Moving vehicles into the software realm Page 12
AUGUST 2021
Automotive lidar slides down the cost curve Page 28
Powering EVs with silicon carbide Page 42
A SUPPLEMENT TO DESIGN WORLD
AUTONOMOUS & CONNECTED VEHICLES Cover FINAL — ACV HB 08-21.indd 1
7/30/21 3:32 PM
210625_AutoPLC_DW_US.indd 1
6/21/21 4:19 PM
EE-DW AutoHdbk K-Blog_CCAFH_EV_6-21p.indd 1
5/5/21 10:38 AM
AUTONOMOUS & CONNECTED VEHICLES
SAY GOODBYE TO CROSS-COUNTRY ROAD TRIPS OFFICIALS ESTIMATE it will cost $50 billion to field the chargers needed for the expected number of electric vehicles on U.S. roads by 2030. But it’s possible that spending every penny of this amount won’t prevent the extinction of the cross-country road trip. Here’s the logic behind that statement: It’s easy to find stories on the internet of people driving 3,000 miles from New York to Los Angeles in about three to five days. Those taking five days average about 600 miles a day and spend 10 to 12 hours behind the wheel at a stretch, gas stops included. Now consider that experience in an electric vehicle. Right now, the EV with the longest range is a version of the 2021 Tesla Model S, coming in at 387 miles. When out of juice, it pulls up to a V3 Tesla Supercharger and is at 100% charge about an hour later. Of course, the one-hour recharge time assumes there’s no one else in line. That may be a bad assumption when most cars on the road are EVs. Unlike gas pumps where the experience of three cars in line ahead of you is just annoying, three EVs ahead of you at a charger kills the afternoon. That
wait time may be OK for EV owners who can work in their office or sit at home while their car recharges. It is not OK for drivers cooling their heels at a turnpike rest stop. So much for covering 600 miles in a day. Those making a cross-country trip in this Tesla could easily end up spending half their travel time waiting at rest stops. Some pundits claim EVs in 2030 will be getting 600 miles per charge, but that’s speculative. Even if such ranges are available, they’ll likely be confined to high-end vehicles. Most EVs on the road in 2030 are more likely to have ranges closer to today’s Tesla Model S. And charge time isn’t likely to be the only logistical issue discouraging road trips. A turnpike rest stop today might have two dozen gas pumps. That’s fine when refueling takes five minutes but not when it takes an hour. It is not unreasonable to expect rest stops to host double or triple that number of recharging stations. But on that scale, grid capacity may become problematic. Consider that top-end chargers today operate at 600 V and 50 A when going full blast. That means 30 of them sitting at a turnpike rest stop would draw close to a megawatt at full capacity. That amount is equivalent to the peak load of a U.S. suburb. So it’s possible the average rest stop won’t
be able to power all its EV chargers during times of peak grid load. Now suppose an acre of PV panels surrounding the rest stop helps handle the load. An acre of solar panels provides an average of 1 MWh per day. Back-ofthe-envelope calculations show a solar installation that size can simultaneously power only about five superchargers, but only when the sun shines. These factors combined make a long road trip in an EV look more like a nightmare than an adventure. Perhaps trips in hydrogen-powered fuel-cell vehicles will be more attractive. Hydrogen FCVs have their own logistical issues, but refueling time isn’t one of them. All in all, it’s easy to conclude that vehicles powered by internal combustion engines may be here a bit longer than pundits predict.
LEL AND TESCHLER • E XECUTIV E EDITOR 2
DESIGN WORLD — EE NETWORK
8 • 2021
eeworldonline.com | designworldonline.com
SEARCH MILLIONS OF PARTS FROM THOUSANDS OF SUPPLIERS
PRICING & AVAILABILITY
DATA SHEETS & SPECS
SOURCE & PURCHASE
Get real-time pricing and stock info from authorized distributors and manufacturers.
View and download product data sheets and technical specifications.
Compare options from suppliers and buy direct from distributors and manufacturers.
ABOUT DESIGNFAST
DesignFast is a search engine for finding engineering components and products. With DesignFast, engineers and sourcing professionals can quickly search for products, compare prices, check stock, view data sheets and go direct to the supplier for purchase.
HOW DOES IT WORK?
DesignFast aggregates product data from thousands of suppliers and distributors and makes it available for searching. DesignFast provides pricing, availability and product data sheets for free download.
designfast.com
DESIGN WORLD FOLLOW THE WHOLE TEAM ON TWITTER @DESIGNWORLD
EDITORIAL VP, Editorial Director Paul J. Heney pheney@wtwhmedia.com @wtwh_paulheney Senior Contributing Editor Leslie Langnau llangnau@wtwhmedia.com @dw_3Dprinting Executive Editor Leland Teschler lteschler@wtwhmedia.com @dw_LeeTeschler Senior Editor Aimee Kalnoskas akalnoskas@wtwhmedia.com @eeworld_aimee Editor Martin Rowe mrowe@wtwhmedia.com @measurementblue Executive Editor Lisa Eitel leitel@wtwhmedia.com @dw_LisaEitel Senior Editor Miles Budimir mbudimir@wtwhmedia.com @dw_Motion Senior Editor Mary Gannon mgannon@wtwhmedia.com @dw_MaryGannon Associate Editor Mike Santora msantora@wtwhmedia.com @dw_MikeSantora
FINANCE
CREATIVE SERVICES & PRINT PRODUCTION VP, Creative Services Mark Rook mrook@wtwhmedia.com @wtwh_graphics Art Director Matthew Claney mclaney@wtwhmedia.com @wtwh_designer Graphic Designer Allison Washko awashko@wtwhmedia.com @wtwh_allison
Graphic Designer Mariel Evans mevans@wtwhmedia.com @wtwh_mariel Director, Audience Development Bruce Sprague bsprague@wtwhmedia.com
IN-PERSON EVENTS Events Manager Jen Osborne jkolasky@wtwhmedia.com @wtwh_Jen Event Marketing Specialist Olivia Zemanek ozemanek@wtwhmedia.com
VIDEOGRAPHY SERVICES Video Manager Bradley Voyten bvoyten@wtwhmedia.com @bv10wtwh Videographer Garrett McCafferty gmccafferty@wtwhmedia.com
Controller Brian Korsberg bkorsberg@wtwhmedia.com
DESIGN WORLD — EE NETWORK
ONLINE DEVELOPMENT & PRODUCTION
VP, Digital Marketing Virginia Goulding vgoulding@wtwhmedia.com @wtwh_virginia
Web Development Manager B. David Miyares dmiyares@wtwhmedia.com @wtwh_WebDave
Digital Marketing Specialist Sean Kwiatkowski skwiatkowski@wtwhmedia.com
Senior Digital Media Manager Patrick Curran pcurran@wtwhmedia.com @wtwhseopatrick
Digital Production/ Marketing Designer Samantha King sking@wtwhmedia.com
Front End Developer Melissa Annand mannand@wtwhmedia.com
Graphic Designer Hannah Bragg hbragg@wtwhmedia.com
Software Engineer David Bozentka dbozentka@wtwhmedia.com
Senior Manager Webinars/ Virtual Events Lisa Rosen lrosen@wtwhmedia.com
Digital Production Manager Reggie Hall rhall@wtwhmedia.com
Webinar Coordinator Halle Kirsh hkirsh@wtwhmedia.com
Digital Production Specialist Nicole Lender nlender@wtwhmedia.com
Webinar Coordinator Kim Dorsey kdorsey@wtwhmedia.com
Digital Production Specialist Elise Ondak eondak@wtwhmedia.com
PRODUCTION SERVICES
Digital Production Specialist Nicole Johnson njohnson@wtwhmedia.com
Customer Service Manager Stephanie Hulett shulett@wtwhmedia.com Customer Service Representative Tracy Powers tpowers@wtwhmedia.com
VP, Strategic Initiatives Jay Hopper jhopper@wtwhmedia.com
Customer Service Representative JoAnn Martin jmartin@wtwhmedia.com Customer Service Representative Renee Massey-Linston renee@wtwhmedia.com
2011- 2019
2014 Winner
2014 - 2016
Customer Service Representative Cathy Anthony-Gudel canthonygudel@wtwhmedia.com
Accounts Receivable Specialist Jamila Milton jmilton@wtwhmedia.com
4
MARKETING
8 • 2021
eeworldonline.com
|
designworldonline.com
CONTENTS AUTONOMOUS & CONNECTED VEHICLES HANDBOOK • AUGUST 2021
02
SAY GOODBYE TO CROSS-COUNTRY ROAD TRIPS
06
RTK NAVIGATION TECHNOLOGIES FOR AUTONOMOUS VEHICLES
REAL-TIME KINEMATIC POSITIONING BRINGS HIGH-ACCURACY TO THE AUTONOMOUS VEHICLE INDUSTRY WITHOUT BREAKING THE BANK.
10
LOW-POWER WI-FI ENABLES NEXT-GENERATION VEHICLE THEFT-PREVENTION TECHNOLOGY
THIEVES MAY SOON LEARN THAT IT DOESN’T PAY TO MESS WITH A CONNECTED VEHICLE.
12
MOVING VEHICLES INTO THE SOFTWARE REALM
NEW PROCESSORS HAVE BEEN DEVELOPED WITH VEHICLE SAFETY AND CONNECTIVITY IN MIND.
14
SENSOR-REALISTIC SIMULATION IN REAL TIME
ADVANCED SENSOR SIMULATION TECHNIQUES CAN BE USED TO VALIDATE FUNCTIONS FOR AUTONOMOUS DRIVING THROUGHOUT THE DEVELOPMENT PROCESS.
17
BATTERY PACK PROTECTION KEEPS EVS ON THE ROAD
A FEW BEST PRACTICES FOR HANDLING TRANSIENTS AND OVER-CURRENTS HELP MAKE ELECTRONIC DRIVETRAINS MORE RELIABLE.
20
BASICS OF TIME-SYNCHRONIZED HARDWARE-IN-THE LOOP TESTING
A SPECIAL KIND OF HIL TESTING ACCELERATES THE DEVELOPMENT OF ADVANCED DRIVER- ASSISTANCE SYSTEMS.
24
NAVIGATING IN-VEHICLE NETWORK COMMUNICATIONS SECURELY
HARDWARE SECURITY MODULES HELP THWART HACKERS BENT ON GETTING CONTROL OF EVS.
eeworldonline.com | designworldonline.com
28
AUTOMOTIVE LIDAR SLIDES DOWN THE COST CURVE
IT LOOKS AS THOUGH TECHNIQUES NOW EMERGING FROM RESEARCH LABS WILL HELP MAKE IT AFFORDABLE FOR NEXT-GENERATION AUTONOMOUS VEHICLES TO KEEP OUT OF HARM’S WAY.
32
ASSESSING SAFETY AND PERFORMANCE IN CONNECTED CARS
TESTING AND CERTIFICATION FOR VEHICLE AND INFRASTRUCTURE DEVICES ENSURE SOFTWARE AND SYSTEMS WILL PERFORM AS ADVERTISED.
34
CONTACTLESS SENSING IN THREE DIMENSIONS FOR ADAS
NO-TOUCH SENSOR ICs THAT MEASURE MAGNETIC FIELDS IN THE X, Y, AND Z PLANES HAVE BEEN OPTIMIZED FOR USE IN VEHICULAR APPLICATIONS.
38
NIST TAKES AIM AT POSITIONING SYSTEM SECURITY
A NEW REPORT GIVES GUIDANCE ON CYBERSECURITY F OR POSITIONING, NAVIGATION, AND TIMING SERVICES.
42
POWERING EVS WITH SILICON CARBIDE
A FLYBACK CONVERTER/ISOLATED-GATE-DRIVER COMBO REDUCES THE COST AND COMPLEXITY OF IMPLEMENTING SiC FET DESIGNS IN EV SYSTEMS.
46
MEMORY AND FUNCTIONAL SAFETY IN AUTONOMOUS VEHICLES
AS SOFTWARE AND ITS ASSOCIATED MEMORY FOOTPRINT CONTINUE TO EXPAND IN VEHICLES, AUTOMOTIVE SYSTEM DESIGNERS NEED A DEEPER UNDERSTANDING OF DRAM AND ITS IMPACT.
8 • 2021
DESIGN WORLD — EE NETWORK
5
AUTONOMOUS & CONNECTED VEHICLES
HIGH-PRECISION NAVIGATION EQUIPMENT MUST FUNCTION WELL IN A WIDE RANGE OF HARSH ENVIRONMENTS.
RTK NAVIGATION TECHNOLOGIES FOR AUTONOMOUS VEHICLES REAL-TIME KINEMATIC POSITIONING BRINGS HIGH-ACCURACY TO THE AUTONOMOUS VEHICLE INDUSTRY WITHOUT BREAKING THE BANK. JAMES FENNELLY • ACEINNA INC.
IT’S NO SECRET THAT A
variety of technologies must
work together smoothly and reliably to make autonomous vehicles possible. The technology mix includes inertial measurement units (IMUs), GPS/GNSS, radar, lidar, IR and vision sensors, as well as real-time kinematics (RTK) for reliable absolute position accuracy within inches. In particular, the challenge of precision navigation is considered so important that Darpa has active development efforts to improve navigation and determine exact location with limited or no GPS/GNSS coverage. Precision navigation is the ability of autonomous vehicles to continuously know their absolute and relative position in 3D space, with high levels of high accuracy, repeatability, and confidence. For safe and efficient operation, precise position data must be quickly available, be unrestricted by geography and be economical.
6
DESIGN WORLD — EE NETWORK
8 • 2021
Numerous industries require reliable methods of precise navigation, localization, and micro-positioning. For example, agriculture increasingly uses autonomous or semi-autonomous equipment in cultivating and harvesting the world’s food supply. The recent global pandemic exposed the importance of warehousing, freight and inventory management. The robotics in these industries are only as effective as their ability to accurately position and navigate themselves. Autonomous capability in long-haul and last mile delivery also requires precise navigation. High-precision solutions currently are used in applications such as satellite navigation, commercial aircraft and submarines. However, this equipment comes at a premium ($100s of thousands) and is relatively large (loaf of bread). eeworldonline.com
|
designworldonline.com
NAVIGATION TECHNOLOGY COMPARISON OF IMU/INS APPLICATION, PERFORMANCE, SIZE AND COST
However, recent developments in IMU technology have progressively reduced both size and cost. Hardware has evolved from bulky gimbal gyroscopes to fiber-optic gyroscopes (FOG) and tiny micro electromechanical systems (MEMS) sensors. The success of precision navigation depends on developers and manufacturers bringing down cost and size without sacrificing IMU performance. The resulting technologies enable advances in the position reckoning of drones, agricultural robotics, self-driving cars, and smartphones.
INERTIAL NAVIGATION SYSTEMS AND SENSORS RANGE WIDELY IN PERFORMANCE, SIZE AND COST. THOUGH ORIGINALLY DEVELOPED FOR HIGHLY SPECIALIZED SITUATIONS, ALL CAN NOW BE FOUND IN AUTOMOTIVE APPLICATIONS.
TODAY’S LIMITATIONS OF GPS/GNSS Atmospheric GPS interference and outdated GPS satellite orbital path data can be corrected to get a best-possible calculated position accuracy of around one meter. Multi-path errors in urban areas and poor GPS coverage in others boosts the receiver’s margin of error. This margin of error reduces road-level accuracy, i.e. a vehicle’s knowledge about which road it’s
on. These difficulties highlight the reason for developing higher-precision navigation which will tell vehicles which lane they’re in rather than which road they’re on. Safe operation in a complex, dynamic environment with minimal human intervention requires lane-level or centimeter-level position accuracy. Autonomous and semi-autonomous vehicles use a suite of perception sensors and navigation equipment to maneuver. The limitations of GPS and inertial navigation systems force vehicle systems to boost positioning accuracy via additional means. For example, image and depth data from lidar and cameras, combined with high-definition maps having centimeterlevel accuracy, can be used to calculate vehicle position in real time and with reference to known landmarks and static objects. HD maps contain massive amounts of data including road- and lane-level details and semantics, dynamic
A WIDE VARIET Y OF SENSORS COMBINE DATA TO PROVIDE HIGHLY ACCURATE NAVIGATION.
eeworldonline.com | designworldonline.com
8 • 2021
DESIGN WORLD — EE NETWORK
7
AUTONOMOUS & CONNECTED VEHICLES
REAL-TIME KINEMATIC SYSTEMS CAN GREATLY IMPROVE THE ACCURACY OF LOCATION DATA PROVIDED BY THE GNSS (GLOBAL NAVIGATION SATELLITE SYSTEMS).
behavioral data, traffic data, and much more. Autonomous vehicles make maneuvering decisions by evaluating camera images and/or 3D point clouds cross-referenced to HD map data. Though this method of maneuvering is effective, it has its challenges. HD maps are data intensive, expensive to generate at scale, and must be constantly updated. Moreover, perception sensors are prone to environmental interference, which compromises the quality of their data. The rising number of automated test vehicles on the road generate larger data sets of real-world driving scenarios, and the predictive modeling for localization is becoming more robust. However, all this modeling demands expensive sensors, significant computational power, sophisticated algorithms, high operational maintenance, and terabytes of data collection and processing.
