A company operating worldwide as a full-service supplier of chassis, powertrain, and body-in-white products is a partner to the world's biggest automobile manufacturers. It has recently expanded its portfolio to include electronic solutions. One of the first projects involved the development of an electronic parking brake.
This falls into the highest risk and safety category known as ASIL D. That's because if the brake ever malfunctioned or failed, it could be activated while a vehicle was traveling at top speed - with all the imaginable consequences. As such, it is subject to the highest safety standards, which also significantly influence the choice of components. This especially applies to the microcontroller.
What does ASIL mean?
The ISO 26262 standard details the path toward functionally safe electronic and electrical systems in vehicles. There are different categories of ASIL (Automotive Safety Integrity Level), depending on the level of functional safety.
Every potential hazard is classified into a safety level ranging from QM (not relevant to safety) through ASIL A to ASIL D. The classification is based on:
- The severity of the consequences
- The controllability of the malfunction
- The frequency of exposure to the situation
The standard recommends various measures for developing the systems, depending on the ASIL.
Microcontrollers with safety features
Several manufacturers supply microcontrollers for safety-critical applications. Among the best in class is the AURIX™ family from Infineon, which is also designed to cope with the tough conditions of the automotive environment. The first generation is manufactured in 65 nm technology; the second generation - the TC3xx™ series - is currently in the development phase.
The AURIX microcontrollers have been developed as a Safety Element out of Context (SEooC), which means that they can be integrated into a complete safety-relevant system. This is made possible by various internal safety features implemented in hardware, including:
- Dual CPU core in lockstep
- Clock monitoring
- Internal monitoring of the core voltage
- SRAM error correction code (ECC)
- Flash ECC
- Built-in self-test (BIST)
These functions are also tested by the SafeTLib self-test library.
Hardware security module for protection against manipulation
The AURIX microcontroller also features a hardware security module (HSM) that protects the control units' firmware from malicious manipulation. This is critical to the security of the entire system, because control units are generally networked and the firmware can be updated externally via interfaces. These interfaces can also be used for manipulation purposes if they are insufficiently protected. At the same time, the software is an integral part of the functional safety of the entire system. The HSM on the AURIX meets the requirements of the medium version of EVITA (E-safety Vehicle Intrusion proTected Applications); the second AURIX generation even complies with the requirements of the full version of EVITA.
However, a secure component still doesn't make a secure unit!
The AURIX is therefore paired with a safety companion IC, Infineon's TLF35584, which provides:
- Voltage regulator for supply voltages
- Window watchdog
- Functional (question/answer, Q/A) watchdog acting as the level-3 monitoring module of a multilayer monitoring concept. The Q/A watchdog includes a safe state controller whose outputs can switch safety circuits via external MOSFETs.
The AURIX/TLF35584 pairing is built into Infineon's KIT_AURIX_TC234 development kit so that customers are able to evaluate them.
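The window and Q/A watchdog behaviour described above, as an added, constructed model (not Infineon's code and not the TLF35584 register protocol): the companion only accepts a service that lands inside the time window and carries the correct answer to its current question; each bad service raises an error counter, and once the counter reaches its limit the safe state controller latches its enable outputs off so the external MOSFETs cut the actuator. Window limits, the question/answer rule and the error limit are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of a safety companion's window + Q/A watchdog with safe
 * state control. Timing, the answer rule and ERR_LIMIT are assumptions, not
 * the TLF35584's actual protocol. Ticks are arbitrary (e.g. 1 ms). */
#define WD_OPEN   40u  /* window opens this many ticks after the last service */
#define WD_CLOSE  60u  /* window closes here; anything later is too late */
#define ERR_LIMIT 3u   /* error counter value that triggers the safe state */

typedef enum { WD_OK, WD_TOO_EARLY, WD_TOO_LATE, WD_BAD_ANSWER } wd_result_t;

typedef struct {
    uint32_t last_service; /* tick of the last service; every service restarts the window */
    uint8_t  question;     /* current Q/A challenge, 0..15 */
    uint8_t  err_count;    /* +1 per bad service, -1 per good one, saturating */
    bool     safe_state;   /* latched: enable outputs dropped until a reset */
} companion_t;

/* Shared question->answer rule (assumed); MCU and companion compute it independently. */
uint8_t qa_answer(uint8_t q) { return (uint8_t)((q * 7u + 3u) & 0x0Fu); }

void companion_init(companion_t *c) {
    c->last_service = 0; c->question = 5; c->err_count = 0; c->safe_state = false;
}

uint8_t companion_question(const companion_t *c) { return c->question; }

/* True while the safe state controller lets the external MOSFETs drive the actuator. */
bool companion_outputs_enabled(const companion_t *c) { return !c->safe_state; }

/* The MCU services the watchdog at tick `now` with its answer to the current question. */
wd_result_t companion_service(companion_t *c, uint32_t now, uint8_t answer) {
    uint32_t dt = now - c->last_service;
    wd_result_t r = WD_OK;
    if (dt < WD_OPEN)                          r = WD_TOO_EARLY;
    else if (dt > WD_CLOSE)                    r = WD_TOO_LATE;
    else if (answer != qa_answer(c->question)) r = WD_BAD_ANSWER;

    if (r == WD_OK) { if (c->err_count > 0) c->err_count--; }
    else if (c->err_count < ERR_LIMIT) c->err_count++;

    c->last_service = now;                                /* window restarts on any service */
    c->question = (uint8_t)((c->question + 1u) & 0x0Fu);  /* fresh challenge each round */
    if (c->err_count >= ERR_LIMIT) c->safe_state = true;  /* latches: good services later do not re-enable */
    return r;
}
```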
Sample solution from the manufacturer
Infineon has already published a solution proposal with the key components for the kind of electronic parking brake developed in cooperation with Rutronik's Automotive Business Unit (see Figure 1). This includes:
- The AURIX microcontroller
- The Safety Companion IC
- Bus transceivers for CAN or LIN
- Half-bridge drivers for controlling the DC motor
- Hall sensors for identifying the status of the brake
- A MOSFET as reverse polarity protection at the power output stage
Support for all customers
32-bit microcontrollers like the AURIX are already highly complex in their design and in the way they work. When requirements such as an ISO 26262-compliant development process or the design of a functionally safe overall system also have to be taken into account, small and medium-sized companies in particular face big challenges if they lack the corresponding capacity. They receive hardly any support from most microcontroller manufacturers, because those manufacturers tend to concentrate on projects for their major customers.
That is why Infineon has developed a concept that also provides support for these smaller companies: Preferred Design Houses (PDHs) offer all customers technical support for projects using AURIX. You can find a list of the PDHs at www.infineon.com/pdh.
The project also demonstrates that a distributor can do considerably more than its classic role as an intermediary between Tier 1 or Tier 2 suppliers and the component manufacturers allows. To do so, however, it must not only have long-standing experience and comprehensive expertise in electronic components and technologies, but also be familiar with the particular characteristics of the automotive market.
The Automotive Business Unit (ABU) at Rutronik has been working closely with service providers, EMS (Electronics Manufacturing Services) companies, and selected leading semiconductor manufacturers for some years now. Its role here is not just that of the classic distributor, but above all that of a consulting partner. When a company starts its own electronics development program, the value of selecting the right engineering service provider and EMS can hardly be overestimated, and a competent partner is especially important.
Find your components at www.rutronik24.com.