels (SILs), fail-safe and fail-operational modes, architectures including safety islands, and comprehensive safety case documentation to demonstrate that safety specifications are satisfied throughout the product lifecycle.
In the automotive industry, vehicles are rated via an Automotive Safety Integrity Level (ASIL) rating system. ASIL ratings, ranging from ASIL-A to ASIL-D, categorize the severity of potential hazards and the rigor specified to mitigate the hazards. ASIL-A represents the lowest safety integrity level and is awarded to systems implementing fewer safety measures, while ASIL-D signifies the highest safety integrity level and is awarded to systems implementing more stringent safety protocols. These ratings guide automotive development, validation, and verification processes to increase the likelihood that automotive systems can operate safely, even in the presence of faults.
The ASIL framework encompasses risk assessment, hazard analysis, and the implementation of redundant and diverse safety mechanisms to prevent or mitigate failures. Deploying safety islands, which may monitor clock frequencies for subsystems operating outside the safety island, is one technique for ensuring safety specifications are satisfied.
SUMMARY
In aspects of the present disclosure, a method for synchronizing communications between a safety island and a main domain safety monitor includes initiating a safety island booting procedure including loading data stored in memory outside the safety island. The method also includes determining whether a safety island mailbox is ready, after initiating the booting procedure. The method further includes waiting for the safety island mailbox to be ready in response to determining the safety island mailbox is not ready. The method still further includes transmitting a clock monitor message from the safety monitor to the safety island in response to determining the safety island mailbox is ready after waiting for the safety island mailbox to be ready.
Other aspects of the present disclosure are directed to an apparatus. The apparatus has one or more memories and one or more processors coupled to the memory. The processor(s) is configured to initiate a safety island booting procedure including loading data stored in memory outside the safety island. The processor(s) is also configured to determine whether a safety island mailbox is ready, after initiating the booting procedure. The processor(s) is further configured to wait for the safety island mailbox to be ready in response to determining the safety island mailbox is not ready. The processor(s) is still further configured to transmit a clock monitor message from the safety monitor to the safety island in response to determining the safety island mailbox is ready after waiting for the safety island mailbox to be ready.
In other aspects of the present disclosure, a non-transitory computer-readable medium with program code recorded thereon is disclosed. The program code is executed by a processor and includes program code to initiate a safety island booting procedure including loading data stored in memory outside the safety island. The program code also includes program code to determine whether a safety island mailbox is ready, after initiating the booting procedure. The program code further includes program code to wait for the safety island mailbox to be ready in response to determining the safety island mailbox is not ready. The program code still further includes program code to transmit a clock monitor message from the safety monitor to the safety island in response to determining the safety island mailbox is ready after waiting for the safety island mailbox to be ready. Additional features and advantages of the disclosure will be described below. It should be appreciated by those skilled in the art that this disclosure may be readily utilized as a basis for modifying or designing other structures for