RTK IMPROVES LOCALIZATION The incorporation of real-time kinematics (RTK) into the navigation scheme can boost the accuracy of localization techniques, that is, determining the vehicle’s precise position on the map . RTK is both a technique and a service that corrects errors and ambiguities in GPS/GNSS data to enable centimeter-level accuracy. RTK works with a network of fixed base stations that transmits corrected location data wirelessly to moving vehicles. Each vehicle then integrates this data in its positioning engine to calculate a position in real time. Through RTK, navigation systems can realize accuracy up to 1 cm + 1 ppm of baseline length to the base station. Additionally, this accuracy is available without any additional sensor fusion. More specifically, RTK measures the phase of the GPS carrier wave. It uses a single reference station or interpolated virtual station and a rover to provide real-time corrections and realize centimeter-level accuracies. The base station transmits correction data to the rover. The range to a satellite is essentially calculated by multiplying the carrier wavelength by the number of whole cycles between the satellite and the rover and adding the phase difference. Errors arise because GPS signals may shift in phase by one or more cycles during their journey from the satellite to the receiver. This effect results in an error equal to the error in the estimated number of cycles multiplied by the wavelength, which is 19 cm for the L1 (the first) GPS signal. The error can be reduced with sophisticated statistical methods that compare the measurements from
8
DESIGN WORLD — EE NETWORK
8 • 2021
the coarse acquisition (C/A) code that modulates the GPS carrier and by comparing the resulting ranges between multiple satellites. A great deal of position improvement is available through this technique. For instance, the C/A code in the L1 signal changes phase at 1.023 MHz, but the L1 carrier itself is 1,575.42 MHz, thus changing phase over a thousand times more often. A ±1% error in L1 carrier-phase measurement thus corresponds to a ±1.9-mm error in estimation. In practice, RTK systems use a single base-station receiver and several mobile units. The base station re-broadcasts the phase of the GPS carrier it observes, and the mobile units compare their own phase measurements with that from the base station. This allows the units to calculate their relative position to within millimeters, although their absolute position is accurate only to the same accuracy as the computed position of the base station. The typical nominal accuracy for these systems is 1 cm ± 2 ppm horizontally and 2 cm ± 2 ppm vertically. The process of integrating RTK into a sensor fusion navigation architecture is relatively straightforward. RTK does require connectivity and GNSS coverage to enable the most precise navigation. But in the event of an outage, the vehicle can employ dead reckoning and a highperformance IMU for continued safe operation. RTK bolsters visual localization methodologies by providing precise absolute position, as well as confidence intervals for each position datum. The localization engine uses this information to reduce ambiguities and validate temporal and contextual estimates. Inertial sensors are essential for measuring motion, and GNSS provides valuable contextual awareness about location in 3D space. Adding RTK increases accuracy, reliability and integrity. Vision sensors can enable depth perception and allow the vehicle to predict what is ahead. Data from these various sensors and technologies combine for navigational planning and decision making, to provide outcomes that are safe, precise, and predictable.
REFERENCES ACEINNA, INC., W W W.ACEINNA.COM
eeworldonline.com
|
designworldonline.com
EE Classroom is a syndicated content resource for electronic engineers looking for need-to-know information about various electronic components and systems. Curated by EE World’s editorial team, this digital content hub includes valuable technology background and insights, key trends affecting your designs of today and tomorrow, and frequently asked questions relating to a wide range of important electronic engineering topics. Topics include: • • • • •
Power electronics Embedded computing Test & measurement Sensors Connectivity
To view free educational content, go to www.eeworldonline.com/learning-center
AUTONOMOUS & CONNECTED VEHICLES
LOW-POWER WI-FI ENABLES NEXT-GENERATION VEHICLE THEFT-PREVENTION TECHNOLOGY THIEVES MAY SOON LEARN THAT IT DOESN’T PAY TO MESS WITH A CONNECTED VEHICLE.
MORE THAN THREE MILLION CARS are sold in the U.S. annually, and over 700,000 are stolen. Unfortunately for car owners, anti-theft technologies have not kept pace with modern developments, creating a gaping hole in the automotive theft and recovery market. Conventional anti-theft products have been expensive, complex to install, and difficult to use. They often involve modifications to the vehicle wiring and a time-intensive installation. Moreover, the process of tracking and finding stolen vehicles has generally required specialty tools used exclusively by law enforcement. There is another challenge facing car dealers responsible for managing hundreds or thousands of vehicles across massive car lots: It’s hard to imagine a more difficult commodity to keep track of than vehicles which, by design, tend to move around. Salespeople must be able to locate specific cars at a moment’s notice. And it’s challenging to sell something if you don’t know where it is. Vehicle theft prevention and asset tracking are widely recognized problems. Recently, a new approach has emerged for both dilemmas. Kudelski IoT, part of The Kudelski Group, has a long track record of asset protection. Kudelski IoT’s RecovR lot management and theft recovery system brings the IoT to bear on both asset tracking and theft prevention while pulling off the elusive combination of low energy consumption with cellular, BLE and Wi-Fi networking. This approach is both a step forward for theft recovery and promotes sales velocity for dealers – first by making inventory more manageable, but also by being a no-cost, no-risk proposition. Kudelski’s system is easy to install, simple for salespeople to demo to customers, and easy to remove if the customer doesn’t want it. Wireless asset tracking isn’t much good unless it’s part of a network. The problem is obviously coverage. A stolen car – or one parked on a massive sales lot – is likely to pass through several different indoor and outdoor locations. By leveraging Wi-Fi and BLE in addition to cellular and GPS connectivity, Silicon Labs RS9116 Wi-Fi and Bluetooth transceiver modules allow RecovR to track and locate
10
DESIGN WORLD — EE NETWORK
8 • 2021
MIKE NORRIS • SILICON LABS
vehicles in multiple ways: via GPS and cellular for locations with good coverage and line of sight, BLE and Wi-Fi for indoor tracking where Bluetooth beacons or Wi-Fi SSIDs are present. These chips can run for five years on a single battery. This ultralow power consumption – atypical among Wi-Fi transceivers – is accomplished by engineering an optimum balance between the device’s listening and standby modes, which are measured at 14 mA and less than 10 µA respectively. The process or tracking cars with the RecovR system works this way: For each new car arriving at the THE KUDELSKI IoT NEXTdealership, a RecovR GENERATION DEALERSHIP LOT device is scanned and MANAGEMENT & CONSUMER associated with the THEFT RECOVERY DEVICE EMPLOYS car’s VIN number. Then THE SILICON L ABS RS9116 RF the RecovR is hidden in MODULE. THE DEVICE IS SECRETED IN A VEHICLE AND NEEDN’T BE CONNECTED TO THE VEHICLE BAT TERY. IT OFFERS A FIVE-YEAR BAT TERY LIFE, CONTAINS MULTIPLE POSITIONING, COMMUNICATION AND SENSOR TECHNOLOGIES, AND IS FULLY INTEGRATED WITH CLOUD AND MOBILE APPLICATIONS.
eeworldonline.com
|
designworldonline.com
VEHICLE THEFT PREVENTION
B00 MODULE BLOCK DIAGRAM WITH AND WITHOUT EXTERNAL FL ASH
RS9116 CONNECTIVITY HARDWARE BLOCK DIAGRAM
THE SILICON L ABS RS9116 MODULE USED IN THE RECOVR SYSTEM PROVIDES MULTI-PROTOCOL WIRELESS CONNECTIVIT Y INCLUDING 802.11 B/G/N (2.4GHZ), 802.11J, DUAL-MODE BLUETOOTH 5. THE MODULES FEATURE HIGH THROUGHPUT, EXTENDED RANGE WITH POWER-OPTIMIZED PERFORMANCE. THE MODULES ARE ALSO FCC, IC, AND ETSI/CE CERTIFIED.
eeworldonline.com | designworldonline.com
the car somewhere. The device is about the size of a cell phone, so installation, start to finish, takes less than a minute. The dealer knows exactly where that car is and can access that information via desktop or mobile web portals. Ditto for the car buyer who can use a simple app to locate their car. If the vehicle is stolen, the owner can share the location data with the police – statistically speaking, the faster a stolen car can be recovered, the less likely it will be damaged. Because it’s wireless and small, RecovR can be placed anywhere, an important distinction from conventional methods. The fact that RecovR works strictly from a battery provides quite a bit of flexibility. In contrast, there’s only so many places wired systems can be placed in a vehicle and still be hardwired to the car battery, so they become easy targets for thieves to disable. Another secondary benefit to the wireless aspect is that electric vehicles (EVs) have much more sophisticated electronics systems than ICE vehicles. And adding an aftermarket, wired anti-theft measure could invalidate the service agreement. The Wi-Fi RS9116 is available as an SoC or as a pre-certified, prepackaged module. It was the module version which helped Kudelski IoT speed up its development process. The module’s ability to consistently draw only a small amount of power while remaining connected to a Wi-Fi or Bluetooth network dramatically improves power optimization. Other methods typically need more energy to do the same job. Most devices that rely on Wi-Fi and Bluetooth must be charged frequently, daily in some cases. Some devices can mitigate this by connecting intermittently, but this approach isn’t particularly useful for real-time asset tracking. Wi-Fi is increasingly becoming accessible for IoT developers thanks to advances in energy efficiency for RF devices. By creating a multiprotocol solution using multiple radios, RecovR can connect to the strongest network available in a given area, ensuring nationwide coverage. Incorporation of multiple protocols makes it possible for RecovR to communicate over large areas while providing precise location data indoors or in other areas where cellular or GPS connectivity is not available. In a nutshell, Kudelski IoT bucked the long-time status quo of vehicle tracking with wired, costly devices managed by regional police departments. Its wireless tracking battery powered device entails little upfront cost for car dealers and brings immediate value for consumers. Low-power Wi-Fi and Bluetooth are here to stay in the automotive sector, and it’s likely we’ll see additional innovative deployments in other markets.
REFERENCES SILICON L ABS, W W W.SIL ABS.COM KUDELSKI, W W W.KUDELSKI-IOT.COM/SOLUTIONS/ASSET-TRACKING
8 • 2021
DESIGN WORLD — EE NETWORK
11
AUTONOMOUS & CONNECTED VEHICLES
MOVING VEHICLES INTO THE SOFTWARE REALM NEW PROCESSORS HAVE BEEN DEVELOPED WITH VEHICLE SAFETY AND CONNECTIVITY IN MIND. DAVID MAPLE S TEXAS INSTRUMENTS
THE TREND towards autonomous driving, electrification and connectivity to the cloud is making software a priority. That’s why automotive designers are reworking the architecture of modern-day vehicles and migrating toward a software-defined car. Many systems within cars today are a collection of electronic control units (ECUs) with independent functions. These ECUs communicate through a traditional Controller Area Network, Local Interconnect Network, and other low-bandwidth networks. ECUs are also grouped into functional domains such as powertrain control. The hundred or more ECUs in high-end vehicles makes it impractical to implement next-generation functions into each one, however. To work around this limitation, one approach is to replace ECUs with several computing platforms. For example, the vehicle architecture could employ one computing platform to control the features of the interior cabin such as infotainment or the instrument cluster. Another computing platform controls the
12
DESIGN WORLD — EE NETWORK
8 • 2021
motion of the vehicle. A software-defined vehicle architecture enables a variety of benefits across the functional domains of the car, including simpler development and deployment of new features, more efficient communication within the vehicle, and access to cloud computing through edge processing. One of the limitations of a vehicle architecture centered around ECUs is the complexity involved in adding new functions and capabilities. The process of adding features to an existing system can be complicated, slow and error-prone. Aligning software across functional domains in the vehicle simplifies the updating of cars for maintenance and user features. A software-defined vehicle architecture groups functions and systems together into functional domains. Rather than treating individual ECUs or systems separately, OEMs can consider them as a single platform. Once OEMs have developed new features, software-defined vehicle architectures make it easier to add them. Traditionally, drivers purchase a vehicle with features that are fixed. The process of updating them is difficult and expensive. A software-defined eeworldonline.com
|
designworldonline.com
DRA821
SOFTWARE-DEFINED VEHICLES A FUNCTIONAL BLOCK DIAGRAM FOR THE DRA821. A SOLID BL ACK BOX INDICATES THE IP IS PART OF THE EXTENDED MCU (EMCU). A DASHED BL ACK BOX INDICATES THAT SOME INSTANCES OF THE IP ARE PRESENT IN THE EMCU AND SOME INSTANCES ARE PRESENT IN THE NON-EMCU PORTION OF THE MAIN DOMAIN.
vehicle architecture enables over-the-air (OTA) updates, or wireless delivery of software features. Instead of being a complex undertaking involving hundreds of ECUs, the updating process is much more straightforward. OEMs can provide a wide range of software services to customers and use these services as a revenue stream. With OTA updates, adding and updating features can be just as easy as adding features to a phone or tablet.
UPDATING WITH SOA In a software-defined vehicle, a service-oriented architecture (SOA) consists of loosely coupled services that communicate through simple, interoperable interfaces, typically over a network. In a vehicle, for example, the GPS functions might be made available via service calls over the in-vehicle network. Some benefits of an SOA include hardware independence, simplified testing, faster deployment and crossdiscipline application development. SOAs have a long history in other markets such as web services, software-as-a-service, and platform-as-a- service, better known as cloud computing. Another automotive example is that of an ECU specifically designed to provide tire pressure data. It is possible to replace the tire-pressure ECU or to integrate its tasks into a larger, multifunction ECU. Upstream applications use an abstract interface to communicate with an ECU, so changing an ECU or integrating tasks into another ECU via SOA doesn’t affect them. In the case of tire pressure, components of the tire pressure sensor system can be from different vendors or use different sensing technologies because tire pressure data is aggregated in a smaller ECU. Machine learning can help accomplish tasks such as driver assist and predictive maintenance. Machine learning is already widely used in industrial environments where the monitoring of machinery detects and helps anticipate faults. It is possible to integrate machine learning into the vehicle itself, but remote processing centers may provide additional machine-learning features. Another possibility is the use of remote data centers to train machine learning algorithms, then onboarding data to intelligent systems via OTA updates. The processors in a software-defined car require a great deal of compute power, high bandwidth communication, functional safety, and eeworldonline.com | designworldonline.com
security. Compute resources can be further split into those for real time and non-real time functions. The higher-level logic of an implemented feature (i.e. unlock the doors) is not time sensitive. An anti-lock braking system is time sensitive. The brakes must be modulated fast enough to avoid a skid. Non-realtime functions are typically executed in a HLOS based (high-level operating system) compute system similar to that available on a personal computer. Real- time functions execute in an RTOS-based (real time operating system) compute system. There is also a balance between vehicle features that require functional safety and security and features that don’t. For example, the TI DRA821 is designed with these features in mind. At the heart of the DRA821 is a dual-core ARM Cortex A72 cluster with enough processing power to execute all non-real time functions. Four integrated Cortex R5Fs sit alongside the main processor (A72 cluster) to execute the real-time functions. DRA821 integrates the latest security features in an integrated secure subsystem. Further, the device is functional-safety certified by a third-party assessor to the highest ASIL (Automotive Safety Integrity Level), ASIL-D. The DRA821 includes a variety of high-speed I/O, such as a four-port Gigabit TSN Ethernet switch, PCIe and USB3, and traditional automotive peripherals such as CAN-FD and UART/LIN. As safety is paramount in automotive applications, the DRA821 incorporates a range of safety features, including ECC on calculationcritical memories and internal databus, firewalls, self-test diagnostic tools, and error-signaling modules for capturing errors related to functional safety. The DRA821 also integrates a range of security features to protect from external attacks, including secure boot, cryptographic acceleration, trusted execution environment, secure storage, on-the-fly encryption, and a co-processor for security management. A software-defined car is well within the realm of possibility today. The use of software and machine learning systems helps better predict vehicle maintenance while also keeping passengers safe. Softwaredefined cars will fundamentally change how we see automotive technology, and the ability to move vehicles into the software realm allows planning for long-term vehicle updates.
REFERENCES DRA821 JACINTO PROCESSORS, HT TPS://W W W.TI.COM/LIT/DS/SYMLINK/DRA821U.PDF
8 • 2021
DESIGN WORLD — EE NETWORK
13
AUTONOMOUS & CONNECTED VEHICLES
SENSOR-REALISTIC SIMULATION IN REAL TIME CAIUS SEIGER, DR. GREGOR SIEVERS • DSPACE GMBH
ADVANCED SENSOR SIMULATION TECHNIQUES CAN BE USED TO VALIDATE FUNCTIONS FOR AUTONOMOUS DRIVING THROUGHOUT THE DEVELOPMENT PROCESS.
