Automotive FPGAs—Reliable performance in engine control unit operations
Traditionally, automotive electronics engineers have used MCUs, custom ASICs, and bulky wiring harnesses to introduce and control electronic systems and to expand functionality as vehicles evolve. However, as these solutions are pushed to their technological and application limits, the automotive industry is facing new design challenges. As a result, many designers are turning to FPGAs to address problems including pressure to bring products to market faster, increasing component counts, standardization on a single hardware platform, and escalating safety requirements.
Accustomed to long product and development cycles in the past, many automakers are now working to equip the next generation of cars with the electronics consumers demand in a shorter time. Devices such as GPS navigation systems and DVD players have relatively short lifespans, so time to market is critical. Unlike traditional automotive applications, these entertainment and telematics systems are characterized by medium-scale production and time-to-market pressures similar to those in the consumer market. Today, using ASICs can add 30 weeks to the development cycle, and the cost of ASIC masks has risen sharply, further increasing the cost and risk of the device. At the same time, because today's cars incorporate many standards and technologies, ASICs lack the inherent flexibility required, increasing the risk of obsolescence and delayed deployment.
Consumers also demand a wide range of functional options, which requires automakers to configure vehicles from a set of components. For implementing these highly integrated and ever-changing systems, FPGAs, which can be brought to market quickly, give automakers the flexibility they need to upgrade system hardware in the field without expensive rework and component replacement. FPGAs are therefore now used throughout automotive electronics, from design verification to manufacturing and service.
Finally, as space in the car is very precious, the ability of programmable logic to integrate many different functions in a small single-chip solution is also very attractive.
Today's automotive electronics also require high-volume manufacturing (at low cost) and high reliability in harsh environments, in addition to attention to design safety issues in this rapidly developing and competitive market. Technical decision makers who evaluate FPGA devices therefore need to understand the reliability and safety characteristics of the devices under consideration.
FPGA failures can be caused by many mechanisms. Some, such as ESD exposure and other packaging and assembly problems, are inherent to semiconductor devices; others, such as dielectric material breakdown over time or susceptibility to subatomic particle collisions, are becoming increasingly important as process geometries shrink. All of these issues are aggravated by the traditional enemy of electronic component reliability: temperature stress. Automotive electronics designers can significantly improve their systems' ability to withstand many types of failures by using FPGA technology with an extended temperature range.
While many component suppliers use preventative design techniques and limited methods to simulate and emulate environmental stresses, certain FPGA architectures are inherently better at withstanding extended temperature exposure. For example, Actel's antifuse-based automotive devices can withstand the industry's highest junction temperature (+150 °C), giving designers greater performance margins in high-reliability systems. The ability to operate at high temperatures is not only beneficial for failure resistance: automotive applications do not have the space or the budget for fans and heat sinks, so devices must be able to provide the required performance without external heat sinks.
Extreme environments often lead to failure modes related to the FPGA assembly and packaging, rather than the device itself. Therefore, it is important to reserve specification margins at all levels of the automotive electronic system. FPGA suppliers such as Xilinx and Actel offer products with a wide military temperature range, which can better handle the coefficient of thermal expansion and avoid the effects of thermal stress.
Even when operating at normal temperature and voltage, repeated voltage stress on the gate oxide of an FPGA will eventually cause the dielectric insulation layer within the device to break down. This breakdown phenomenon, which accumulates over time, is called "time-dependent dielectric breakdown" (TDDB). With the use of deep submicron technology, the risk of this type of failure occurring in the field increases. The problem is that new processes are evaluated using high-voltage stress tests. These tests are effective for obtaining statistical predictions of oxide film life and for detecting important manufacturing and process difficulties, but they are of little use for modeling and predicting early failures in products, especially sporadic failures. Early breakdown can cause serious failures very soon after the device is put into use (see Figure 1), which may raise important issues of automotive system safety and warranty liability.
Figure 1: TDDB evaluation results of 4.2nm oxide film under constant voltage conditions (note the sporadic failures in the early breakdown area)
Finding and eliminating the causes of these early breakdown failures is a major challenge. Testing and verification based on TDDB data can derive the true breakdown life limit of the oxide film, but these data are not reliable for determining the life of individual devices. Even if semiconductor suppliers have ways to find or eliminate early failures, there is increasing speculation that the true life cycle of 90nm devices may not be sufficient to meet the requirements of many commercial applications. If these theories are correct, automotive product designers may have no choice but to use devices with more reliable geometries and processes, and be forced to give up the marginal benefits of new-generation processes in order to improve reliability.
After reviewing the main physical failure risks of automotive electronics, it may seem strange for this article to turn to security and anti-tampering issues. However, any discussion of factors affecting the reliability of automotive systems is incomplete if it does not consider the impact of human intervention (intentional or unintentional). It is important to recognize that automotive safety and reliability are established starting at the component level. For example, if hackers can penetrate an FPGA-based satellite radio receiver and subvert the user authentication mechanism, some unscrupulous users can access the service for free. Once the security mechanism of the system is broken, the relevant technology can be easily distributed to the public. Various consoles for hacking paid services can be found simply by visiting websites such as eBay. From the perspective of the automaker, the high-risk situation may involve the anti-theft or security system of the car.
Perhaps more dangerous is the increasing number of people trying to "tune" the car to improve performance, which often violates regional or national safety and environmental standards. Such illegal modifications are offered through many channels and are often difficult to control and combat. Many tuners recalibrate the general settings of various on-board system components and modify fuel delivery, electronic ignition timing and other control functions to enhance performance. Of course, these changes may cause the car to be driven outside the manufacturer's technical specifications and warranty, but smart tuners provide the option to revert all modifications so that damaged and overused cars appear to meet the manufacturer's warranty terms, in the hope of obtaining legal compensation.
Reducing these security issues should start with the selection of technology. Industry experts generally agree that antifuses are the most secure programmable architecture available, because it is extremely difficult to clearly read the state of an antifuse-based device. For example, Actel's 2 million gate antifuse FPGA contains about 53 million antifuses, of which only 2-5% are programmed in a typical design. Therefore, the chances of successfully reading the contents of a design, let alone changing the programmed state, are extremely small.
Generally speaking, flash-based devices are also secure; since no physical changes occur at the semiconductor level of flash, it is impossible to know the state of the device through illegal probing. Some vendors even use schemes such as access keys to further enhance protection. Actel's new ProASICPLUS series uses keys ranging from 79 to 263 bits in length. Once protected with a key, the contents cannot be read unless the device is unlocked. In contrast, SRAM-based devices require an external configuration device (usually an onboard PROM) to send a configuration bit stream to the SRAM device at power-up.
But this bit stream can be easily intercepted by hackers, who can copy it or directly read its contents.
Life Racing: Racing Applications
Among the many areas of automotive electronic system development, racing has always been a place where FPGAs show their strengths. One area where FPGAs can help improve flexibility, performance and reliability is the automotive engine control unit (ECU). Major racing companies, such as Life Racing, the electronic design division of Advanced Engine Research Ltd (AER), have begun to incorporate Actel's flash-based ProASIC Plus FPGA devices in their ECU designs. Competition racing ECUs require complex tuning algorithms optimized for each independent controller to manage the timing functions of the engine. With the traditional solution of standard timing processing unit (TPU) controllers, this critical software requires significant modification as application requirements change. However, with the in-system reprogrammability (ISP) of flash-based FPGAs, designers can replace off-the-shelf TPU controllers with single-chip, live-at-power-up FPGA devices, thereby shortening software development time, reducing debugging requirements and accelerating overall time to market.
In an ECU, the main function of an FPGA is typically to extract engine position information from the crankshaft trigger wheel signal. The FPGA generates CPU interrupt signals based on the abstract crankshaft angle, rather than on the trigger wheel tooth position used in traditional designs, thereby increasing flexibility and accuracy. ECUs typically program fuel injection and ignition actions as timed scheduled events, based on the engine operating conditions at the time the scheduling code is executed. A change in the engine operating state before the event occurs can cause angle errors, and the scheduling code is often closely tied to the current crankshaft trigger wheel tooth pattern. FPGAs can make the scheduling code independent of the signal pattern and can monitor the engine operating conditions to schedule events and make continuous adjustments until the event occurs. This can increase code efficiency and flexibility while improving control accuracy under dynamic conditions.
In addition, the live-at-power-up capability of flash-based FPGAs, such as Actel's ProASIC Plus, can help designers eliminate the additional components that are traditionally needed to prevent the fuel injection driver or ignition coil driver from firing during power-up. Life Racing's proprietary ECU design, the F88, was successfully used in the first round of the 2003 Superfund World Series, an important stepping stone to Formula 1.
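The angle error described above, as an added example that is not from the article or from Life Racing's design: a constructed C model that compares a delay fixed at scheduling time with an event re-derived from tooth edges while the engine accelerates. The 6-degree tooth spacing, the speeds and the function names are assumptions chosen for illustration.

```c
#include <stdio.h>

/* Constructed model; all names and numbers are assumptions, not the F88's. */
#define DT        1e-7   /* simulation step, seconds */
#define TOOTH_DEG 6.0    /* assumed trigger wheel tooth spacing, degrees */

/* Time-scheduled event: the delay is fixed from the speed seen when the
 * scheduling code runs. Returns the angle error (deg) at timer expiry. */
double time_scheduled_error(double w0, double accel, double target_deg)
{
    double delay = target_deg / w0;   /* computed once, never revised */
    double angle = 0.0, w = w0;
    for (double t = 0.0; t < delay; t += DT) {
        angle += w * DT;
        w += accel * DT;
    }
    return angle - target_deg;
}

/* Angle-scheduled event: speed is re-measured at every tooth edge and the
 * angle is interpolated between edges until the target angle is reached.
 * Assumes w0 > 0 and accel >= 0 so the target is always reached. */
double angle_scheduled_error(double w0, double accel, double target_deg)
{
    double angle = 0.0, w = w0, t = 0.0;
    double edge_angle = 0.0, edge_time = 0.0, est_w = w0;
    for (;;) {
        angle += w * DT;  w += accel * DT;  t += DT;
        if (angle >= edge_angle + TOOTH_DEG) {      /* new tooth edge seen */
            est_w = TOOTH_DEG / (t - edge_time);    /* latest tooth period */
            edge_angle += TOOTH_DEG;
            edge_time = t;
        }
        if (edge_angle + est_w * (t - edge_time) >= target_deg)
            return angle - target_deg;              /* event fires here */
    }
}

int main(void)
{
    /* 3000 rpm = 18000 deg/s; 36000 deg/s^2 = 6000 rpm/s; event 87 deg ahead */
    printf("time-scheduled:  %+.4f deg\n", time_scheduled_error(18000, 36000, 87));
    printf("angle-scheduled: %+.4f deg\n", angle_scheduled_error(18000, 36000, 87));
    return 0;
}
```

With these constructed numbers the fixed delay fires roughly 0.4 degrees late, while the tooth-tracked event stays within a few thousandths of a degree, limited mainly by the simulation step.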
Currently, Life Racing's ECU is also being considered by manufacturers of commercial road vehicles. This control unit is highly flexible and is best suited for prototyping and development environments, where it can cope with a wide range of engine settings.
A final and growing risk for automotive semiconductor manufacturers is soft errors and firmware errors caused by high-energy neutrons. The trend toward deep submicron geometries is exacerbating the problem. When neutrons bombard an integrated circuit, most pass straight through, but occasionally a neutron disturbs a silicon atom or a dopant atom, changing the state of a memory cell or flip-flop. If the memory cell stores configuration information for the FPGA, the upset may cause internal contention in the device or a connected device, resulting in excessive current and damage to the device or system. In this way, soft errors become "firmware" errors and eventually "hardware" errors. At the very least, the FPGA programming changes, and the result may be a functional failure. This problem has already led manufacturers of telecommunications networks and other high-availability systems to set new component requirements that mandate immunity to soft errors. Research in this area is still ongoing. However, preliminary investigations indicate that flash- and antifuse-based FPGAs are immune to such errors, while SRAM-based devices face more severe problems.
FPGAs are gaining widespread acceptance and are being used in the design of next-generation automotive electronics. By gaining a deeper understanding of the unique capabilities of the various technologies during the FPGA selection process, automotive designers can benefit from the most promising technologies without compromising the industry's reputation for building highly reliable and cost-effective vehicles.