Search Results

Viewing 1 to 17 of 17
Technical Paper

Routing Methods Considering Security and Real-Time of Vehicle Gateway System

2020-04-14
2020-01-1294
Recently, vehicle networks have increased in complexity due to the demand for autonomous driving or connected devices. This increasing complexity requires high bandwidth. As a result, vehicle manufacturers have begun using Ethernet-based communication for high-speed links. In order to deal with the heterogeneity of such networks, where legacy automotive buses have to coexist with high-speed Ethernet links, vehicle manufacturers introduced a vehicle gateway system. The system uses Ethernet as a backbone between domain controllers and CAN buses for communication between internal controllers. As a central point in the vehicle, the gateway is constantly exchanging vehicle data in a heterogeneous communication environment between the existing CAN and Ethernet networks. In an in-vehicle network context where the communications are strictly time-constrained, it is necessary to measure the delay for such a routing task.
Technical Paper

Diagnostic and Control Systems for Automotive Power Electronics

2001-03-05
2001-01-0075
The recent improvements in automotive electronics have had a tremendous impact on safety, comfort and emissions. But the continuous increase of the volume of electronic equipment in cars (representing more than 25% of purchasing volume) as well as the increasing system complexity represent a new challenge to quality, post-sales customer support and maintenance. Identifying a fault in a complex network of ECUs, where the different functions are getting more and more intricate, is not an easy task. It can be shown that with the levels of reliability common in 1980, an upper-range automobile of today could never function fault-free. On-Board-Diagnostics (OBD) concepts are emerging to assist the maintenance personnel in localizing the source of a problem with high accuracy, reducing the vehicle repair time, repair costs and costs of warranty claims.
Technical Paper

System-Level Partitioning Using Mission-Level Design Tool for Electronic Valve Application

2003-03-03
2003-01-0865
In defining innovative and cost-effective chip sets for future automotive applications, system architects need high-level tools that allow them to rapidly determine the best silicon partitioning for a given application in terms of system performance as well as cost. The tool needs to be flexible, modular, and swift such that the system designer can perform abstract simulation iterations quickly for various functional partitioning scenarios, without requiring excessive computer resources. The tool must also be portable and adaptable to provide a simulation environment suitable to systems- or car-manufacturers for in-depth applications simulation and architecture assessment. The semiconductor component definition process using such a “mission-level” design tool for the automotive application electronic valve will be demonstrated. Methods for the analysis of electronic valve control system architectures using mission-level simulation will be developed.
Technical Paper

Cyber Security in the Automotive Domain – An Overview

2017-03-28
2017-01-1652
Driven by the growing internet and remote connectivity of automobiles, combined with the emerging trend to automated driving, the importance of security for automotive systems is massively increasing. Although cyber security is a common part of daily routines in the traditional IT domain, necessary security mechanisms are not yet widely applied in the vehicles. At first glance, this may not appear to be a problem as there are lots of solutions from other domains, which potentially could be re-used. But substantial differences compared to an automotive environment have to be taken into account, drastically reducing the possibilities for simple reuse. Our contribution is to address automotive electronics engineers who are confronted with security requirements. Therefore, it will firstly provide some basic knowledge about IT security and subsequently present a selection of automotive specific security use cases.
Technical Paper

Timing Analysis and Tracing Concepts for ECU Development

2014-04-01
2014-01-0190
Integration scenarios for ECU software become more complicated, as more constraints with regards to timing, safety and security need to be considered. Multi-core microcontrollers offer even more hardware potential for integration scenarios. To tackle the complexity, more and more model based approaches are used. Understanding the interaction between the different software components, not only from a functional but also from a timing view, is a key success factor for high integration scenarios. In particular for multi-core systems, an amazing amount of timing data can be generated. Usually a multi-core system handles more software functionality than a single-core system. Furthermore, there may be timing interference on the multicore systems, due to the shared usage of buses, memory banks or other hardware resources.
Technical Paper