SENSOR-REALISTIC SIMULATION is a powerful way of validating sensor systems, which are an integral part of autonomous vehicles. Increasingly powerful computer systems make it possible to generate realistic sensor data in real time. This ability makes simulation efficient with several benefits for validating sensor control units. An important component for implementing autonomous driving according to SAE Level 5 involves capturing the vehicle environment via environment sensors. Manufacturers use different sensor types-such as cameras, radar, lidar, and ultrasonic sensors--for this purpose. Complex algorithms then merge the sensor data in high-performance processing units and use the results to make decisions. Thus it’s crucial to validate the algorithms for fusion and perception, and those for the overall system. Various validation methods are available. Test drives make it possible to validate the entire autonomous vehicle, but they cover only a few critical situations and are relatively expensive. An industry-proven method for the validation of driver assistance system algorithms is to play back recorded sensor data. For this method, a fleet of specially prepared vehicles is equipped with sensors. The vast volumes of data generated must be stored in powerful in-vehicle data logging systems and transferred to the cloud. The data is then evaluated, anonymized, tagged with terms for better retrieval, and labeled. The labeling is time-consuming and only partly automatable. The recorded data is then stored in a way making it usable for testing during the development process and for release tests. One problem: This storage involves a great deal of time and effort and does not allow for changes in the sensor setup. If the next generation of vehicles is equipped with new sensors, they’ll require more test
14
DESIGN WORLD — EE NETWORK
8 • 2021
ILLUSTRATION IN SRGB FORMAT. (SRGB IS A STANDARD RGB COLOR SPACE CREATED FOR USE ON MONITORS, PRINTERS, AND THE WEB. IT IS OFTEN THE DEFAULT COLOR SPACE FOR IMAGES THAT CONTAIN NO COLOR SPACE INFORMATION, ESPECIALLY IF THE IMAGE PIXELS ARE STORED IN 8-BIT INTEGERS PER COLOR CHANNEL.) THE COLOR OF EACH PIXEL IS CREATED FROM THE BASE COLORS RED, GREEN, AND BLUE. TO CREATE SUCH AN IMAGE, THE RAW DATA MUST PASS THROUGH VARIOUS PROCESSING STEPS. THE CAMERA DETECTORS, WHICH CONVERT ANALOG SIGNALS INTO DIGITAL, CAN DETECT ONLY LIGHT. TO GATHER INFORMATION ON THE COLOR SPECTRUM, THE DETECTORS ARE EQUIPPED WITH COLOR FILTERS THAT LET ONLY A SPECIFIC WAVELENGTH, AND THUS COLOR, PASS.
eeworldonline.com
|
designworldonline.com
DRIVING SIMULATION
ILLUSTRATION OF A HIGHWAY SCENE FROM A BLUE-GREENGREEN-RED IMAGE SENSOR (BAYER SENSOR) THAT CORRESPONDS TO THE RELEVANT RAW DATA FORMAT. THE DATA CAN THEN BE EDITED TO CREATE A HUMAN-READABLE FORMAT. IMPORTING AN SRGB IMAGE INTO AN ECU CAUSES AN ERROR IF THE INTERFACE IS DESIGNED FOR RAW DATA.
drives. Another drawback is that unforeseeable, rare events are difficult if not impossible to recreate. Software-in-the-loop (SIL) and hardware-in-the-loop (HIL) simulation make it possible to test critical traffic scenarios. They can run through a nearly infinite combination of parameters including weather conditions, lens effects, and fault simulation for sensors.
SENSOR-REALISTIC SIMULATION
must also be realistically generated for the sensor. A graphics card is used to compute the raw data in real time because it can process more data in parallel than the main processor. This fact becomes clear from a closer look at radar and lidar sensors, because their metrological computation requires complex ray tracing. For example, suppose radar sensor waves reflect back to the sensor via the guard rail and from another object. Here, the radar detects a ghost target and adds it to the detection list, though the object does not exist.
Simulation has obvious advantages: It lets users configure all relevant components from the vehicle and sensor parameters to the driving maneuvers. And tricky traffic scenarios can be safely reproduced. One of the main challenges of simulation is calculating the realistic sensor data in real time. For driver assistance systems, it is often sufficient to use sensor-independent object lists based on ground truth data (that is, data about the environment not from the vehicle sensors). The object lists are easy to extract from the traffic simulation. In contrast, autonomous vehicles process the raw data captured by a sensor front end in a central control unit. Calculation of the raw sensor data is much more timeconsuming because it is based on the physical properties of each sensor. The raw data format is different for each sensor. When inputting synthetic camera data, it is important to both create subjectively realistic images for the human user and to input the data at the right moment. The data
EX AMPLE SETUP FOR OPEN- AND CLOSED-LOOP HIL SIMUL ATION AND RAW DATA INJECTION.
eeworldonline.com | designworldonline.com
8 • 2021
DESIGN WORLD — EE NETWORK
15
AUTONOMOUS & CONNECTED VEHICLES
These types of operations are complex but can easily be parallelized so the calculated sensor data can be input into the ECU in real time.
HIL TEST FOR SENSOR FUSION CONTROLLERS HIL test benches make it possible to test real ECUs in the lab by stimulating them with recorded or synthetic data. Consider an example setup for open- and closed-loop HIL simulation as well as raw data input for a front camera. Here, the camera image sensor, including the lens, is replaced and simulated by the HIL environment. The dSPACE traffic and vehicle dynamics simulation is executed on a real-time PC with an update interval of 1 msec. In addition, the real-time PC for the restbus simulation (Restbus simulation is a technique used to validate ECU functions by simulating parts of an in-vehicle bus such as the controller area network.) is connected to the vehicle network (CAN, Ethernet, FlexRay, etc.). The results of the vehicle simulation are transferred to a powerful computer. The computer then generates a three-dimensional representation of the environment. The relevant, parameterized sensor models are calculated on the basis of this representation. Simulation and testing providers, such as dSPACE, can furnish these sensor models. As an alternative, users can integrate sensor models from Tier 1 suppliers via the open simulation interface (OSI) which also protects supplier intellectual property. Furthermore, dSPACE supports standards such as OpenDrive for defining streets and OpenScenario as a format for defining scenarios. The raw sensor data is transferred to the dSPACE Environment Sensor Interface Unit (ESI Unit) via the DisplayPort interface of the GPU. This FPGA-based platform executes all remaining parts of the sensor models. For example, it executes light control or simulates the I2C interface of the image sensor. So far, no supplier-independent interface standard has been established for transferring raw sensor data. So a test system for raw sensor data injection must support a wide range of sensor interfaces. The ESI Unit is highly modular and supports all relevant automotive sensor interfaces. Automotive cameras typically use TI FPD-Link III and IV, Maxim GMSL1 and GMSL2, and MIPI CSI-2 with more than 8 Gbit/sec. Most radar and lidar sensors have an automotive Ethernet interface with up to 10 Gbit/ sec. However, the interfaces used for cameras are also increasingly used for radar and lidar. The HIL simulation of autonomous vehicles with dozens of sensors presents a particular challenge. It takes a great deal of processing power (CPU, GPU, FPGA) to realistically simulate all the sensors. In addition, the sensor
16
DESIGN WORLD — EE NETWORK
and bus data must be synchronized depending on the vehicle and sensor architecture. In the case of (rest)bus data, a real-time operating system, such as dSpace SCALEXIO, performs these tasks across multiple computation nodes. The sensor simulation at the raw data level requires both GPUs and FPGAs and thus calls for new synchronization concepts. Furthermore, all components of the simulator setup must be optimized for low end-to-end latencies so the control algorithms of the ECU can be tested. All in all, sensor simulation is a powerful, integrated, and uniform way of validating autonomous vehicles. The dSPACE solution described here ensures a high level of productivity in the validation of sensor-based ECUs at all stages of the development and test process.
REFERENCES DSPACE GMBH, W W W.DSPACE.COM G. SIEVERS ET. AL., DRIVING SIMUL ATION TECHNOLOGIES FOR SENSOR SIMUL ATION IN SIL AND HIL ENVIRONMENTS, DRIVING SIMUL ATION CONFERENCE EUROPE 2018 VR, HTTPS://W W W.RESEARCHGATE.NET/ PUBLICATION/336916095_DRIVING_ SIMUL ATION_TECHNOLOGIES_FOR_SENSOR_ SIMUL ATION_IN_SIL_AND_HIL_ENVIRONMENTS M. MÜLLER, PROTOT YPING AND DATA LOGGING FOR AUTONOMOUS DRIVING, HANSER AUTOMOTIVE 11-12/2019, HTTPS://W W W. HANSER-AUTOMOTIVE.DE/A/FACHARTIKEL/ PROTOT YPING -UND-DATA-LOGGING -FUER-DAS AU-144682 O. MASCHMANN, AI-IN-THE-LOOP, DSPACE MAGAZIN 2/2019, HTTPS://W W W.DSPACE. COM/EN/INC/HOME/APPLICATIONFIELDS/ STORIES/ZF-AI-IN-THE-LOOP.CFM
8 • 2021
eeworldonline.com
|
designworldonline.com
EV CIRCUIT PROTECTION
BATTERY PACK PROTECTION KEEPS EVs ON THE ROAD A FEW BEST PRACTICES FOR HANDLING TRANSIENTS AND OVER-CURRENTS HELP MAKE ELECTRONIC DRIVETRAINS MORE RELIABLE. JAMES COLBY • LITTELFUSE, INC.
AUTOMOTIVE MARKET analysts predict that by 2025, high-end vehicles will contain more than $6,000 in electronic components. Most of these advanced electronics will be in the growing number of electric vehicles (EVs). To ensure robust, reliable, and safe performance, the vehicle electronics must be protected from current overloads, electrostatic discharge (ESD), and transient overloads. The battery pack is the source of the electric vehicle power and a critical, high-cost component of the vehicle.
T YPICAL CIRCUIT BLOCKS FOR A GENERALIZED ENERGY STORAGE SYSTEM WITH RECOMMENDED PROTECTION AND CONTROL COMPONENTS.
EV batteries contain a lot of energy. These battery packs primarily contain large quantities of 4.2-V lithium-ion battery cells, generally operate in the 400 – 500-V range. A battery pack will include approximately 20 modules of lithium-ion cells in parallel-series combinations. Each manufacturer has its own proprietary module and battery pack design with capacities ranging from 35 to 100 kWHr. With 400 –500 V battery packs holding kilowatt-hours of energy, safety is a major concern. For example, a short circuit in one battery component can draw significant power and substantially raise the battery temperature. Here, properly sized current interruption devices and transient overload protection are essential for avoiding catastrophic destruction or damage to the vehicle electronics and potential harm to the vehicle occupants. eeworldonline.com | designworldonline.com
AN EX AMPLE OF A BI-DIRECTIONAL PROTECTIVE ESD DIODE CONSISTING OF T WO T VS DIODES CONNECTED ANODE-TO-ANODE. (REFERENCE: AQXXC -01FTG T VS DIODE ARRAY)
8 • 2021
DESIGN WORLD — EE NETWORK
17
AUTONOMOUS & CONNECTED VEHICLES
AN EX AMPLE T WO-CHANNEL ESD DIODE ARRAY THAT CAN ABSORB TRANSIENTS OF EITHER POL ARIT Y BEFORE THEY DAMAGE CAN LINES. (REFERENCE: AQ24CANA T VS DIODE ARRAY)
The typical EV energy storage system consists of the battery pack, the high-power current interrupt elements, the battery control circuitry, and the communication circuitry that transmits the status of the battery to the main vehicle processor. It’s considered best practice to fuse each sense line of the cells for over-current protection. We suggest a fast-acting fuse for quick response to an over-current. Look for surface-mount fuses to consume minimal space on the module PC board. Also, look for AEC-Q-qualified components that
meet automotive ruggedness standards and operate over a temperature range of -55 to 125° C. To protect the cell pack from system-induced transients, ESD, and other types of transients, we recommend a transient voltage suppressor (TVS) diode. Surface-mount models can absorb up to 1,500 W of transient peak pulse power or up to 200 A of surge current. They also safely withstand an ESD strike of up to 30 kV. Look for versions that have AEC-Q101 automotive-grade qualifications. We also recommend the design include over-current and transient voltage protection for the cell balancing and control circuit. This practice ensures all lithium-ion cells contribute approximately equally to powering the load. A fuse and a TVS diode are warranted. In addition, the communication bus that links modules together should have ESD protection. ESD can be introduced during the assembly process and could create “walking wounded” components or outright catastrophic failures. We recommend a bi-directional ESD diode with ultra-fast response to clamp transients. The whole battery pack assembly should have a fuse to protect against current overloads. Because the battery operates above 400 V, we recommend a time-delay fuse with a voltage rating exceeding the battery output voltage and able to carry the appropriate current capacity. In addition, protection components should be qualified to automotive reliability standards (ISO8820, AEC-Q, etc.).
A control and protect circuit (C&PC) operates the contactor main switch and feeds its status to the battery system controller. The C&PC must operate fast. The circuit typically contains power MOSFETs to open the contactor; and, the MOSFET must switch quickly. We recommend a gate driver chip specifically designed to control MOSFETs. Gate drivers can exhibit rise times under 10 nsec and have high immunity to latch-up conditions. They ensure the MOSFETs operate efficiently. The battery system controller feeds data on the battery packs to the main vehicle microprocessors. It requires current overload and transient voltage protection similar to that for the other circuit blocks. This circuit contains the CAN interface. Data line integrity is critical for uncorrupted data transmission. We suggest these lines be protected with ESD diodes. Fortunately, one component can protect the high and low lines.
PROTECTING BATTERY MODULES We have discussed a master fuse with a high voltage rating on the output of the module. Each individual cell should be fused as well. Low-voltage fuses can serve this purpose. Each module has its own microprocessor to monitor cell status and report it to master controllers. Thus, the wired Interface should use TVS diode arrays to protect the CAN data lines. The battery distribution unit supplies the battery voltage to the various vehicle loads. We suggest a topology of highvoltage fuses and high-voltage/high-current contactors to protect individual loads from current overloads and to isolate each load from all others. This practice protects each load from a failure in any other load. In addition, consider adding contactors to provide a primary level of protection from the battery pack. The main contactors disconnect the battery from the various loads and the electric drivetrain. The precharge contactor (paired with a resistor)
BAT TERY MODULE BLOCK DIAGRAM WITH RECOMMENDED PROTECTION COMPONENTS FOR A SIMPLE SERIES CONNECTION OF THE BAT TERY CELLS.
18
DESIGN WORLD — EE NETWORK
8 • 2021
eeworldonline.com
|
designworldonline.com
EV CIRCUIT PROTECTION
BAT TERY DISTRIBUTION UNIT WITH RECOMMENDED PROTECTION COMPONENTS.
provides a path to initially charge the dc link capacitors to 90% of the battery voltage. This contactor-resistor combination protects the capacitors from the high inrush current that arises when the power to the pack is initially applied. Despite judicious placement of protection components, the battery pack may develop an internal short or be subjected to an external one. How can the damage be contained? Consider including one last line of defense: a hybrid protection and disconnect module. The solution combines current sensing, a fuse, and an ignition system designed to ensure the battery disconnects from the load. The ignition system ensures a fast response of as little as 1 msec, and it punches a section out of the main battery busbar to guarantee the circuit opens and any arcing is extinguished. One self-contained module provides high interrupting-current capability with fast detection and response. The loads are protected from the short circuit current overload. This new technology minimizes damage to the battery. In a nutshell, the complexity of the electric vehicle battery pack architecture points to the necessity for multiple levels of circuit protection. At the module level, the module as a whole and the individual cells require protection from over-current and overloads. The monitoring and control electronics should be fortified with transient voltage protection. The CAN data lines should have ESD and voltage transient protection to ensure undisrupted communication between the battery pack and the main vehicle microprocessors. Incorporating these protection topologies can help to eliminate the occurrence of a battery pack failure.
