There's a rising share of electronics in a car, ranging from infotainment, body and engine controls to advanced driver-assistance modules. Today, premium vehicles have up to 70 MCUs (microcontroller units), interconnected by multiple system buses and exchanging thousands of signals between themselves. To put that in business perspective, analysts estimate annual revenue from autonomous chips to grow from $11 billion (in 2019) to $29 billion in 2030, representing a revenue of $350 per vehicle by 2030.
The increasing electronics in vehicles enables performance enhancement, better safety and security, along with other value-added features. With the increased complexity of electronic components, including cameras, radars, sensors etc., it is important to put adequate emphasis on their reliability. A single malfunction of an electronic component can lead to a life-threatening situation.
Semiconductor companies supplying the electronic components subject them to rigorous testing for any functional or manufacturing defects.
Device testing is a well-established process that requires specific design activity in order to insert proper test infrastructure in the die, with the help of dedicated EDA software. It is categorized as Design for Test (DFT), or more generally as DFx, to include other manufacturability, reliability and yield aspects. However, automotive microcontroller units (MCUs) pose additional challenges and constraints on the testing mechanism, compared to the communication, networking or entertainment domains.
In this article we provide an overview of these unique challenges and the testing solutions deployed.
Automotive Testing Challenges Overview
- Mission critical application
An automotive unit is a life-sensitive application, both for people inside as well as outside the vehicle, thus there is no room for error. We can very well imagine the impact if the air bags don't get deployed at the right time! The level of acceptable defects is expressed by DPPM (Defective Parts Per Million) and Automotive Safety Integrity Levels (ASIL) defined under ISO 26262. While for a consumer grade device a DPPM number of ~300 may be acceptable, for automotive it has to be close to zero!
Thus an automotive MCU requires very high test coverage, and it is common practice to test almost all design nodes through structural stuck-at (SA) and transition delay (TD) tests. The requirements are slightly relaxed for typical consumer grade devices. It is worth mentioning here that gaining just the last 0.1% coverage takes significant design effort and a whopping number of test patterns, thus adding to the test time and test cost. Also, in order to cover all types of possible defects in automotive devices, new fault models are continuously explored and added to the test suites, e.g. cell-aware, bridging and small-delay-defect tests.
In addition to the factory testing, the devices are typically screened for any defects that may have crept in during the operating lifecycle. Critical logic and memories are fitted with a self-test capability using LBIST and MBIST respectively, which gets triggered at device boot, shutdown or at regular intervals. The results are monitored by application software and any issue gets raised as an appropriate alarm in the system.
Self-test, however, brings its own design overheads: isolating the test logic from external interference to ensure that the functionality is not disturbed, preventing unknown states (X-sources) to avoid corruption of signatures, and using test points to increase the controllability and observability of the design.
The primary aim of any self-test technique is to detect in-field failures, hence the execution time requirement for such techniques is very stringent. Any fault has to be detected within a specified time called the DTI (Diagnostic Test Interval), otherwise it could prove to be catastrophic for the entire system. This makes self-test implementation like LBIST an uphill task. Due to the random nature of the Logic Built-In Self-Test (LBIST) patterns, generated by an on-chip PRPG (Pseudo Random Pattern Generator), it is often very challenging to get the required fault coverage in the allotted time. This demands huge test point insertion in the design to improve the controllability and observability for random-resistant and hard-to-detect faults. While this step has been optional for normal ATPG testing, it is an absolute essential for LBIST. Test points are inserted for hard-to-detect faults, which usually happen to be in logic with deep combinational depths and hence on timing-critical paths, which poses its own challenges during the backend implementation.
Fig. 2 shows the rigorous exercise done to reach the desired run times for LBIST in two critical IPs for an ST automotive chip. IP1 is a complex design with very high combinational depths. Several iterations with the CAD vendor to enhance the test point insertion algorithms resulted in achieving the required test time and coverage goal. However, a few designs like IP2, which achieved the test time goal with the enhanced test point insertion flow, saw an adverse effect on timing, as many control points were added on the critical functional paths. Thus, providing a self-test feature in automotive chips is a very iterative and engaging process, with many conflicting requirements for the DFT engineers.
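An added illustration, not from the original article or from ST: a toy LBIST fault simulation showing why a random-resistant fault is almost never hit by PRPG patterns and how a control test point changes the detection count. The LFSR polynomial, the two 8-input AND cones and the stuck-at-0 fault site are constructed assumptions.

```python
# Toy LBIST fault simulation (constructed example, not from the article).

def prpg(seed=0xACE1):
    """PRPG modelled as a 16-bit maximal-length Fibonacci LFSR
    (x^16 + x^14 + x^13 + x^11 + 1, period 65535). Assumed polynomial."""
    state = seed & 0xFFFF
    while True:
        yield state
        bit = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
        state = (state >> 1) | (bit << 15)

def cone(pattern, g1_stuck_at_0=False, control_point=False):
    """Constructed logic cone: out = AND(in[0..7]) & AND(in[8..15])."""
    g1 = int((pattern & 0x00FF) == 0x00FF)
    g2 = int((pattern & 0xFF00) == 0xFF00)
    if g1_stuck_at_0:      # fault under test: output of g1 stuck-at-0
        g1 = 0
    if control_point:      # test-mode OR gate forces the side input g2 to 1
        g2 = 1
    return g1 & g2

def simulate(n_patterns, control_point=False, seed=0xACE1):
    """Return (number of detecting patterns, index of first detection or None).
    A pattern detects the fault when good and faulty responses differ."""
    hits, first = 0, None
    gen = prpg(seed)
    for i in range(n_patterns):
        p = next(gen)
        if cone(p, False, control_point) != cone(p, True, control_point):
            hits += 1
            if first is None:
                first = i
    return hits, first

if __name__ == "__main__":
    period = 65535  # every non-zero 16-bit state appears exactly once
    for cp in (False, True):
        hits, first = simulate(period, control_point=cp)
        print(f"control_point={cp}: {hits} of {period} patterns detect the "
              f"fault, first at pattern index {first}")
```

Over one full LFSR period a single pattern exposes the fault without the test point, against 256 with it. In a real design that extra gate sits in a functional path, which is the timing cost described for IP2.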
- Wide environment range, -40 to +150C temp
A car is expected to work seamlessly when driving from snow-laden mountains right into the scorching desert or into humid rain-forests. This puts a lot of pressure on signing off the device across temperature extremes. The testing also needs to cover these extreme corner conditions yet maintain high production yields. Automotive qualification includes testing the systems at locations with extreme and adverse conditions, like Finland in winter or Morocco in summer, to validate the operating range.
Automotive DFT architecture is designed to handle die-to-die and on-chip variance resulting from manufacturing process parameter variations, in addition to the extreme temperature range. The resultant impact on setup and hold timings on design paths, during the shift as well as the capture phase of scan-based testing, is handled through dedicated and robust design structures. This is typically not a necessity for consumer grade products, where the ambient temperature range is roughly 0 to 85C.
The library characterization, analog models and design sign-off also need to cater to these increased variations and additional margins. This is further aggravated by device ageing. For instance, Fig 3 depicts how delays get impacted due to variations across PVT (Process, Voltage, Temperature) and ageing. At the extreme left of the figure is the reference delay with normal (typical) parameters, and subsequent curves show how the delays get skewed with changing parameters.
Device qualification involves samples that are specially manufactured at different process corners (called matrix-lots) and then tested at every supply-temperature condition. Special circuits, e.g. on-chip process monitors, are added on each unit to identify the device behavior and to tune (or trim) regulators, oscillators and other critical components accordingly. The data is collected over a large number of samples to identify any process drift and to fine-tune the manufacturing, as needed. Scan techniques and yield analyzers are leveraged heavily to extract, diagnose and process such data.
- Extended Lifetime – 15yrs
An MCU in the car is required to serve for the entire operating life of the car, typically 10-15yrs, without needing any service or replacement. Fig 4 shows the typical failure rate change over time. The device qualification needs to account for ageing, long-term reliability and early failure detection.
Every automotive unit is run through stress tests (BurnIN, HVST, VLV etc.), unlike many consumer applications where only a few sample units are subject to stress tests. The goal of stress tests is to push any weak component to fail upfront, rather than fail in the field.
Some of the ageing manifestations are NBTI (Negative-bias temperature instability), Hot Carrier Injection (HCI) and Time-Dependent Dielectric Breakdown (TDDB) effects. These are typically screened through HTOL (High Temperature Operating Life) stress and additional Vmin/Vmax margins during test. For brevity's sake, we will skip delving into the details. However, these tests further push the design and test limits. For example, when testing at a Vmin of 0.9V, while also accounting for tester-equipment uncertainties and on-chip voltage drop, the end nodes of a path may ultimately get a voltage below the sign-off Vmin. Couple this with PVT parameters and we may be headed towards throwing away some otherwise good devices (yield impact). We typically add sign-off guard-bands and additional robustness on scan structures, especially on hold-sensitive shift paths, to avoid such losses.
Silicon Lifecycle Management (SLM) is another emerging paradigm, aiming to keep the device reliably available throughout the operating lifecycle. SLM leverages test infrastructure, in addition to other sensors like in-situ monitors, to detect and manage issues while in-field. The presence of these additional structures adds to test overheads and requires a unique solution at each layer. For example, in-situ cells are customized to fully scan-test the monitoring sites, in addition to the functional nodes.
Needless to reiterate, most consumer applications are exempt from such rigorous tests.
- Standby operation
Certain sensors and control domains remain powered up throughout, even when the ignition is off.
These devices draw power from the battery in the car and hence are required to keep the power consumption to a bare minimum. We would surely be upset to see the battery all drained and unable to self-start after parking the car for two weeks in the garage!
Many automotive devices, especially body applications, are designed with multiple power-domain islands, which often have independent voltage levels as well.
The test architecture is designed to handle the isolation tests, power controllers, standby operation etc. Multiple supplies also need attention during low-pin-contact testing.
Networking, server and gaming applications remain powered from an electrical power source, hence do not require such low-power design.
- Security and safety hardening of test logic
Test logic has been demonstrated as a useful tool for adversaries to extract device secrets. A car in the field contains many secret keys and codes, from the chip manufacturer, OEMs, the user as well as 3rd party vendors. Access to these assets, if misused, imposes financial losses as well as risk on the roads (both for the user as well as people around the car). A device may contain sensitive data from the user, chip vendor as well as 3rd party solution providers. Hacking or manipulating a rented car could put the next user at risk or at ransom!
Structural logic, like scan chains, has been shown to be an easy tool to read out device secrets. Thus it is essential that test logic is robustly disabled and cannot be used to launch an attack or read any device secrets, even under diagnostic or fail-return scenarios.
At the same time, test logic can also be leveraged to identify any malicious logic or Trojans on the device, inserted during the design or manufacturing process.
In addition to security, test signals also need to be safety compliant. Any soft error (SET/SEU) in test logic cannot be allowed to impact the device functionality and put it into an undesirable state. Various obfuscation techniques as well as redundancy logic (e.g. Triple Modular Redundancy) are placed on the test logic and enablement paths to cater to security and safety requirements.
- Volume economics
Automotive qualification and certification is a long, rigorous and expensive process. So a device, once qualified, is used for several years before being upgraded to a new version. Car manufacturers deploy a single qualified product across multiple models for many years. Automotive chip vendors need to sustain their design, fabrication and testing facilities over a long period for a single product. All facilities need to consistently perform at the same parameters on which the device was qualified, without any deviations, thus adding to the maintenance costs.
This places automotive MCUs in a high-volume, low-margin bracket compared to consumer markets. So much so that 'automotive grade' devices are sometimes referred to as 'military-spec products at consumer prices'.
The resulting revenue pressure pushes higher multisite and low-cost-tester solutions, thus adding further complexity to the test architecture and execution.
We discussed some of the unique needs and challenges faced by automotive chips and the associated complexities while testing these devices. The testing community has put specific architectures and techniques in place, which are constantly evolving, in order to ensure a safe, secure and reliable drive on the roads. It certainly impacts the device and cycle-time costs, but as someone said – if you find testing expensive, try without it!
Authored Article by: Sandeep Jain & Shalini Pathak, STMicroelectronics