Spontaneous Transistor Failures in Automotive Power Electronics

2014-04-01
2014-01-0228
The amount of electronics in vehicles is increasing, and so is the amount of power electronics circuits, like inverters for electric motor drives or dc/dc converters. The muscles of these circuits are power transistors like MOSFETs and IGBTs - in each circuit are several of them. While MOSFETs and IGBTs have advanced over the years in terms of their performance, their wide product spectrum and feature spectrum as well as cost, they are still not unbreakable, but semiconductors which are more sensitive to electrical or thermal overstress than a relay, for instance. Especially electrical overstress, like overvoltage or overcurrent, may damage a power transistor within a short time frame. Hence, electrical overstress must be avoided when designing the power electronics circuit. However, even a power transistor in a carefully designed power electronics circuit may still be exposed to overcurrent, short circuit, overvoltage, overtemperature and so forth.
Technical Paper

Extended Qualification of Power MOSFET to Fulfill Today's Requirements of Automotive Applications

2006-04-03
2006-01-0592
This paper focuses on the requirements of electronic systems in automotive applications in terms of reliability and quality. As one of the most common devices in such applications for switching electronic loads, the power MOSFET, is investigated in detail. Today's qualification procedure for discrete devices according to AEC Q101 [1] will be explained and how this correlates to the stress of the device in the application. It will be pointed out what additional tests for “extended qualification” should be made to deal with critical failure modes reducing overly conservative safety margins and preventing excessive costs on the component side. The tests will be explained and the results presented.
Technical Paper

Virtual Prototypes as Part of the Design Flow of Highly Complex ECUs

2005-04-11
2005-01-1342
Automotive powertrain and safety systems under design today are highly complex, incorporating more than one CPU core, running with more than 100 MHz and consisting of several 10 million transistors. Software complexity increases similarly making new methodologies and tools mandatory to manage the overall system. The use of accurate virtual prototypes improves the quality of systems with respect to system architecture design and software development. This approach is demonstrated with the example of the PCP/GPTA subsystem for Infineon's AUDO-NG powertrain controllers.
Technical Paper

MultiCore Benefits & Challenges for Automotive Applications

2008-04-14
2008-01-0989
This paper will give an overview of multicore in automotive applications, covering the trends, benefits, challenges, and implementation scenarios. The automotive silicon industry has been building multicore and multiprocessor systems for a long time. The reasons for this choice have been: increased performance, safety redundancy, increased I/O & peripheral, access to multiple architectures (performance type e.g. DSP) and technologies. In the past, multiprocessors have been mainly considered as multi-die, multi-package with simple interconnection such as serial or parallel busses with possible shared memories. The new challenge is to implement a multicore, micro-processor that combines two or more independent processors into a single package, often a single integrated circuit (IC). The multicores allow a computing device to exhibit some form of thread-level parallelism (TLP).
Technical Paper

Non-Intrusive Tracing at First Instruction

2015-04-14
2015-01-0176
In recent years, we see more and more ECUs integrating a huge number of application software components. This process mostly results from the increasing amount of so called in-house software in various fields like electric-drive, chassis and driver assistance systems. The software development for these systems is partially moved from the supplier to the car manufacturers. Another important trend is the introduction of new network architectures intending to meet the growing communication requirements. For such ECUs the software integration scenarios become more complicated, as more quality of service requirements with regards to timing, safety and security need to be considered [2]. Multi-core microcontrollers offer even more potential variants for integration scenarios. Understanding the interaction between the different software components, not only from a functional, but also from a timing view, is a key success factor for modern electronic systems [6,7,8,9].
Technical Paper

Implementing Mixed Criticality Software Integration on Multicore - A Cost Model and the Lessons Learned

2015-04-14
2015-01-0266
The German funded project ARAMiS included work on several demonstrators one of which was a multicore approach on large scale software integration (LSSI) for the automotive domain. Here BMW and Audi intentionally implemented two different integration platforms to gain both experience and real life data on a Hypervisor based concept on one side as well as using only native AUTOSAR-based methods on the other side for later comparison. The idea was to obtain figures on the added overhead both for multicore as well as safety, based on practical work and close-to-production implementations. During implementation and evaluation on one hand there were a lot of valuable lessons learned about multicore in conjunction with safety. On the other hand valuable information was gathered to make it finally possible to set up a cost model for estimation of potential overhead generated by different integration approaches for safety related software functions.
Technical Paper