INNOVATIVE HIGH VIBE / SHOCK CONNECTORS •T&M • INDUSTRIAL • MEDICAL • ROBOTICS • OIL & GAS • AUTONOMOUS VEHICLES
REFERENCES LITTELFUSE AUTOMOTIVE ELECTRONICS APPLICATIONS GUIDE, HTTPS://M.LIT TELFUSE.COM/~/MEDIA/ELECTRONICS/ APPLICATION_GUIDES/LIT TELFUSE_AUTOMOTIVE_ELECTRONICS_ APPLICATIONS_GUIDE.PDF.PDF
®
AUTOMOTIVE ELECTRONICS COUNCIL (AEC) STANDARDS, HTTP://AECOUNCIL.COM/AECDOCUMENTS.HTML
www.LEMO.com 8 • 2021
DESIGN WORLD — EE NETWORK
19
®
AUTONOMOUS & CONNECTED VEHICLES
BASICS OF TIME-SYNCHRONIZED HARDWARE-IN-THE LOOP TESTING A SPECIAL KIND OF HIL TESTING ACCELERATES THE DEVELOPMENT OF ADVANCED DRIVER-ASSISTANCE SYSTEMS. BERNHARD HOLZINGER, AUTOMOTIVE AND ENERGY SOLUTIONS • KEYSIGHT TECHNOLOGIES
INDUSTRY WATCHERS
CHALLENGES IN ADAS VALIDATION
are still
optimistic about the adoption of connected autonomous vehicles (CAVs). But CAVs will only become reality if consumers, regulators and the insurance industry all have an unshakable confidence in the technology. The process of building confidence in advanced driver-assistance systems (ADAS) will entail hundreds of millions of miles of road testing—actual or simulated—to fully explore corner cases and thoroughly validate new designs. ADAS make decisions through use of sensors that perceive the environment of a car and the current driving situation. Today, software-based simulation systems are used to develop and test ADAS functions. However, traditional integration and systemlevel tests cannot ensure ADAS will operate properly in the real world. Further, these tests take place late in the development process. So design changes necessitated by ADAS tests become costly, time-consuming, and delay the start of production (SOP). The strategy to avoid SOP delays starts with higher-level scenario testing performed earlier in the development process. Detailed emulation of real-world conditions enables thorough debugging and troubleshooting of complete subsystems long before vehicles take to the road. The goal of ADAS is to not only assist the driver, but eventually enable fully automated or autonomous driving. The American Automobile Association (AAA) tested the performance of available ADAS for five different brands of cars. The test results were rather disillusioning if one considers the main takeaways: For controlled closed-course evaluations, each test vehicle’s ADAS generally performed to the owner’s manual specifications. But during a roughly 4,000-mile test drive on public roads consisting mainly of freeways, 521 events were noted, translating to approximately one event every eight miles. Most notably, 73% of the events related to lane-keeping functions.
20
DESIGN WORLD — EE NETWORK
8 • 2021
In summary, AAA concluded ADAS interfered more than it assisted. This rather harsh verdict glosses over test results that show ADAS worked as expected in the controlled environment. However, the AAA test drive also illuminates the difficulty in testing ADAS for all the driving scenarios one might encounter on public roads. The results point to a couple of key challenges for ADAS developers: First, it is difficult to create sufficiently high test-coverage that fully addresses the seemingly uncountable number of potential real-world scenarios. Second, the deployment of fully autonomous operation in the future will require significantly more on-board sensors. Consequently, the verification of fully autonomous systems will require increasingly complicated test setups. To address these challenges, it’s worth taking a closer look at the automotive development cycle with an emphasis on verification. Automotive development is often conducted according to a scheme specified in the ISO 26262 framework. Called the V-model, it depicts a development cycle focused on ensuring functional safety. The V model starts with the overall system definition and then moves down through system and component-level design of both hardware and software. The bottom of the V is characterized by the construction of prototypes and the final
SENSORS IN SAE AUTOMATION LEVELS Sensor
L0
L1
L2
L3
L4/L5
RADAR
N/A
0-3
0-5
3-6
6-20
Cameras
N/A
0.1
3-5
3-6
3-6
Ultrasonic
N/A
4-8
8-12
RADAR
RADAR
LIDAR
N/A
0
1
2-3
3+
Secure V2X
No
No
Some
Yes
Yes
eeworldonline.com
|
designworldonline.com
HARDWARE-IN-THE-LOOP TESTING
implementation. The right-hand leg of the V covers verification, moving upward through the testing of individual components, the resulting subsystems, and then the complete system. As engineers progress from module tests towards system validation, they may start with pure simulations, especially when the testing of software is involved. However, the software must interact with the real hardware when progressing up the V-model to submodules and eventually to the complete system, thus increasing the complexity and costs. One way to counteract these potential costs is to find design flaws earlier in the verification cycle, as exemplified by the V-model. This practice helps simplify verification tests, and it also helps prevent failures that can be costly to remedy if found later on. Even so, validation of the complete system requires road testing of a fully integrated vehicle. This approach has two noteworthy shortcomings: First it is
expensive and, second, the results obtained from random, real-world environmental conditions are not easily reproducible. Reproducibility becomes important if the system-under-test is producing intermittently erroneous behavior. Consider an adaptive cruise control system as an example. Based on inputs from a radar sensor, the system should control braking and acceleration to produce the desired cruising speed or maintain a safe distance from a vehicle directly ahead. Verification of the control algorithm starts with a simulation system that replicates the road environment, the radar sensor, and the physical behavior of the car. The simulation can verify the behavior of the algorithm in different scenarios. This type of test setup is referred to as software in the loop (SiL). Over time, hardware elements can be added to the system. For instance, a test setup could include an electronic control unit (ECU) that will later be integrated with the vehicle and, for example, a radar sensor.
This type of test setup is referred to as hardware in the loop (HiL). Specialized test equipment can now address such scenarios. One example is the Keysight HiL-based system called the autonomous drive emulation (ADE) platform. It supports the testing of ADAS at the component and system levels. The test scenario is set up using a simulated environment, which implements a real-world situation all around the vehicle. This simulation is used to extract the required information to stimulate sensors such as cameras or radar units, and link to available communication channels, such as vehicle-to-everything (V2X). To extract the required information for sensors, such as radar or cameras during the test, ray-tracing technology can be used. We all have seen this in modern computer games. The goal is to determine how an object must be displayed on a viewing plane (i.e. the monitor in case of computer games) to recreate its appearance from a certain view point as it would be observed in the
THE WELL-KNOWN SAE LEVELS OF AUTOMATION FOR VEHICLES. LESS NEED FOR HUMAN INTERACTION AND AT TENTION AT HIGHER LEVELS OF DRIVING AUTOMATION BUT AN INCREASING DEPENDENCE ON SOPHISTICATED SENSORS.
eeworldonline.com | designworldonline.com
8 • 2021
DESIGN WORLD — EE NETWORK
21
AUTONOMOUS & CONNECTED VEHICLES
THE V DEVELOPMENT MODEL SPELLED OUT IN ISO 26262 CALLS FOR DRILLING DOWN FROM SYSTEMS TO SUBSYSTEMS TO MODULES DURING THE DESIGN PHASE, THEN PROGRESSING TO EVER MORE COMPREHENSIVE TESTING DURING DEVELOPMENT.
Consequently, another ray is traced from this tile to the light source. From the angles at which these rays hit the tile and from its material properties (e.g. its color), analysis can determine how this pixel must be displayed (e.g. color and brightness). This same algorithm can also be used for radar. The light source is the radar transmitter. The relevant material properties would be included, and spatial velocity would be factored in to calculate Doppler effects. Even so, the same principles apply.
HANDLING INHERENT PROCESSING DEL AYS real world. For a computer game, the relevant view point is the player in front of the monitor. When testing an ADAS system, it’s the location of the camera, radar, or any other kind of sensor. In a ray tracing simulation, the object is represented by a wireframe model in which the object surface is split into small triangular tiles, each having a flat surface. Sticking to the example of a computer game: For every pixel in the viewing plane (i.e. the monitor), the algorithm can draw a straight line (i.e. trace a ray) from a specified viewpoint (i.e. the anticipated position of the player in front of the monitor through the pixel to the object. This ray will strike one tile of the wireframe of the object. Additionally, for an object to be seen, it must be illuminated.
Modern graphics processing units (GPUs) provide hardware acceleration for ray tracing algorithms. Thus, they are great tools for providing the computing power this approach requires. However, there will always be a processing delay even for the fastest GPUs, which can become an issue. For example, assume it takes the ray-tracing algorithm 100 msec to deliver its data to a radar target simulator. This is the time needed for the algorithm to take a snapshot of the scene, perform its calculation, and present data to the radar. Now consider a typical urban traffic situation: Two cars approach each other and both are traveling at 50 km/h. That’s a relative velocity of about 28 m/sec, and within the 100-msec interval they have reduced the distance by 2.8 m. This is an easy scenario for an openAUTONOMOUS DRIVING EMUL ATION PL ATFORM (ADE) loop system to handle. It can be compared to HIGH-LEVEL ACHITECTURE — OVERVIEW watching a movie--it doesn’t matter if viewers perceive the data only after its recording. If other sensors are involved, then all are stimulated consistently. In other words, the processing delay must be the same for all the sensors to realize overall measurement synchronism. When the ADAS reaction is incorporated in the test, the closed-loop approach is necessary. Here, the simulation includes the vehicle reaction. For instance, if the ADAS decides to
A HIGH-LEVEL VIEW OF AN AUTONOMOUS DRIVING EMULATION PLATFORM. THROUGH INTEGRATION OF TIME-SYNCHRONIZED TESTING OF KEY SUBSYSTEMS, ADE SAVES TIME, MONEY, AND IMPROVES TEST COVERAGE COMPARED TO SINGLE-UNIT TESTING.
22
DESIGN WORLD — EE NETWORK
8 • 2021
eeworldonline.com
|
designworldonline.com
HARDWARE-IN-THE-LOOP TESTING
RAY TRACING
hit the brakes in an emergency, the vehicle slows. There is then an impact on the data sent to the radar. The loop is closed using an HiL system that also emulates other components within the car that do not relate directly to the ADAS. The latency issue is overcome via what’s called a nowcasting algorithm. For context, consider that weather forecasts use current data to predict what will happen in the future. In contrast, nowcasting employs outdated information – in this case data that is 100 msec old – to predict the current situation. This approach enables the simultaneous testing of an ECU, its software, and the real sensors. As
THE FUNDAMENTAL PRINCIPLE OF RAY TRACING. THE POINT OF RAY TRACING IS TO CREATE THE PATH THAT LIGHT WOULD TAKE IF IT WERE TO TRAVEL FROM THE EYE OF THE VIEWER THROUGH THE VIRTUAL 3D SCENE, INCLUDING LIGHT RAYS THAT BOUNCE FROM OBJECT TO OBJECT, WHICH IS WHAT THEY DO IN REAL LIFE. WITHIN A COMPUTER-BASED SIMUL ATION, RAY TRACING PRODUCES HIGHLY REALISTIC VIEWS OF MODELED OBJECTS.
explained above, the technique requires the simulation of several sensors and communication channels, not only in a synchronized way, but also with an algorithm (nowcasting) that compensates for the processing delay . With these requirements met, the ADE platform allows the testing of an ADAS from the component level on up to the sub-system level, long before a vehicle is tested on the road. The goal is to reduce the overall cost of testing while improving test coverage during early stage verification. Ultimately, this approach helps improve the performance of ADAS when deployed on public roadways.
REFERENCES KEYSIGHT TECHNOLOGIES, W W W.KEYSIGHT.COM
A T YPICAL URBAN DRIVING SCENARIO THAT CAN BE SIMUL ATED IS THAT OF T WO VEHICLES APPROACHING FROM OPPOSITE DIRECTIONS.
eeworldonline.com
|
designworldonline.com
8 • 2021
DESIGN WORLD — EE NETWORK
23
AUTONOMOUS & CONNECTED VEHICLES
NAVIGATING IN-VEHICLE NETWORK COMMUNICATIONS SECURELY HARDWARE SECURITY MODULES HELP THWART HACKERS BENT ON GETTING CONTROL OF EVs. TODD SLACK • MICROCHIP TECHNOLOGY
ROUGHLY HALF OF ALL new vehicles sold this year will be connected vehicles, and estimates are that figure will rise to around 95% by 2030. Those connections via Bluetooth, USB, LTE, 5G, Wi-Fi, and so forth have dramatically increased the attack surface that must be secured against hackers. The vehicle Controller Area Network (CAN bus) is a common target for hackers. Demonstrations have shown that hackers can exploit a bug in the Bluetooth protocol to gain access to the vehicle operating system. This attack vector, in turn, provided remote access to manipulate messages on the CAN bus. Modern vehicles can have up to 100 ECUs with many safety critical ECUs communicating on the CAN bus. The CAN bus uses a simple protocol that is inexpensive, extremely robust, and relatively immune to electric disturbance which makes for reliable communication among safety critical nodes. The downside is that for decades, there has been zero security in the protocol. Hackers who gain access can send spoofed messages and wreak havoc on in-vehicle communications. Some
examples include engaging or disengaging windshield wipers, turning off headlights, distracting the driver by manipulating audio, creating false instrument cluster alarms, incorrectly displaying speed, moving seats, or even driving the car off the road. The good news is that with the advent of CAN FD (FD stands for flexible data rate, specified in ISO 11898-1) there are additional bytes available in the message payload to add security. CAN FD includes a Message Authentication Code (MAC) to cryptographically verify the authenticity of the message, thereby filtering out any spoofed messages. There are two types of MACs to choose from: A hash-based HMAC or an AES symmetric key block cypher based CMAC. CMAC is implemented the overwhelming majority of the time. OEMs have been busy updating their cybersecurity specifications in response to the numerous hacks. Almost all OEMs now require safety critical ECUs to implement new cybersecurity requirements, and some
WELL-PUBLICIZED HACKS MAKE THE NEED FOR DEVICE SECURIT Y OBVIOUS.
THE INCREASE IN CONNECTED DEVICES BRINGS MORE INTEREST TO HACKERS
24
DESIGN WORLD — EE NETWORK
8 • 2021
eeworldonline.com
|
designworldonline.com
SECURE COMMUNICATIONS
TA100 PIN ASSIGNMENTS OEMs require that 100% of connected ECUs be upgraded. The foundational security block is to implement secure boot. Secure boot involves cryptographic verification that the boot and application code is unchanged and is in a trusted state at power-on. And verification is often repeated at a prescribed cadence once booted. A close second in security procedures is the requirement to support secure firmware updates. Of course, all software can be subject to bugs; so firmware bug patches that can be applied in the field are often a necessity. These firmware updates also require cryptographic security. Typically incoming firmware payloads encrypted with a symmetric (AES) key and signed with an asymmetric private key, most often Elliptic Curve Cryptography (ECC). (As a brief review, with a symmetric key, the same key is used to encrypt and decrypt the message. With asymmetric keys, two different keys, called the public and private keys, are used. ECC is based on the algebraic structure of elliptic curves over finite fields and allows use of smaller keys compared to non-EC cryptography.) The third addition in security evolution is message authentication. When an encrypted image is presented to the host controller, no action is taken until the signature of the payload is verified by the public ECC key embedded in the controller. Once the signature is verified, the image can be decrypted and the controller firmware upgraded with the bug patch or feature enhancement.
The first step of AES encryption is to put the data into an array. Then the cipher transformations are repeated over multiple encryption rounds. A round consists of several processing steps that include substitution, transposition and mixing of the input plaintext to transform it into the final output of ciphertext. There are 10 rounds for 128-bit keys, 12 rounds for 192-bit keys and 14 rounds for 256-bit keys. The first transformation in the AES encryption cipher is substitution of data using a substitution table; the second transformation shifts data rows, and the third mixes columns. The last transformation takes place on each column using a different part of the encryption key. Longer keys need more rounds to complete.
EV SECURITY Unique to the electric vehicle space is the growing need for battery authentication. Most battery packs are comprised of replaceable battery modules so a module that fails can be replaced without replacing the entire pack. Poorly designed modules can be safety hazards that cause vehicle fires. Thus ecosystem management is important; each module must be cryptographically
Pin name
Pin number
Function
CS
1
Chip select for SPI
RESET
2
Reset input, active low
GPIO_3
3
GPIO_3
VSS
4
Ground
SI
5
SPI Serial Data Input
SCK
6
SPI Clock
SO
7
SPI Serial Data Output
VCC
8
2.7V-5.5V Power Supply
THE TA100 CRYPTOAUTOMOTIVE SECURITY IC CAN BE FOUND IN SOIC-8, SOIC-14, AND VQFN-24 PACKAGES AND IS POWERED BY AN INTERNAL MCU RUNNING DEDICATED SOFTWARE LOADED INTO THE ROM AND NONVOLATILE MEMORY DURING CHIP MANUFACTURE. NONVOLATILE MEMORY IS USED FOR CERTIFICATE STORAGE AND SECRET/PRIVATE KEY STORAGE. THERE IS NO DIRECT ACCESS TO THE MEMORIES FROM THE EXTERNAL PINS OF THE DEVICE AND THERE IS NO AVAILABLE PROGRAMMING OR DEBUG INTERFACE.
