Special Requirements of Automotive Signal Processing
Twenty years ago, automobiles had very few electronic features. Today, nearly every vehicle relies on thousands of electronic components. Although annual growth in worldwide vehicle sales is relatively slow (roughly 3%), there is explosive growth in automotive electronics applications. By 2010, it is estimated that nearly 40% of a vehicle's total value will be attributed to its electronics (see Figure 1) and much of the electronics will be used for some form of signal processing.
The latest automobiles use a myriad of processors that implement signal-processing applications ranging from entertainment to safety-critical drive-by-wire systems. (For more on automotive signal processing application trends, see Signal Processing Hits the Road.) Automotive applications differ from those used in other types of signal-processing products, such as consumer electronics and telecommunications equipment, in important ways. In this article, we explore these distinguishing characteristics—reliability requirements, long product life cycles, and safety concerns—and their implications for the industry.
Reliability Requirements
A recent Consumer Reports article suggested that many reliability problems associated with current high-end cars from BMW, Mercedes, and others are due to the large number of complex electronic features in these vehicles and the increasing shift towards electronic control of mechanical systems. Indeed, there have been many recent high-profile examples of electronic system failures, such as an electronic transmission controller defect in some Jaguar models that prompted a recall of nearly 68,000 vehicles. This defect introduced the possibility of the electronic transmission controller inadvertently shifting into reverse if a major loss of transmission oil pressure was detected.
Reliability problems, whether as minor as a dashboard LED that doesn't work or as major as a malfunction of an anti-lock brake controller, can have a significant impact on consumer satisfaction and product safety. Even the most reliable vehicles have about a 10% chance of developing a problem within the first year, according to the 2003 Consumer Reports reliability survey. And according to the survey, electrical systems are one of the single largest contributors to problems in vehicles.
Naturally, auto manufacturers have a strong interest in maximizing reliability, and they place stringent reliability requirements on their suppliers. Electronic components are expected to operate reliably for the lifetime of the car—often fifteen years or more.
First and foremost, automakers specify a maximum acceptable initial defect rate for each component. This defect rate varies by application and component type, but is usually below 10 parts per million for semiconductors. In order to achieve such low defect rates, semiconductor manufacturers must focus on reliability in all aspects of their processes, from initial design to final product testing.
To create a reliable automotive-qualified component, designers must consider the harsh environment associated with automotive applications, such as wide temperature ranges and significant vibration. As illustrated in Table 1, automotive-grade chips must usually be able to withstand temperatures ranging from -40C to well over +125C. As a result, most high-speed chip fabrication processes and high-speed transistor libraries cannot be used because they will not operate at such extreme temperatures. Instead, very conservative fabrication technologies and transistor designs are usually employed. The resulting chips are, of course, slower than similar parts used for non-automotive applications.
Vibration requirements prevent the use of certain packaging technologies—such as stacked dies (two chips placed on top of each other in the same package)—because their reliability cannot be guaranteed if there is significant vibration.
Automotive semiconductors must also employ redundancy so that extraordinary events, such as random bit errors due to alpha particle radiation, do not result in critical system failures.
The Automotive Electronics Council (AEC) standardizes reliability and testing procedures for semiconductors and other components used by General Motors, Ford, and DaimlerChrysler. One such qualification procedure is AEC-Q100, which specifies stress-test requirements for integrated circuits. In order to be AEC-Q100 qualified, an integrated circuit must pass tests covering operating temperature requirements, electromagnetic compatibility requirements, early life failure rates, and write/erase endurance tests (if the part includes non-volatile memory). The tests even include wire-bond shear tests that determine the strength of the interface between the die and the package surface. The qualification procedure spells out how each test should be performed.
Software Reliability and Testing
Of course, a processor-based system is only as reliable as the software it runs. The software found in critical automotive systems is different from other types of software in several respects. For example, unlike typical software written for desktop PCs, automotive software is often responsible for systems that affect passenger safety. It’s not acceptable for vehicle manufacturers to simply issue a software “patch” for millions of cars as problems are discovered—cars must be safe and reliable right from the start. The number of software bugs tends to grow dramatically with increasing code size, which naturally occurs as more features are added. As an indicator of the software complexity and verification problem facing automobile makers, Figure 2 shows the typical number of microcontrollers found in low-end, mid-range, and luxury vehicles. Many of these components interact with each other, significantly complicating the software testing process
The importance of reliability demands significant discipline in the software design and review process in order to make verification tractable. Software architects must be able to build an accurate model of the system in order to help ensure that it will behave properly in a wide variety of scenarios.
A model attempts to describe the mathematical, functional, or behavioral properties of a system so that its performance in a variety of scenarios can be evaluated. It is an essential tool in developing and testing automotive systems, but it is not perfect. Even if the model is extremely accurate, it is impossible to exhaustively test every scenario that the system might encounter. Some scenarios are simply too unusual to be predicted, and some cannot be detected by the sensors.
Once a model has been developed, a computer-based simulator is often created to verify the model. Such simulators must be very fast because, typically, many tests must be performed. Due to the complexity of models and the safety-critical nature of automotive applications, the development process for automotive software places extreme demands on the quality and richness of development tools.
Long Product Life Cycles
An automaker needs to be sure that parts will available for the lifetime of a given model. It can take as long as five years to develop a new car, and the car might be in production for five to ten years. This product life cycle is much longer than for other chip markets such as consumer electronics and PCs. As a result, when a semiconductor manufacturer sells chips to an automaker, the manufacturer must typically commit to producing the part for 15 years or more. The semiconductor manufacturer must also provide pricing projections for many years into the future. And automakers need to know that the associated software development tools will be supported for the lifetime of their product.From the point of view of the semiconductor vendor, these long life cycles complicate the production of automotive-grade parts. For example, automotive IC manufacturers typically do not upgrade the fabrication process used to produce an automotive-grade IC. In order to upgrade to a new fabrication process, the IC would have to be re-certified, a potentially long and complicated process. As a result, automotive IC manufacturers must maintain facilities that use much older fabrication processes even if the rest of their business uses the latest fabrication processes.
Safety and Liability Concerns
Product safety is a critical aspect of vehicle design. An automobile has several safety-critical systems, and these systems are increasingly electronically controlled. In order to increase the safety of these systems, redundancy is often employed at multiple levels. For example, an antilock braking system often has two separate processors running the same software in parallel. In order to activate the antilock brakes, the two processors must agree on the sensor input data and on the desired action. This “agreement principle” is applied in many safety-critical control systems.For obvious reasons, liability is also a key concern for automakers. This is particularly true in the United States, which has very high litigation rates. The issue is so worrisome that some automakers prefer to deploy new systems in Europe and Japan first. Automakers are under pressure to document every action and decision. They must be able to trace where every part comes from—down to the batch in which it was produced—so that they can track down quality issues and identify which cars on the road might be affected. This increases costs not just for the automakers, but for the chip makers as well.
Add new comment