Analysis of Field-Stressed Power Inverter Modules from Electrified Vehicles

2015-04-14
2015-01-0421
This paper presents a reliability study of a directly cooled IGBT module after a test drive of 85,000 km in a fuel cell electric vehicle, as well as of an indirectly cooled IGBT module after a test drive of 200,000 km in a hybrid car on public roads. At the end of the test drive, the inverter units were disassembled and analyzed with regard to the lifetime consumption. First, electrical measurements were carried out and the results were compared with the ones obtained directly after module production (End of Line test). After that, ultrasonic microscopy was performed in order to investigate any delamination in the solder layers. As a third step, an optical inspection was performed to monitor damages in the housing, formation of cracks or degradation of wire bonds. The results show none of the depicted failure modes could be found on the tested power modules after the field test. Obviously, no significant life time consumption could be observed.
Technical Paper

Future of Automotive Embedded Hardware Trust Anchors (AEHTA)

2022-03-29
2022-01-0122
The current automotive electronic and electrical (EE) architecture has reached a scalability limit and in order to adapt to the new and upcoming requirements, novel automotive EE architectures are currently being investigated to support: a) an Ethernet backbone, b) consolidation of hardware capabilities leading to a centralized architecture from an existing distributed architecture, c) optimization of wiring to reduce cost, and d) adaptation of service-oriented software architectures. These requirements lead to the development of Zonal EE architectures as a possible solution that require appropriate adaptation of used security mechanisms and the corresponding utilized hardware trust anchors. The current architecture approaches (ECU internal and in-vehicle networking) are being pushed to their limits; simultaneously, the current embedded security solutions also seem to reveal their limitations due to an increase in connectivity.
Technical Paper

From Natural Language to Semi-Formal Notation Requirements for Automotive Safety

2015-04-14
2015-01-0265
The standard ISO 26262 stipulates a “top-down” approach based on the process “V” model, by conducting a hazard analysis and risk assessment to determine the safety goals, and subsequently derives the safety requirements down to the appropriate element level. The specification of safety goals is targeted towards identified hazardous events, whereas the classification of safety requirements does not always turn out non-ambiguous. While requirement formalization turns out to be advantageous, the translation from natural language to semi-formal requirements, especially in context of ISO 26262, poses a problem. In this publication, a new approach for the formalization of safety requirements is introduced, targeting the demands of safety standard ISO 26262. Its part 8, clause 6 (“Specification and management of safety requirements”) has no dedicated work product to accomplish this challenging task.
Journal Article

Calculation of Failure Detection Probability on Safety Mechanisms of Correlated Sensor Signals According to ISO 26262

2017-03-28
2017-01-0015
Functionally safe products conforming to the ISO 26262 standard are becoming more important for automotive applications in which electronics take on more and more responsibility for safety-relevant operations. Consequently, safety mechanisms are needed and implemented in order to reach defined functional safety targets. Diagnostic coverage provides a measurable quantity to prove their effectiveness. A straightforward safety mechanism for sensor systems can be established by redundant signal paths measuring the same physical quantity and subsequently performing an independent output difference-check that decides if the data can be transmitted or an error message shall be sent. This paper focuses on the diagnostic coverage figure calculation of such data correlation-checks for linear sensors, which are also shown in ISO 26262 part 5:2011 ANNEX D2.10.2.
Technical Paper

Cybersecurity in the Context of Fail-Operational Systems

2024-04-09
2024-01-2808
The development of highly automated driving functions (AD) has recently raised the demand for so-called Fail-Operational systems for native driving functions like steering and braking of vehicles. Fail-Operational systems shall guarantee the availability of driving functions even in the presence of failures. This can also mean a degradation of system performance or limiting a system’s remaining operating period. In either case, the goal is independence from a human driver as a permanently situation-aware safety fallback solution to provide a certain level of autonomy. In parallel, the connectivity of modern vehicles is increasing rapidly and especially in vehicles with highly automated functions, there is a high demand for connected functions, Infotainment (web conference, Internet, Shopping) and Entertainment (Streaming, Gaming) to entertain the passengers, who should no longer be occupied with driving tasks.