TA100 BLOCK DIAGRAM
AES BASICS The Advanced Encryption Standard is a symmetric block cipher. A block cipher is a deterministic algorithm operating on fixedlength groups of bits called blocks. AES actually includes three block ciphers: AES128, AES-192 and AES-256. The numbers denote the number of bits in the key used to encrypt and decrypt a block of messages. Thus each cipher encrypts and decrypts data in blocks of 128 bits using cryptographic keys of 128, 192 and 256 bits, respectively.
eeworldonline.com
|
designworldonline.com
8 • 2021
DESIGN WORLD — EE NETWORK
25
AUTONOMOUS & CONNECTED VEHICLES
authenticated. Authentication verifies each module manufacturer has been vetted and approved by the OEM. Similarly, a module that does not cause fires but instead underperforms is equally bad. Poor performance can damage brand reputations, yet another reason to cryptographically verify who manufactured the module. You might wonder what it means to cryptographically verify a battery module. The process is accomplished by setting up customer-specific signing keys. The keys are used to provision devices with customer-specific x.509 certificate chains and a unique device-level certificate based upon a unique ECC key pair. (An X. 509 certificate is a digital certificate employing the international X. 509 public key infrastructure (PKI) standard to verify that a public key belongs to the entity contained within the certificate.) The provisioned device is mounted on each battery module. When a battery module is replaced within the pack the battery management system (BMS), also known as the battery gateway, will query the module for its unique X.509 certificate and verify the signature chains up to a trusted root. After signature verification, the module is challenged with the task of signing the associated private key. Successful completion proves knowledge of a secret without transmitting it on the bus or via RF. The use case at the module level stops there. Within the BMS, OEMs often require a more complex use case. The BMS/gateway is the communication point to the outside world providing routine battery health status reports to the cloud. So security for communication channel with the cloud may be expanded to include secure boot, secure firmware update, and Transport Layer Security (TLS, a standard protocol providing authentication, privacy and data integrity between two communicating computer applications ). The security implementations discussed here require secure key storage which can only happen via true hardware-based security. It can be easy to extract keys from standard microcontrollers, and even from many claiming to be “secure microcontrollers,” via standard attacks through micro-probing (attaching microscopic needles on the internal wiring of a chip), fault injection (by creating voltage glitches, clock glitches, injecting a temporal fault during a cryptographic operation with a laser module, etc.), electromagnetic side channel attacks (performing signal analysis on the electromagnetic radiation the device emits) , temperature/power cycling/supply glitching, and timing attacks, to name a few. It is important to select the right device for cryptographic heavy lifting and to protect the keys against these sorts of attacks. Specialized security devices come in a variety of architectures. They have varying terminology like Hardware Security Modules (HSM) both on-die and external, secure elements, secure storage subsystems, key vault, smartcards, etc. All these devices must include tamper protection against the aforementioned attacks to prevent access to the keys in their secure memory.
26
DESIGN WORLD — EE NETWORK
8 • 2021
THE TA100 8-PIN SOIC MIKROBUS -COMPATIBLE SOCKET BOARD HELPS DEVELOP SYSTEMS EMPLOYING TA100 HSMS. THE TA100 SECURE ELEMENTS ARE ONE-TIMEPROGRAMMABLE DEVICES. HAVING A SOCKET BOARD ALLOWS DEVELOPERS TO REUSE THE BOARD WITH MULTIPLE TA100 SAMPLE DEVICES FOR A GIVEN APPLICATION OR FOR MULTIPLE DIFFERENT APPLICATIONS. THE 8-PIN SOIC SOCKET BOARD IS CAPABLE OF BEING USED WITH VERSIONS OF THE TA100 DEVICE HAVING I2C AND SPI INTERFACES.
WHEN IS SECURITY GOOD ENOUGH? The best way to prove security worthiness is to submit the secure device to a third-party for a vulnerability assessment. The third-party should be accredited by a trustworthy source like the National Institute of Standards of Technology (NIST) recognized in North America, the Federal Office for Information Security (BSI) in Germany, or the globally recognized Senior Officials Group Information Systems Security (SOGIS). SOGIS-accredited labs use a globally recognized Joint Interpretation Library (JIL) vulnerability assessment scoring system which requires a “white box” assessment. The submitting IC vendor must provide the lab documentation on the device design. The documentation includes data-flow, sub-system, memory map definition, hardware and firmware start-up sequence, description of security protection mechanisms, full datasheet, security and bootloader guidance documentation, all code available (RTL and C level, crypto library, FW), algorithm implementations, programming scripts, communication protocol, die layout, and source code. The lab reviews all documentation and maps out a plan of attack against the submitted sample devices. The scoring system allots points based on how long it takes to extract a secret key, the level of expertise required (recent college grad
eeworldonline.com
|
designworldonline.com
SECURE COMMUNICATIONS
up to multiple experts), knowledge of the target of evaluation (TOE), access to the TOE (how many sample devices to perform a successful attack), hacking equipment complexity and cost, and ease of access to samples. JIL scores begin with no rating and progress to Basic, Enhanced Basic, Moderate, and High being the best achievable score. Anything below JIL High means the lab was able to extract private key(s) from the device. Devices like Microchip’s CryptoAutomotive TrustAnchor100 (TA100) external HSM which have received a score of JIL High, are able to withstand attacks for more than three months of attack, at which point the lab declares the device “not practical” to attack. On die or off die, that is the question. On-die solutions like 32-bit dual-core MCUs can represent an expensive upgrade to previousgeneration ECU tasks perfectly well served by a standard MCU before true security became mandatory. Dual-core MCUs can also introduce significant development delays given the requirement to completely rearchitect the application code. It can be extremely risky to take on the security code development in-house and cost prohibitive to pay a thirdparty. It can also be difficult for Tier 1 suppliers to deploy the solution across multiple types of ECUs given that each type can have varying performance and peripheral requirements.
This is where external HSMs or companion secure elements can significantly reduce the security upgrade burden. They can be added to a standard MCU in an existing design or be bolted onto all new designs with different host MCU requirements. External HSMs like the TA100 come pre-provisioned with all security code, keys and certificates. External HSMs are easily portable to any MCU given the associated crypto-library that is MCU agnostic. With today’s connected cars and heavy in-vehicle network communications traffic, the need for automotive security clearly stretches far beyond car alarms. With safety and brand reputation at stake, it is as important as ever to select truly secure devices vetted by third parties when upgrading ECUs to satisfy the plethora of new OEM cybersecurity specifications.
REFERENCES MICROCHIP TECHNOLOGIES TA100, HTTPS://WWW.MICROCHIP.COM/WWWPRODUCTS/EN/TA100
AUGUST. 10. 2021 3D PRINTING ACTIVE ELECTRONIC MEDICAL DEVICES
MICHAEL C. MCALPINE
featuring
Kuhrmeyer Family Chair Professor UNIVERSITY OF MINNESOTA, DEPARTMENT OF MECHANICAL ENGINEERING
AUTONOMOUS & CONNECTED VEHICLES
AUTOMOTIVE LIDAR SLIDES DOWN THE COST CURVE LELAND TESCHLER, EXECUTIVE EDITOR
IT LOOKS AS THOUGH TECHNIQUES NOW EMERGING FROM RESEARCH LABS WILL HELP MAKE IT AFFORDABLE FOR NEXT-GENERATION AUTONOMOUS VEHICLES TO KEEP OUT OF HARM’S WAY.
THERE’S A DIRTY LITTLE SECRET associated with the autonomous vehicle (AV) prototypes now feeling their way along roads and byways: Many of them depend on expensive lidar (light detection and ranging) sensors to detect and avoid objects in their path. One reason lidar units are expensive is that most commercial units scan the scene with lasers by means of rotating mirrors. The rotation mechanisms can be intricate and tough to mass produce economically. This is why early AV demonstrations used lidar units costing several times more than the cars on which they were installed. Prices have come down from the early days, but lidar having the range and resolution needed for vehicular use remains pricey. Consequently, there is a quest to come up with ways of deploying vehicular lidar that eliminate the costly rotating mechanics. In this regard, several start-up firms have devised methods of scanning lasers across a field of view that are completely solid state. Their first target is to field a solid-state lidar going for below $500. Eventually they see lidar units costing half that figure. Two techniques in particular are under intense development: OPA (Optical Phase Array) technology is borrowed from phased-array radar where different phase-shifted versions of a single radiator get fed to an antenna array. Superposition arises when the signals are in-phase; cancellation takes place for out-of-phase signals. The second technique, FMCW (Frequency Modulated Continuous Wave) technology, differs from ordinary pulsed radar in that it continuously transmits a signal whose frequency changes linearly over time. The returning echos can be readily processed to not only provide the distance of the object creating the echo but also its relative velocity. Both methods have their strengths. To understand the differences, it is useful to examine specific implementations now under development in research labs.
28
DESIGN WORLD — EE NETWORK
8 • 2021
IN PHASED ARRAY RADAR, A SIGNAL FROM A SINGLE SOURCE FEEDS TO AN ARRAY OF ANTENNAS EACH FED BY A DEL AY LINE. THE SYSTEM L AUNCHES A WAVEFRONT AT SOME ANGLE TO THE ARRAY BY VARYING THE DEL AYS IN THE DEL AY LINES TO CAUSE CONSTRUCTIVE INTERFERENCE AND PRODUCE A WAVEFRONT AT A DESIRED ANGLE. IN LIDAR, THE SIGNAL SOURCE IS A L ASER. THE DEL AY LINES TAKE THE FORM OF MATERIALS WHOSE INDEX OF REFRACTION CAN BE DYNAMICALLY CHANGED. THE ANTENNAS ARE NANOPHOTONIC EMITTERS.
eeworldonline.com
|
designworldonline.com
ECONOMICAL LIDAR
TOP LEFT, A PHOTONIC EMIT TER AND THERMALLY CONTROLLED DEL AY LINE L AYOUT UNDER DEVELOPMENT BY ANALOG PHOTONICS, BOSTON. RIGHT A SEM IMAGE OF A PORTION OF THE OPA CHIP.
WHY LIDAR AND NOT RADAR? A typical requirement for AV systems is that they discern two separate objects in close proximity, such as a construction worker and a bridge column, that are 200 m away. That kind of performance demands an AV system able to resolve features with 20-cm dimensions at that distance. In radar or lidar, the factor that limits resolution is the degree to which waves spread as they travel from the source to the target and back. It turns out that 60-GHz automotive radar can at best resolve objects having dimensions exceeding 5 m sitting 100 m from the car. Even at that resolution, the size of the radar source becomes impractically large. In contrast, lidar, operating at around 200 THz, (about 1,500 nm wavelength) can employ a source having dimensions on the order of 1.5 mm. Thus resolution considerations favor the lidar approach. Additionally, the need to dissipate heat generated by the imaging system also favors the use of laser light rather than radar signals. Lidar systems generally scan a laser around the scene they digitize. The scanning mechanism is where much of the cost of existing systems arise. Solid-state lidar eliminates the mechanical scanning through three general approaches: flash lidar, MEMSbased mirrors, and optical phased arrays. Flash lidar illuminates the entire field of view with a wide diverging laser beam in a single pulse—thus there is no need to scan the laser across the scene. Each pixel in a sensor array collects 3D location and intensity information from the returning reflections. Flash lidar is advantageous when when the camera, scene, or both are moving because it eeworldonline.com | designworldonline.com
illuminates the entire scene instantaneously. A difficulty with the scheme is that it requires a powerful burst of laser light to reach the range necessary for automotive use. The wavelength used must be such that high levels do not damage human retinas. But inexpensive silicon imagers don’t work well in the eye-safe spectrum. So rather pricey gallium-arsenide imagers must be used instead. MEMS systems use mirrored surfaces of silicon crystals to scan lidar lasers around a scene. Piezoelectric materials or electromagnetic fields are used to move the MEMS mirrors, eliminating the need for discrete mechanical parts. One difficulty with MEMS-based approaches is that the mirrors may need relatively large dimensions to illuminate scenes with enough laser light for the range automotive systems require. The resulting resonances can make MEMS mirrors susceptible to the shock and vibration frequencies that characterize vehicles. It may also be tough to keep the MEMS-reflected laser beam sufficiently focused to handle the ranges required for automotive needs. So aspheric lenses may be needed that add to costs. OPA lidar uses a series of nanophotonic antennas each fed from a phase shifter creating a delayed version of a signal from a single laser. The point of the phase delays is to create an interference pattern that effectively scans the laser across the field of view. Specifically, a typical OPA scheme would launch one undelayed laser beam, a second that is slightly delayed, a third that is delayed a bit more, and so on. The result is a wavefront that is launched at some angle to the array. The launch angle is varied by changing the 8 • 2021
IN DIRECT TIME-OF-FLIGHT LIDAR, THE SYSTEM EMITS SHARP LIGHT PULSES AND GAUGES DISTANCES BASED ON THE TIME OF REFLECTIONS. THE VELOCIT Y OF OBJECTS IN THE FIELD OF VIEW CAN BE GAUGED BY MAKING FRAME-TO-FRAME COMPARISONS. IN FREQUENCY MODUL ATED CONTINUOUS WAVE LIDAR, THE SYSTEM EMITS A CONTINUOUS WAVE WHOSE FREQUENCY IS MODUL ATED IN ONE OF SEVERAL WAYS. THE SYSTEM ANALYZES ECHOS FOR A PHASE SHIFT DETERMINED BY THE DISTANCE FROM THE DISTANCE FROM THE OBJECT AND FOR A DOPPLER SHIFT CAUSED BY AN OBJECT’S RADIAL VELOCIT Y.
DESIGN WORLD — EE NETWORK
29
AUTONOMOUS & CONNECTED VEHICLES
amount of delay in the optical delay lines. OPA uses principles first devised for phased-array radar. In phased-array radar, radar beams are steered by use of electronically controlled signal delay lines. The delay lines can be realized via varactor diodes that change capacitance with voltage, nonlinear dielectrics such as barium strontium titanate, or ferroelectric materials such as yttrium iron garnet. In OPA lidar, the delay lines take the form of tunable phase shifters. The phase shifters are built from material whose index of refraction can be changed dynamically. (Changing the index of refraction changes the velocity of light through the material, thus implementing a delay line.) There are several ways of changing the index of refraction in the phase shifters. One widely used technique employs waveguide material whose index of refraction is sensitive to heat. OPAs may also use more exotic approaches to implement a delay such as cycling light waves through the waveguide multiple times. Optical delay lines allow OPAs to scan a laser across a field of view in one plane. But OPAs can also implement scanning on multiple planes in the manner analogous to a raster pattern. There are various means of accomplishing this 2D scanning, but one straightforward approach is to change the frequency of the laser light for each swept plane. Another strategy is to simply stack multiple OPAs and use multiple laser beams. One difficulty with OPA is that the approach typically entails significant computational complexity. OPAs with enough horsepower to handle automotive uses could include on the order of 10,000 phase shifters, each with its own control circuits. Power consumption can also be an issue if phase shifting employs thermal methods. However, firms working on OPA designs say neither of these issues are show stoppers. One in this camp is Quanergy Systems, Inc. in Sunnyvale, Calif. Quanergy makes both mechanical lidar for mapping, security, and smart city and smart space applications, and OPA lidar for industrial uses and people-flow management. It also is developing OPA lidar for vehicular use. Quanergy CTO Tianyue Yu says the firm’s OPA design uses thermo and electro-optical phase shifting. In its current commercial products, Quanergy’s OPA emitters scan left-to-right to form a 2D pattern in horizontal axis. Multiple
30
DESIGN WORLD — EE NETWORK
OPA emitters stack together to comprise the 3D scan. Yu says Quanergy also has an OPA design in development where the beam can scan both left-to-right and top-to-bottom. She further points out that the beam can be pointed at any angle within the field of view so the pattern traced out isn’t limited to a leftto-right sequential scan. This behavior makes possible a “dynamic zoom” feature unique to OPA lidar wherein the system can respond intelligently to focus in on areas within the field of view that merit a closer look. The “dynamic zoom” function allows higher resolution or a high frame rate in regions of interest based on situational awareness without ignoring other regions of the field of view. Also, there could be multiple regions of interest depending on the environment. Moreover, it doesn’t take cutting-edge chip fab technology to realize such features. Yu says the OPA detector is fabbed in Singapore while TSMC in Taiwan handles the emitter. The detector IC occupies 1.5 cm2. It is characterized by feature dimensions in the tens-of-microns range. Yu also says the detector asic is not “super fast,” and all chip fabrication processes that go into the OPA are very mature. Quanergy uses a laser operating at 905 nm (dubbed the near-infrared range) so the OPA can employ silicon-based light detectors and for compatibility with CMOS circuitry. Economics dictate operation at this wavelength: Some OPAs use 1,550-nm (shortwave infrared) wavelengths which require use of more expensive indium-gallium-arsenide (InGaAs) detectors. The advantage of the longer wavelength is a higher maximum permissible energy level while remaining eye safe.
DOPPLER LIDAR? Most lidar, including Quanergy’s OPA units, use time-of-flight (ToF) to detect objects. All ToF sensors measure distances using the time elapsing for photons to travel from the sensor emitter to a target and back to the sensor receiver. There are two types of ToF schemes, direct and indirect. Direct ToF sensors emit light pulses on the order of nanoseconds and measure the time elapsing for some of the emitted light to return. Indirect ToF sensors send out continuous, modulated light and measure the phase of the reflected light to calculate the distance.
8 • 2021
A QUANERGY OPA LIDAR USED FOR GAUGING PEOPLE TRAFFIC THROUGH DOORS. THESE ARE COMMERCIAL DEVICES HAVING RANGES OUT TO A FEW METERS. QUANERGY SAYS THERE ARE SUCCESSORS TO UNITS NOW ON THE DRAWING BOARD FOR AUTOMOTIVE APPLICATIONS.
The short light bursts that direct ToF systems employ typically minimizes the effect of ambient light and the effect of motion blur. The duty cycle of the illumination is also brief, leading to a low overall power dissipation. It is also possible to avoid interference from other pulsed ToF systems by judicious timing of the pulse bursts, perhaps via dynamic randomization of the pulse bursts. But because the pulse width of the transmitted light and the shutter must be the same, the system may need a precision measured in picoseconds. Similarly, illumination pulse widths are necessarily short with fast rising/falling edges (<1 nsec), putting a premium on a well-designed laser driver. The light indirect ToF sensors generally emit is a single modulated frequency in the manner of a modulated carrier wave. The principle of operation uses the fact that the frequency of the wave determines the distance over which the emitted wave completes a full cycle. When an object reflects the modulated light, the sensor detects the shift in the phase of the returning light. Knowing the frequency of the emitted light, the phase shift of the returning light, and the speed of light allows the sensor to calculate the distance to the object. The disadvantage of indirect ToF is the possibility of range ambiguity. Because the illumination signal has periodicity, any phase measurement will wrap around every 2π, thus leading to aliasing. For a system with only one modulation frequency, the aliasing distance will also be the maximum measurable distance. Multiple modulation frequencies can be used to
eeworldonline.com
|
designworldonline.com
ECONOMICAL LIDAR
solve the problem, with the true distance of an object determined when multiple phase measurements with different modulation frequencies agree on the estimated distance. This multiple modulation frequency scheme can also be useful in reducing multipath errors when the reflected light from an object hits another before returning to the sensor. ToF lidar is known for its ability to figure out the distance to the objects it illuminates. However, it can also be used to figure out the velocity of the objects in its field of view by comparing object locations in subsequent frames. The requirement for synthesizing this velocity information is a super-precise time base. There is another radar technique more specifically designed to yield velocity information. A few firms are applying the same technique to lidar, sometimes dubbing it 4D lidar because of the information it provides based on velocity. FMCW (Frequency-Modulated Continuous Wave) radar radiates a continuous wave but change its operating frequency during the measurement. The point of the FM in FMCW is to generate a time reference for measuring the distance of stationary objects. The transmitted signal increases or decreases in frequency periodically. When the detector receives an echo signal, it compares the phase or frequency of the transmitted and the received signal. The comparison gives a distance measurement because the frequency difference is proportional to the
distance. If the reflecting object has a radial speed with respect to the receiving antenna, the speed gives the echo a Doppler frequency. The radar measures both the difference frequency caused by the distance and the additional Doppler frequency caused by the speed. The kind of frequency or phase modulation the radar uses generally depends on the velocities expected in the objects being imaged. The frequency deviation per unit of time basically determines the radar resolution. A point to note is the FMCW approach is good at providing the instantaneous radial velocity (toward or away from the detector) of the objects it images. FMCW lidar is a relatively new technology; it is not clear how advantageous it may at sensing lateral (tangential or side-toside) velocity as from cross traffic, pedestrians, and so forth.
REFERENCES ANALOG PHOTONICS, HTTPS://WWW.ANALOGPHOTONICS.COM/ QUANERGY, HTTPS://QUANERGY.COM/
CONNECT WITH US! CHECK US OUT on ISSUU.COM!
eeworldonline.com Lidar — ACV HB 08-21.indd 31
7/30/21 3:39 PM
AUTONOMOUS & CONNECTED VEHICLES
R A L P H B U C K I N G H A M , WAY N E S T E WA R T • I N T E R T E K
| Courtesy of Adobe Stock
ASSESSING SAFETY AND PERFORMANCE IN CONNECTED CARS TESTING AND CERTIFICATION FOR VEHICLE AND INFRASTRUCTURE DEVICES ENSURE SOFTWARE AND SYSTEMS WILL PERFORM AS ADVERTISED.
AS CONSUMERS LOOK TO
connect their cars,
the technology behind these vehicles and their various connected components is evolving far more quickly than standards governing them can change. Consequently, manufacturers and developers sometimes lack clear standards or requirements when assessing vehicle subsystems and individual components. Instead, they are often on their own when it comes to testing. Fortunately, there are several rules of thumb, guiding principles, and certifications that can be used.
32
DESIGN WORLD — EE NETWORK
8 • 2021
Developers can evaluate systems and components via several methods and in a number of locations. Each offers its own benefits and drawbacks, so it is important to consider what will work best for the product or device in question. The following environments, or a combination of them, may be in order: Laboratory testing: A lab allows for rigorous testing in a highly controlled environment. Here, engineers can evaluate products for safety, interoperability, functionality, connectivity, electromagnetic compatibility, overall eeworldonline.com
|
designworldonline.com
CERTIFICATION TESTING
performance, and controlled environmental exposure to elements such as UV, dust, water intrusion, and more. On-road testing: Testing on the road brings real-world conditions (and often unexpected and random situations) like weather, geography, light, infrastructure, other vehicles, drivers’ actions and more. These tests can assess safety and performance over an extended period and provide a realistic view of a product’s lifespan and functions. Proving-ground analysis: Testing on a proving ground acts as a combination of lab and on-road testing. It evaluates products in a real-world environment via a predictable, safe, and controlled setting. This method ensures specific elements are included in the evaluation such as direct sunlight, weather conditions, tunnels, on-ramps, and other potential obstacles. A proving ground can also allow testing to mimic real-world environments and applications, depending on the design and capability of the facility. A thorough testing plan will integrate multiple environments and provide robust data as well as actionable results. For example, after initial proving ground testing, a product may be brought to a lab for an accelerated stress test to determine the breaking or weak points of the design (if any). Then, subsequent proving ground work can illustrate how the lab tests affected the product. All this information can be combined to identify pain points and mitigation efforts for product development, safety and performance.
INTEROPERABILITY When connected systems interact with each other, it is important to ensure they exchange information without degrading performance or function. Interoperability assessments help guarantee these systems form an integrated ecosystem within the vehicle, communicating with one another seamlessly. Testing cars and components for interoperability ensures they will work together without sacrificing performance. While the industry understands the need to ensure interoperability, today there is no standard to fully address it. So a common technique used in management systems has been adopted to assess connected device interoperability. It is a four-stage “Plan, Do, Check, Act” approach, providing an assessment methodology: eeworldonline.com | designworldonline.com
Plan: Identify improvement opportunities within a product and its systems. Use this information to identify and mitigate risk, develop an action plan, and address issues. Do: At this stage, conduct evaluations and assessments, collect analytics and data, and document issues and failures. It is important to keep all the information on hand for future use, whether for a redesign of the current product or for future development. Check: Review and analyze results from the previous stages, evaluate current processes and determine causes of failures. Use this information to determine whether interoperability goals are met or whether improvements and corrections have worked. As with other steps, documentation is important. Act: Based on the previous observations and failures, implement changes. If problems persist, return to the “Plan” and “Do” phases until interoperability goals are met. Continue to reiterate the PDCA process until a product meets interoperability requirements. One of the most effective ways to test for interoperability is to place products in a simulated environment and check for operational problems, as well as for how other devices in a system impact each other. On-road or proving ground testing help in assessing interoperability. Lab testing will also be important because software compatibility is a vital component of interoperability.
CYBERSECURITY Like any connected product, cars and their components can have cybersecurity vulnerabilities. There are several ways manufacturers can mitigate cybersecurity risk in connected cars: Develop and/or use certified products that are correctly configured. This tactic can help ensure products and components have undergone rigorous security evaluation against trusted industry standards. It will also aid in identifying security flaws early in development, reducing mitigation costs later. Obtain certification of information security management systems. An information security management system can preserve the confidentiality, integrity and availability of information by applying a risk- management process to the design of processes, information systems, and controls. 8 • 2021
Employ threat risk analysis and risk assessments (TARA), vulnerability assessments and penetration testing. Risk analysis and assessments can indicate weak points and establish fixes. Vulnerability assessments can identify latent vulnerabilities and recommendations for improvement. Pen testing illustrates how vulnerabilities can be exploited. All three can take place together or separately, depending on need. Conduct supply chain assurance assessment and certification. One compromised link within a supply chain can affect many organizations. These checks can prevent maliciously tainted and counterfeit products from entering the supply chain. Connected cars must interact with each other, the infrastructure, and other smart devices. It is important in this rapidly changing industry is to stay abreast of connected vehicle technology, threats, and consumer demands. As technology evolves, standards will begin to follow. Education and preparation help ensure the safety and performance of automated and connected vehicles.
REFERENCES INTERTEK WWW.INTERTEK.COM CONNECTED CAR TRENDS WWW.FORTUNEBUSINESSINSIGHTS.COM/ INDUSTRY-REPORTS/CONNECTED-CARMARKET-101606
DESIGN WORLD — EE NETWORK
33
AUTONOMOUS & CONNECTED VEHICLES
CONTACTLESS SENSING IN THREE DIMENSIONS FOR ADAS NO-TOUCH SENSOR ICs THAT MEASURE MAGNETIC FIELDS IN THE X, Y, AND Z PLANES HAVE BEEN OPTIMIZED FOR USE IN VEHICULAR APPLICATIONS. TYLER HENDRIGAN, FABIAN WINKLER • ALLEGRO MICROSYSTEMS
ADVANCED
driver-assistance
PL ANAR AND VERTICAL HALL ELEMENTS
systems (ADAS) have existed for well over 20 years. Many of their individual components have already become afterthoughts for drivers and are now considered a normal part of the driving experience; anti-lock braking, traction control, and tire pressure sensors are all in this category. Newer examples include parking assist, blind spot monitoring, adaptive cruise control, backup cameras, and so forth. Three-dimensional magnetic sensing is particularly useful for many of the more safety-critical systems such as those for braking, sensing pedal position, throttle, gear shift position, and more. Over the last 70 years, magnetic Hall-effect sensor technology has adapted to suit the needs of various applications. While the simplest sensors typically use a planar Hall element to measure a magnetic field orthogonal to the sensing element, 2D angle sensors use vertical Hall elements to detect a magnetic field parallel to the PCB. Three-dimensional magnetic products combine both vertical and planar technologies to sense a magnetic field in all three dimensions. The advances in IC design that make 3D Hall sensors possible allow the creation of vertical Hall elements sensitive to magnetic fields parallel to the plane of the IC. They function under the same principles as planar Hall
34
DESIGN WORLD — EE NETWORK
PL ANAR HALL ELEMENTS ARE CONSTRUCTED ACROSS THE LENGTH AND WIDTH OF THE DIE (IN-PL ANE). VERTICAL HALL ELEMENTS ARE CONSTRUCTED FROM BOTTOM TO TOP ALONG THE DEPTH OF THE CHIP. ADVANCES IN IC DESIGN AND FABRICATION ALLOW THE CREATION OF VERTICAL HALL ELEMENTS SENSITIVE TO MAGNETIC FIELDS PARALLEL TO THE PL ANE OF THE IC. THEY FUNCTION UNDER THE SAME PRINCIPLES AS PL ANAR HALL ELEMENTS, WHICH ARE SENSITIVE ONLY TO MAGNETIC FIELDS PERPENDICUL AR TO THE PL ANE OF THE IC. THIS Z-A XIS SENSITIVIT Y IS NOT ALTERED BY THE SENSOR IC ORIENTATION OR ROTATION. THREE-DIMENSIONAL HALL ICS WITH THREE SENSING ELEMENTS CAN SENSE IN MULTIPLE SPATIAL DIMENSIONS.
8 • 2021
eeworldonline.com
|
designworldonline.com
CONTACTLESS SENSING THE ANGLE OF AN APPLIED FIELD CAN BE CALCUL ATED USING MAGNETIC DATA FROM T WO A XES OF A 3D HALL SENSOR CALLED THE ALS31300 AND A FOUR-QUADRANT ARC TANGENT FUNCTION. FOR THIS EX AMPLE, A DISC MAGNET IS MAGNETIZED DIAMETRICALLY. THE DRAWINGS SHOW REFERENCE ORIENTATIONS OF PUCK MAGNETS AND THEIR POLES COMPARED TO THE X, Y, AND Z A XES OF THE ALS31300. IN THE LEFT ORIENTATION, THE MAGNET IS ROTATING AROUND THE Z A XIS, AS INDICATED BY THE WHITE ARROW, WHILE SENSING MAGNETICS WITH X AND Y. IN THE ORIENTATION ON THE RIGHT, THE MAGNET IS ROTATED ABOUT THE Y A XIS, WHILE USING X AND Z CHANNELS TO SENSE. THE THIRD ORIENTATION CAN BE USED WITH A MAGNET ROTATING AROUND THE X A XIS AND SENSING WITH Y AND Z.
elements, which are sensitive only to magnetic fields perpendicular to the plane of the IC. Planar Hall elements are constructed across the length and width of the die (in-plane). Vertical Hall elements are constructed from bottom to top along the depth of the chip. Thus 3D Hall sensors are a combination of vertical and planar Hall elements. Newer 3D sensor technology operates over a -40 to 150°C range. Rotary sensing applications for 3D magnetic sensors include knobs, dials, joysticks, and any internal position components, such as throttle and pedal position. Consequently, 3D sensors are often found in driver comfort and entertainment systems. Linear applications can include pressure sensors and positional
sensors for items such as automotive leverbased solutions, brake cylinders, etc. Many systems that include magnetic sensors have tight space constraints. One of the advantages of 3D magnetic sensors is in the flexibility of placement. If there isn’t enough space near the magnet, the sensor can be repositioned to sense movement farther away or from a different location. These options may help ease concerns about PCB design constraints. In some cases, 3D sensors can help reduce the total PCB size because designers can adjust the IC orientation as needed. A notable improvement in new updated 3D sensors for linear applications is angle calculation. The ability to calculate angles helps allow for dynamic air-gap changes and
makes possible longer ranges of motion for a given magnet length. Three-D magnetic sensing can handle larger air gaps than circular vertical Hall (CVH) technology. It is now common for vehicle firmware to be updated via over-the-air (OTA) downloads. This kind of updating can also extend to sensors. For example, many newer Allegro MicroSystems sensors allow EEPROM programming directly through the microprocessor. Low-voltage programming through sensor outputs regardless of the interface (e.g., analog, SAE J2716 SENT, PWM, I2C), allows direct programming by a microcontroller in embedded designs and simplifying the interface for end-of-line system calibration.
It’s not a web page, it’s an industry information site So much happens between issues of R&D World that even another issue would not be enough to keep up. That’s why it makes sense to visit rdworldonline.com and stay on Twitter, Facebook and Linkedin. It’s updated regularly with relevant technical information and other significant news for the design engineering community.
rdworldonline.com Allegro — ACV HB 08-21.indd 35
7/30/21 3:45 PM
AUTONOMOUS & CONNECTED VEHICLES ALS31300 FUNCTIONAL BLOCK DIAGRAM This low-voltage programming option also opens up new system architectures with remote field-replaceable sensor module designs that can be programmed by the electronic control unit (ECU). In the case of torque and angle sensors, this facility simplifies the servicing of electric power steering systems when sensors are recalibrated after the service is complete. In contrast, it takes approximately 15~16-V signals to program the EEPROM in several competing sensor technologies. These levels can damage other components in the system unless protection diodes are built in at added cost. Advances in magnetic sensing technology now sometimes let a single part take the place of multiple previous-generation components. Besides reducing assembly costs, these advances tend to reduce stray fields and lower system wear. In automotive entertainment interfaces, for example, joysticks and dials/knobs may now employ a single contactless sensor. Designers increasingly look for devices that are self-contained and able to monitor themselves for accuracy and battery use. Some higher-end devices work especially well in the automotive market because they can handle higher supply voltages and can be offered in both single-die and dual-die versions. This practice allows for redundancy in tasks that need ASIL B and ASIL D ratings. Following Safety Element out of Context (SEooC) functional safety guidelines, the A31315 sensor supports ASIL-B (single die) and ASIL-D (dual die) systemlevel integration in accordance with ISO 26262 and is automotive qualified to AEC-Q100 Grade 0. The 3DMAG line of 3D magnetic sensors incorporate newly integrated features like CORDIC algorithms and linearization. CORDIC, coordinate rotation digital computer, is a hardware-efficient iterative method which uses rotations to calculate elementary trigonometric, hyperbolic, exponential, and other functions. CORDIC is commonly used when no hardware multiplier is available as it only requires additions, subtractions, bit-shifts and lookup tables. CORDIC is generally faster than other approaches when a hardware multiplier is not available or when it’s necessary to minimize the number of gates. Individual sensors increasingly perform calculations that are otherwise managed centrally, potentially enabling the use of lower-cost ECUs.
REFERENCES ALLEGRO MICROSYSTEMS, ALLEGROMICRO.COM
36
DESIGN WORLD — EE NETWORK
ALS31300 TYPICAL APPLICATION CIRCUIT
AN EX AMPLE OF A 3D HALL SENSOR IS THE ALS31300 3DMAG POSITION SENSOR IC WHICH PROVIDES A 12-BIT DIGITAL VALUE CORRESPONDING TO THE MAGNETIC FIELD MEASURED IN EACH OF THE X, Y, AND Z A XES. THE ALS31300 IS PRECONFIGURED FOR USE IN 3D SENSING APPLICATIONS FOR HEAD-ON LINEAR MOTION, SLIDE-BY POSITION SENSING, AND ROTATION ANGLE MEASUREMENTS. THE CHIP IS ALSO OFFERED IN JOYSTICK MODE, INCLUDING A LOW-GAIN OPTION FOR THE Z-A XIS CHANNEL. THIS FEATURE ENABLES THE USE OF A BACK-BIAS MAGNET TO PROVIDE RETURN-TOZERO FORCE INSTEAD OF TRADITIONAL SPRING -BASED SOLUTIONS. THREE DIFFERENT FACTORY-PROGRAMMED SENSITIVIT Y RANGES ARE AVAIL ABLE: ±500 G, ±1,000 G, AND ±2,000 G. THE I2C ADDRESS OF THE ALS31300 CAN BE SET EITHER BY EXTERNAL RESISTORS (16 UNIQUE ADDRESSES) OR PROGRAMMED INTO EEPROM VIA I 2 C (127 UNIQUE ADDRESSES), ALLOWING FOR MULTIPLE DEVICES ON THE SAME BUS.
8 • 2021
eeworldonline.com
|
designworldonline.com
Focused.
Informed.
Actionable.
Learn more about upcoming sessions at roboweeks.com
AUTONOMOUS & CONNECTED VEHICLES
NIST TAKES AIM AT
POSITIONING SYSTEM SECURITY A NEW REPORT GIVES GUIDANCE ON CYBERSECURITY FOR POSITIONING, NAVIGATION, AND TIMING SERVICES.
THE
National Institute of Standards
and Technology recently came out with a set of guidelines called the Foundational PNT Profile (NISTIR 8323). The document is billed as a voluntary tool that can help organizations increase resilience through responsible use of PNT (position, navigation, and timing). NIST defines “responsible” use as deliberate, risk-informed use of PNT services. The definition covers PNT acquisition, integration, and deployment, such that disruption or manipulation of services minimally affects national security, the economy, public health, and the critical functions of the Federal Government. The report consists largely of tabular guidelines organized to promote application of the Foundational Profile to unique missions, business environments, and technologies and thereby create or refine a security program that will include the responsible use of PNT services. NIST created the PNT Profile by applying the NIST Cybersecurity Framework (CSF). The Cybersecurity Framework is a set of guidelines aimed at helping private sector companies be better prepared in identifying, detecting, and responding to cyber-attacks. NIST points out that five key considerations consistently emerge from the PNT profile document:
38
DESIGN WORLD — EE NETWORK
NIST SAYS THE PNT PROFILE CAN BE USED AS A FOUNDATION FOR BUILDING A CUSTOM PROFILE AS DEPICTED HERE. A CUSTOM PROFILE CAN BE BUILT USING THE BUSINESS OBJECTIVES, THREAT ENVIRONMENT, REQUIREMENTS, AND CONTROLS AS INPUTS
Make sure you’ve accounted for all devices and systems that somehow touch PNT services and hosts that use PNT services. The use of PNT data may not be obvious. Incorporate alternate PNT sources and ensure systems can fail-over to these alternates in the event of a disruption. Though it may seem obvious, it’s important to implement procedures that detect PNT data manipulation, disruption or other relevant cybersecurity events. Comparison 8 • 2021
of multiple complementary sources and communication paths for PNT may help detect manipulation of PNT services. Also in the relatively obvious category, develop policies, procedures, and plans to respond to a disruption or manipulation of PNT services. Develop recovery plans to restore systems affected by a PNT service disruption or manipulation to a proper working state. NIST says the CSF provides prioritized, eeworldonline.com
|
designworldonline.com
POSITIONING SYSTEM SECURITY
CYBERSECURITY FRAMEWORK SUBCATEGORY EX AMPLE Function
Category
Subcategory
Informative References
IDENTIFY Asset Management (ID.AM): ID.AM-1: Physical devices and systems (ID) The data, personnel, devices, within the organization are inventoried systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the ID.AM-2: Software platforms and organization’s risk strategy. applications within the organization are inventoried
CIS CSC 1 COBIT 5 BA109.01, BA109.02 ISA 62443-2-1:2009 4.2.3.4 ISA 62443-3-3:2013 SR 7.8 ISO/IEC 27001:2013 A.8.1.1, A.8.1.2 NIST SP 800-53 Rev. 4 CM-8, PM-5 CIS CSC 2 COBIT 5 BA109.01, BA109.02, BA109.05 ISA 62443-2-1:2009 4.2.3.4 ISA 62443-3-3:2013 SR 7.8 ISO/IEC 27001:2013 A.8.1.1, A.8.1.2, A.12.5.1 NIST SP 800-53 Rev. 4 CM-8, PM-5
AN EXAMPLE FROM THE NIST PROFILE OF TWO SUBCATEGORIES AND APPLICABLE REFERENCES WITHIN THE ASSET MANAGEMENT CATEGORY. REFERENCES ARE EXISTING STANDARDS, GUIDELINES, AND PRACTICES THAT PROVIDE PRACTICAL GUIDANCE TO HELP AN ORGANIZATION ACHIEVE THE DESIRED OUTCOME OF EACH SUBCATEGORY.
flexible, risk-based, and voluntary guidance, based on existing standards, guidelines, and practices, to help organizations better understand, manage, and communicate cybersecurity risks. The CSF is organized by five high-level functions: Identify, Protect, Detect, Respond, and Recover. These functions are designed to help develop guidance on cybersecurity risk management as applied to PNT services.
The Identify Function IDs key elements which should be eyeballed in this analysis. Consideration of the threat environment and the organization’s purpose, assets, and vulnerabilities will have a significant influence on the overall risk. Objectives include identifying the business/operational environment and organization’s purpose; identifying all assets, including applications depending on PNT data; identifying sources and infrastructure that provide PNT information; and identifying the vulnerabilities, threats, and impact should the worst happen. The Protect Function includes development, implementation, and verification measures to prevent the system from going down in eeworldonline.com | designworldonline.com
the case of PNT disruption or manipulation. Objectives include protecting the systems forming, transmitting, and using PNT data to assure a level of integrity, availability and confidentiality based on application needs; protecting the deployment and use of PNT services by applying cybersecurity principles, including understanding the baseline qualities and application tolerances of the PNT sources, data, and any contextual information; protect users and applications that depend on PNT data, should a threat be realized, by maintaining operations through response and recovery plans; and protect organizations relying on PNT services and data with respect to business and operational needs.
The Detect Function concerns ways of monitoring for anomalous events and notifying downstream users and applications that there’s a problem. Objectives include enabling detection through monitoring and consistency checking, and establishing a process for handling detected anomalies and events. The Respond Function addresses the development and implementation of activities 8 • 2021
DESIGN WORLD — EE NETWORK
39
AUTONOMOUS & CONNECTED VEHICLES
connected with responding to and containing a detected cybersecurity (and/ or anomalous) event. Objectives include containing the event with a well-defined response procedure; communicating what happened to PNT data users, applications, and stakeholders and how the event impacts PNT data; developing ways of responding to and mitigating known or anticipated threats and/or vulnerabilities; and evolving response strategies and plans based on lessons learned.
The Recover Function involves restoring capabilities or services impaired in a cybersecurity event. The activities support timely recovery to normal operations and getting the organization back to normal. Objectives including coming up with procedures to restore systems that depend on PNT services; communicating with PNT data users, applications, and stakeholders about recovery activities and status; and evolving recovery strategies and plans based on lessons learned. NIST says the PNT Profile categories are designed to provide the information an organization needs to undertake the process of managing risks against potential disruption and manipulation of the PNT services, including networks and components that transmit or use PNT data. The “Applicability to PNT” column in Section 4 of the PNT Profile contains the intended outcomes of responsible PNT use. Mitigation measures are provided in the reference column to aid each subcategory implementation.
CYBERSECURITY FRAMEWORK FUNCTIONS AND CATEGORIES Function Unique Identifier
Category Unique Identifier
Category
ID.AM ID.BE ID.GV ID.RA ID.RM ID.SC
Asset Management Business Environment Governance Risk Assessment Risk Management Strategy Supply Chain Risk Management
PR.AC PR.AT PR.DS PR.IP PR.MA PR.PT
Access Control Awareness and Training Data Security Information Protection Processes and Procedures Maintenance Protective Technology
Detect
DE.AE DE.CM DE.DP
Anomalies and Events Security Continuous Monitoring Detection Processes
RS
Respond
RS.RP RS.CO RS.AN RS.MI RS.IM
Response Planning Communications Analysis Mitigation Improvements
RC
Recover
RC.RP RC.IM RC.CO
Recovery Planning Improvements Communications
Function
ID
Identify
PR
Protect
DE
THE FIVE FUNCTIONS AND 23 CATEGORIES OF THE NIST PROFILE CORE. IN THE NIST PROFILE, FUNCTIONS PROVIDE A HIGH-LEVEL, STRATEGIC VIEW OF THE LIFE CYCLE OF AN ORGANIZATION’S MANAGEMENT OF PNT CYBERSECURITY RISK. THE FRAMEWORK CORE THEN IDENTIFIES UNDERLYING CATEGORIES AND SUBCATEGORIES FOR EACH FUNCTION. THE 108 SUBCATEGORIES ARE DISCRETE CYBERSECURITY OUTCOMES ARE ORGANIZED INTO 23 CATEGORIES LIKE ASSET MANAGEMENT OR PROTECTIVE TECHNOLOGY.
REFERENCES FOUNDATIONAL PNT PROFILE (NISTIR 8323), HTTPS:// NVLPUBS.NIST.GOV/NISTPUBS/ IR/2021/NIST.IR.8323.PDF
40
DESIGN WORLD — EE NETWORK
8 • 2021
eeworldonline.com
|
designworldonline.com
WEBINAR SERIES
CUSTOM CONTENT IN A LIVE, INTERACTIVE OR ON-DEMAND FORMAT. CHECK OUT OUR WEBINARS TODAY: ■
designworldonline.com/category/webinars
■
fluidpowerworld.com/category/webinars
■
therobotreport.com/category/robotic-webinars
■
eeworldonline.com/category/webinars
■
solarpowerworldonline.com/category/featured/webinars
■
windpowerengineering.com/category/featured/webinars
■
medicaldesignandoutsourcing.com/webinars
WTWH MEDIA’S WEBINARS OFFER: • Coverage of a wide range of topics • Help engineers better understand technology or product related issues and challenges • Present educational material related to specific topics
Medical edical Design & OUTSOURCING
Webinars-FullPgAd.indd 1
4/8/20 4:16 PM
AUTONOMOUS & CONNECTED VEHICLES
POWERING EVs WITH SILICON CARBIDE
CHARLIE ICE, SILICON LABS
A FLYBACK CONVERTER/ISOLATED-GATE-DRIVER COMBO REDUCES THE COST AND COMPLEXITY OF IMPLEMENTING SiC FET DESIGNS IN EV SYSTEMS.
ELECTRIC VEHICLES are pushing the limits of today’s power conversion technology, and the advent of high-power silicon-carbide (SiC) FETs has pushed the envelope even further. The many advantages of SiC FETs allow for higher switching speeds and higher voltages yielding smaller magnetics, lighter-weight cables, and higher efficiencies. These improvements have given electric vehicles a greater range and more capabilities. New gate-drive techniques are required for SiC FET designs. One requirement is that they include negative gate voltages to ensure SiC FETs stay completely off. Generation of these negative voltages requires use of an isolated power supply. Thus the design of SiC gate drives may seem to be a daunting task. However, a review of half-bridge fundamentals and flyback converter techniques can quickly demystify the necessary steps in the design. At the heart of the onboard chargers (OBCs), main dc-dc converters, traction inverters, and many other systems that make up EVs are two switching devices. They are typically depicted in schematics as being stacked one on top of the other, forming a half bridge. Half bridges allow the center node between the two switching devices to be efficiently pulled to the positive or negative rail. In an EV, these rails are typically
42
DESIGN WORLD — EE NETWORK
the dc link rails which can reach 800 or even 1,000 V with the latest SiC FET technology. Unfortunately, stacking the FETs in a half- bridge configuration requires special attention to gate driver ground references. To turn on a FET, the gate-source voltage, VGS, must be raised to a certain level, usually ~15 V for SiC FETs. Gate drivers typically pull the gate voltage to their VDD rail to turn on the FET. If the gate drivers use the same power rails, and the high-side gate driver’s ground is tied to the negative rail (dc link-), the output of the high-side gate driver is referenced to the dc link-. This ground connection creates many issues and simply does not work. For example, if the low-side FET is off, the source of the high-side FET floats relative to the high-side gate driver, and VGS is unknown. The solution: The two gate drivers use separate power supplies, and the high-side gate driver’s ground is tied to the source of the high-side FET. In this configuration, the high-side gate driver is referenced to the FET source connection; so, even as the FET source rises to dc link+, the gate-source voltage remains the same. With the high-side gate drive issue solved, the next step is to generate power supplies for the gate drivers and negative gate voltage. The correct connection uses separate power supplies, and the highside gate driver ground is tied to the highside FET’s source. The process of designing supplies for the gate drivers in a half bridge can often become a daunting endeavor involving dc-dc controllers, transformers, and PCB area constraints. The negative gate 8 • 2021
HALF BRIDGE
SiC FETS IN A HALF-BRIDGE CONFIGURATION. HALF BRIDGES ALLOW THE CENTER NODE, SHOWN BY THE BLUE CIRCLE, TO BE EFFICIENTLY PULLED TO THE POSITIVE OR NEGATIVE RAIL. IN AN EV, THESE RAILS ARE T YPICALLY THE DC LINK RAILS, WHICH CAN REACH 800 OR EVEN 1,000 V WITH THE L ATEST SIC FET TECHNOLOGY.
eeworldonline.com
|
designworldonline.com
POWER CONVERSION FOR EVs THE WRONG WAY AND RIGHT WAY TO DRIVE SiC GATES
voltage requirement of SiC FETs further complicates supply design. Finally, most EV systems connect to the high-voltage dc link and require that the low-voltage control portion be isolated from the high-voltage power conversion stage. However, with a few upgrades, a flyback converter can be modified to meet all of these requirements. Most EVs today have a main dc-dc converter that steps the dc link voltage down to the lower voltage rails (typically 12 and 48 V) used by most low-power electronic systems. By means of an isolated flyback converter, one of these low-voltage rails can be used to power the isolated gate drivers. In a typical configuration, a flyback converter’s transformer provides isolation and has two separate secondary side windings to create two supplies for the two gate drivers. Because the two outputs are coupled by the transformer, eeworldonline.com
|
designworldonline.com
the dc-dc controller only directly regulates one of the two outputs. The other output is indirectly regulated through the interwinding coupling of the transformer. This configuration causes the indirectly regulated output to perform slightly worse than the directly regulated output but not enough to impact the overall system. Use of a single transformer and converter for both outputs reduces board space and cost. By leveraging this configuration, the transformer can be further modified to create the negative gate voltage required by SiC FETs. Now consider a flyback transformer modified to with taps in the middle of each of the two output windings (denoted VMIDA and Vmidb in the nearby schematic). In the high-side gate driver power domain, the middle tap creates a positive voltage relative to one of the end taps 8 • 2021
AN INCORRECT GATE DRIVER CONNECTION (LEFT) AND A CORRECT CONNECTION (RIGHT). IF THE GATE DRIVERS USE THE SAME POWER RAILS, AND THE HIGH-SIDE GATE DRIVER GROUND IS TIED TO THE NEGATIVE RAIL (DC LINK -), THE OUTPUT OF THE HIGH-SIDE GATE DRIVER IS REFERENCED TO THE DC LINK. THIS CREATES MANY ISSUES AND SIMPLY DOES NOT WORK. FOR EX AMPLE, IF THE LOW-SIDE FET IS OFF, THEN THE SOURCE OF THE HIGHSIDE FET IS FLOATING REL ATIVE TO THE HIGH-SIDE GATE DRIVER, AND VGS IS UNKNOWN. THE SOLUTION: THE T WO GATE DRIVERS USE SEPARATE POWER SUPPLIES, AND THE HIGH-SIDE GATE DRIVER’S GROUND IS TIED TO THE SOURCE OF THE HIGH-SIDE FET.
DESIGN WORLD — EE NETWORK
43
AUTONOMOUS & CONNECTED VEHICLES POWERING ISOL ATED GATE DRIVERS A HALF BRIDGE WITH A DUALOUTPUT FLYBACK CONVERTER FOR POWERING ISOL ATED GATE DRIVERS. HERE, THE 12-V RAIL POWERS BOTH THE PRIMARY SIDE AND SECONDARY SIDES OF THE ISOL ATED GATE DRIVERS. THE FLYBACK CONVERTER’S TRANSFORMER PROVIDES ISOL ATION AND HAS T WO SEPARATE SECONDARY SIDE WINDINGS TO CREATE T WO SUPPLIES FOR THE T WO GATE DRIVERS. BECAUSE THE T WO OUTPUTS ARE COUPLED BY THE TRANSFORMER, THE DC -DC CONTROLLER ONLY DIRECTLY REGUL ATES ONE OF THE T WO OUTPUTS. THE OTHER OUTPUT IS INDIRECTLY REGUL ATED THROUGH THE INTERWINDING COUPLING OF THE TRANSFORMER.
Santa Clara Convention Center
2022 CO-LOCATED EVENT
robobusiness.com
Sponsorship opportunities are available for future ROBOBusinessDirect programs.
For more information, contact
COURTNEY NAGLE
cseel@wtwhmedia.com | 440.523.1685
SiLabs — ACV HB 08-21.indd 44
7/30/21 3:44 PM
POWER CONVERSION FOR EVs FLYBACK TRANSFORMER WITH SPECIAL TAPS
(VGNDA in the schematic) and a negative voltage with respect to the other (VDDA). The source of the high side FET is tied to the middle tap (VMIDA) and the gate driver remains referenced to the low tap (VGNDA). When the gate driver turns the FET off, it pulls the FET gate to its ground. This causes the voltage on the gate of the FET (VGNDA) to be below that of the source voltage (VMIDA). The connection creates a negative gate voltage to ensure the SiC FET is held in the off state. Note this configuration also changes the gate-source voltage when the gate driver turns the high-side SiC FET on and pulls the FET gate to the high-side tap voltage (VDDA). Adjusting the transformer turns ratio between the middle tap and the high and low taps (VDDA to VMIDA and VMIDA to VGNDA) sets the middle-tap voltage (VMIDA). Likewise, this same operation applies to the low-side gate driver power domain. Many isolated gate driver devices, such as the Silicon Labs Si828x, include a dedicated VMID pin to sense the drain-to-source voltage across the SiC FET for desaturation detection. To further reduce cost and board space, many isolated gate drivers include a built-in dc-dc controller. The Silicon Labs Si828x also includes eeworldonline.com
|
designworldonline.com
THE FLYBACK TRANSFORMER MODIFIED WITH TAPS FOR VMIDA AND VMIDB TO THE T WO OUTPUT WINDINGS. IN THE HIGH SIDE GATE DRIVER POWER DOMAIN, HIGHLIGHTED IN BLUE, VMIDA CREATES A POSITIVE VOLTAGE REL ATIVE TO VGNDA AND A NEGATIVE VOLTAGE WITH RESPECT TO VDDA. THE SOURCE OF THE HIGH SIDE FET IS TIED TO VMIDA, AND THE GATE DRIVER REMAINS REFERENCED TO VGNDA. WHEN THE GATE DRIVER TURNS THE FET OFF, IT PULLS THE FET GATE TO ITS GROUND RESULTING IN THE VOLTAGE ON THE GATE OF THE FET (VGNDA) GOING BELOW THE SOURCE VOLTAGE (VMIDA). NOW A NEGATIVE GATE VOLTAGE ENSURES THE SIC FET IS HELD IN THE OFF STATE. NOTE THIS ALSO CHANGES THE GATE-SOURCE VOLTAGE WHEN THE GATE DRIVER TURNS ON THE HIGH-SIDE SIC FET AND PULLS THE FET GATE TO VDDA. ADJUSTING THE TRANSFORMER TURNS RATIO BET WEEN VDDA TO VMIDA AND VMIDA TO VGNDA SETS THE VMIDA VOLTAGE. LIKEWISE, THIS SAME OPERATION APPLIES TO THE LOW-SIDE GATE DRIVER POWER DOMAIN, HIGHLIGHTED IN GREEN.
this feature. The integrated dc-dc controller eliminates the need for a separate controller IC and often makes optocoupler feedback unnecessary because the isolated gate driver passes the feedback across the isolation barrier internally. Thus through use of a flyback converter with a sophisticated transformer design, a single dc-dc converter can power the isolated gate drivers and generate the negative gate voltage. A sophisticated flyback converter coupled with the latest innovations in isolated gate drivers simplifies the task of driving SiC FETs in half-bridge configurations. It also reduces the cost and complexity of implementing SiC FET designs in the many EV systems using half bridges. As systems from onboard chargers to traction inverters adopt SiC FETs, electric vehicles gain higher efficiency, can work at higher voltages, and employ lighterweight components, truly making them the automobiles of the future.
8 • 2021
REFERENCES SILICON L ABS, W W W.SIL ABS.COM MA XIMIZING THE PERFORMANCE OF SIC THROUGH GATE DRIVE TECHNIQUES, HT TPS://W W W. POWERELECTRONICTIPS.COM/ MA XIMIZING -THE-PERFORMANCEOF-SIC -THROUGH-GATE-DRIVETECHNIQUES -FAQ/
DESIGN WORLD — EE NETWORK
45
AUTONOMOUS & CONNECTED VEHICLES
MEMORY AND FUNCTIONAL SAFETY IN AUTONOMOUS VEHICLES AS SOFTWARE AND ITS ASSOCIATED MEMORY FOOTPRINT CONTINUE TO EXPAND IN VEHICLES, AUTOMOTIVE SYSTEM DESIGNERS NEED A DEEPER UNDERSTANDING OF DRAM AND ITS IMPACT. ROBERT BIELBY • MICRON TECHNOLOGIES
TODAY’S
high-end vehicles are recognized
as among the largest embedded software applications in the world, with a total memory footprint expected to
ASIL
Failure Rate (FIT)
LFM
SPFM
A
< 1,000
—
—
B
<100
≥ 60%
≥ 90%
grow from today’s staggering 100 million lines of code
C
<100
≥ 80%
≥ 97%
to over 300 million lines of code by 2030. Of course, the
D
<10
≥ 90%
≥ 99%
catalyst for this exponential growth is the move towards
FOR HARDWARE COMPONENTS, ASIL REQUIREMENTS IDENTIFY THE REQUISITE VALUES FOR FAILURE METRICS. LFM = LATENT FAULT METRIC, SPFM= SINGLE-POINT FAULT METRIC.
fully autonomous vehicles.
Malfunctions are classified into two types of failures
Several safety mechanisms are employed at the memory hardware and system levels:
Whereas 10 years ago a more modest microcontroller might contain 50 million transistors, GPUs that can be found in today’s high-end cars can employ more than 25 billion transistors, an increase of 500X in a 10-year time frame. The increase in transistor count is also a good proxy for the overall increase in vehicular systemlevel complexity. And today, the automobile is widely considered to be one of the main drivers of many complex leading-edge products and technologies. Automotive applications have pushed semiconductors into the functional safety arena. It is important to note that the first edition of the functional safety standard ISO 26262 published in 2011 was primarily limited to electrical and/or electronic systems with almost no consideration for semiconductors. However, since then, the focus has broadened to include the semiconductor industry -- IC manufacturers, IP providers, and EDA companies. Eventually, with the second edition of the 26262:2018 specification came the addition of part 11 which is dedicated to semiconductors. The ISO 26262 standard defines functional safety as the “absence of unreasonable risk due to hazards caused by malfunctioning behavior of electrical/ electronic systems.”
• Systematic failures: These are failures that happen in a deterministic manner — typically introduced during product design or development. These failures are generally addressed by adopting well-documented processes and methodologies, including safety planning, safety concept documentation, requirements traceability, proactive safety analysis tools, robust verification, operational procedures, and other associated factors. • Random failures: These are failures that appear arbitrarily during the lifetime of a device. Random failures can be further divided into two categories: transient faults (single-event upsets or soft errors) or permanent faults (hard errors such as stuck at a logic level). These types of failures are generally addressed by introducing safety mechanisms that help identify the faults so the system can take actions such as correcting the fault or maneuvering to maintain a safe state.
• Redundancy — Typically implemented at the hardware level. • Cyclic redundancy check — Typically used for error detection. • Error correction code — Generally used for both error detection and correction. • Built-in-self-test — Takes the form of additional circuitry that verifies accurate device operation, either continuously or during power-up.
46
DESIGN WORLD — EE NETWORK
8 • 2021
Various metrics measure the effectiveness of the safety mechanisms used to detect random failures in time (FIT) and the likelihood of risk. These metrics include single-point fault metric (SPFM) and latent fault metric (LFM), both used to measure the functional safety of a given hardware component.
ASILS ASIL refers to the Automotive Safety Integrity Level. There are four ASIL levels defined by the ISO 26262 standard. ASIL A systems
eeworldonline.com
|
designworldonline.com
ISO 26262:2018 Part 8, Clause 13 classifications
MEMORY AND FUNCTIONAL SAFETY
Resistor Capacitor Class I: Basic Transistor Diode Quartz Resonator Class II: Intermediate
Fuel pressure sensor Temperature sensor Analog Digital Converter (ADC)
Microprocessor Class III: Complex Microcontroller Digital Signal Processor (DSP)
ISO 26262:2018 PART 8, CLAUSE 13 CLASSIFICATION OF HARDWARE ELEMENTS.
have the least stringent level of safety reduction, whereas ASIL D is the most stringent. Higher ASIL levels typically imply rising cost and complexity, thus the ASIL level required for a given system directly correlates to the severity, exposure and controllability of that system’s failure on the operation of the vehicle. Memory and storage in the modern vehicle is expected to grow and total to more than 1 TB. Thus there is understandably an ever-increasing focus on the role of memory in achieving functional safety levels. The ISO 26262:2018 release had a focus on semiconductors. Specifically, Part 8, Clause 13 classifies a hardware element as either, basic, intermediate, or complex – a reference to the general complexity of a given semiconductor device or sensor. Historically, DRAM has been classified as a Class II – intermediate device, which belies the underlying complexity of DRAM. The underlying circuitry within a DRAM makes it apparent that DRAM would be more appropriately recognized in the Class III Complex range. The complexities include the following:
When designing automotive applications such as ADAS, system architects typically use commercial-off-the-shelf (COTS) devices, or automotive derivatives of these devices. There is a wide range of available auto-qualified COTS components including LPDDR4 and LPDDR5 DRAM. Sometimes, designers may assume that legacy error-handling measures sufficiently address the end application. They don’t evaluate the effectiveness of these measures when used as safety mechanisms. Examples might include the use of in-line or sideband
• Multiple states, operating modes, registers • Many internal states/modes cannot be tested or analyzed without deep knowledge of implementation details and/ or access to test modes • Many failure modes cannot be identified, understood, and analyzed without knowledge of the design, implementation, and production process • Safety mechanisms relevant for the safety concept are integrated
ECC on the host SoC – similar to its use in server or consumer applications. The rationale for this type of memory is that the host-ECC adequately covers the external DRAM. However, in the context of functional safety, and for some of the reasons described earlier (why DRAM should be considered a Class III hardware element), it becomes clear that standard host-ECC schemes do not perfectly cover all potential failure modes in the external DRAM. As such,
diagnostic coverage of traditional hostbased ECC solutions may be sufficient only for applications requiring up to ASIL B. Because the automotive code footprint is expected to reach 300 million lines, a detailed understanding of DRAM operation is becoming necessary for achieving the requisite ASIL level. Detailed understanding and modeling of DRAM makes it clear that a classification as a Category II Hardware Element is over-simplistic. To go beyond ASIL B, designers should specify a memory with systematic fault coverage addressed by an ISO 26262-certified process. Designers should also request data regarding any safety mechanisms that address such items as latent faults and multiple bit errors, as well as about other features that can help reach the ASIL target. Also recommended is that designers work closely with the memory supplier and the associated Functional Safety Office to design guidelines, associated random fault coverage features
Failure Modes in DRAM
Host-ECC (e.g. in-line SECDED ECC, 64+8b)
Data corruption – Single-bit error
100% detection and correction
Data corruption – Double-bit error
100% detection (if no aliasing from internal ECC)
Data corruption – Multi-bit error
~70% detection
Addressing error
No detection
Data not written
No detection
Old / default output data
No detection
STANDARD HOSTECC SCHEMES DO NOT PERFECTLY COVER ALL POTENTIAL FAILURE MODES IN THE EXTERNAL DRAM.
(as applicable) are employed for the desired ASIL level. It’s important for system designers to keep in mind that memory by itself can’t be the whole safety solution for vehicles. Designers are ultimately responsible for building-in redundancies and safety mechanisms and for ensuring the holistic system design is safe and reliable.
REFERENCES MICRON TECHNOLOGIES, MICRON.COM CONDITIONS FOR A SAFE STATE OF AUTOMATED ROAD VEHICLES, HTTPS://WWW.RESEARCHGATE.NET/ PUBLICATION/282564618_CONDITIONS_FOR_A_SAFE_STATE_OF_AUTOMATED_ROAD_VEHICLES#:~:TEXT=A%20 SAFE%20STATE%20AS%20’AN,BELOW%20AN%20UNREASONABLE%20LEVEL%2C%20WHERE
eeworldonline.com | designworldonline.com
8 • 2021
DESIGN WORLD — EE NETWORK
47
AD INDEX AU T O NO M O US & C O N N EC T E D V E HI CL E S H A N D BO O K • AU G US T 2021
Coilcraft................................................................. BC
LEMO USA, Inc....................................................... 19
Digi-Key..................................................... Snipe, IFC
Newark, An Avnet Company................................ IBC
Keystone Electronics Corp....................................... 1
SALES
LEADERSHIP TEAM Neel Gleason ngleason@wtwhmedia.com 312.882.9867 @wtwh_ngleason
Jami Brownlee jbrownlee@wtwhmedia.com 224.760.1055 Jim Dempsey jdempsey@wtwhmedia.com 216.387.1916
Courtney Nagle cseel@wtwhmedia.com 440.523.1685
Mike Francesconi mfrancesconi@wtwhmedia.com 630.488.9029
Jim Powers jpowers@wtwhmedia.com 312.925.7793 @jpowers_media
Publisher Mike Emich memich@wtwhmedia.com 508.446.1823 @wtwh_memich Managing Director Scott McCafferty smccafferty@wtwhmedia.com 310.279.3844 @SMMcCafferty EVP Marshall Matheson mmatheson@wtwhmedia.com
N
W
ORLD
805.895.3609 @mmatheson
@DES 48
DESIGN WORLD — EE NETWORK
8 • 2021
IG
eeworldonline.com | designworldonline.com
7x more semis 3x more passives 2x more interconnect Fast & free shipping* Choose from a new and expanded range of board-level components with free shipping on orders over $150 USD & faster delivery. SHOP THE WAY YOU PREFER
newark.com order@newark.com / quote@newark.com
1 800 463 9275 7:00 a.m. – 8:00 p.m. M-F (EST)
newark.com/technical-support 1 877 736 4835
E-PROCUREMENT SYSTEMS We can link with any eProcurement system, and our dedicated e-team will facilitate your implementation. Email: eproc@newark.com
GLOBAL REACH, LOCAL RESOURCES · 10 million products available, 950,000 in stock · Supporting 46 websites in 27 languages · Authorized distributor for 3000+ brands globally
SHIPPING Order
Time
Domestic
M-F by 9:00 p.m. (EST)
Export M-F by 6:00 p.m. (EST) In-stock products normally ship the same day
NO MINIMUM ORDER FEES
NEW! FREE SHIPPING, FASTER DELIVERY, GLOBAL INVENTORY Access our global inventory with free shipping on orders over $150 USD & faster delivery *Some exclusions apply, for more details see: www.newark.com/help-delivery-information
YOU CAN FIND US AT…
Advanced Magnetics for ADAS
From high-current, high-efficiency power inductors to filter components for a variety of communications buses, Coilcraft has the magnetics for all of your Advanced Driver Assistance Systems Coilcraft offers a wide range of AEC-Q200 qualified products engineered for the latest advanced driver assistance systems, including high-temperature, high power density power inductors for radar, camera and LiDAR applications. Our compact, low-profile WA8351-AL ultrasonic sensor transformer offers excellent temperature stability up to 125°C and
high performance for time-of-flight (TOF) sensing. Also choose from our broad selection of common mode chokes and filter elements for a variety of communications buses. To learn more about our advanced solutions for ADAS and other automotive/ high-temp applications, visit us at www.coilcraft.com/AEC. ®
WWW.COILCRAFT.COM