Introduction

There’s a rising share of electronics in a automobile, starting from infotainment, physique and engine controls to superior driver-assistance modules. At this time, premier automobiles have as much as 70 MCUs (Microcontroller Management Items), interconnected by a number of system buses and change hundreds of alerts between themselves. To place that in enterprise perspective, analysts estimate autonomous chips annual income to develop from $11 billion (in 2019) to $29 billion in 2030, representing a income of $350 per automobile by 2030 [1]

The rising electronics in automobiles allows efficiency enhancement, higher security, safety together with different value-added options. With elevated complexity of electronics parts together with cameras, radars, sensors and many others, you will need to put ample emphasis on their reliability. A single malfunction of an digital element can result in a life-threatening scenario.

Semiconductor firms supplying the digital parts topic them to rigorous testing for any purposeful or manufacturing defects.

Machine testing is a well-established course of, that requires particular design exercise to be able to insert correct take a look at infrastructure within the die, with assist of devoted EDA software program. It Is categorized as Design for Take a look at (DFT) or extra typically as DFx, to incorporate different manufacturability, reliability and yield features. Nevertheless, automotive microcontroller unit (MCU) pose further challenges and constrains on the testing mechanism, in comparison with communication, networking or leisure domains.

On this article we offer an summary of those distinctive challenges and testing options deployed.

Automotive Testing Challenges Overview

1. Mission important software

Automotive unit is a life-sensitive software, each for folks inside in addition to exterior the automobile, thus there isn’t any room for an error. We are able to very effectively think about the influence, if the air baggage don’t get deployed on the proper time! The extent of acceptable defects is expressed by DPPM (Faulty Elements Per Million) and Automotive Security Integrity Ranges (ASIL) outlined beneath ISO 26262. Whereas for a client grade machine, a DPPM variety of ~300 could also be acceptable, for automotive it must be near zero !

Thus automotive MCU requires a really excessive test-coverage and it is not uncommon follow to check nearly all design nodes via structural stuck-at (SA) and transition delay(TD) checks. The necessities are barely relaxed for typical client grade units. It’s value mentioning right here that gaining simply the final 0.1% protection, takes important design efforts and a whopping variety of take a look at patterns, thus including to the take a look at time and take a look at value. Additionally, to be able to cowl all sorts of doable defects in automotive units, new fault fashions are repeatedly explored and added to the take a look at fits, eg, cell-aware, bridging and small-delay-defect checks.

Along with the manufacturing unit testing, the units are commonly screened for any defects which will have creeped-in through the working lifecycle. Crucial logic and recollections are fitted with a self-test functionality utilizing LBIST and MBIST respectively, that will get triggered at machine booting, shutdown or at common intervals. The outcomes are monitored by software software program and any problem will get raised as an acceptable alarm within the system.

Self-test, nonetheless, brings its personal design overheads when isolating the test-logic from exterior interferences to make sure that the performance just isn’t disturbed, prevention of unknown states (X-sources) to keep away from corruption of signatures and test-point utilization to extend the controllability and observability of the design.

Major goal of any self-test method is to detect in-field failures, therefore the execution time requirement for such methods might be very stringent. Any fault must be detected in a specified time known as DTI (Diagnostic Take a look at Interval) in any other case it could actually show to be catastrophic for the complete system. This makes self-test implementation like LBIST an uphill process. On account of random nature of Logic Constructed-In-Self-Take a look at (LBIST) engine, generated by on-chip PRPG (Psuedo Random Sample Generator), it’s typically very difficult to get the required fault protection within the allotted time. This calls for large take a look at level insertions within the design to enhance the controllability and observability for random resistant and onerous to detect faults. Whereas this step has been elective for regular ATPG testing, it’s an absolute important for LBIST. Testpoints are inserted for hard-to-detect faults, which often occur to be in logic with deep combo depths and therefore timing important paths, which pose its personal challenges through the backend implementation

Fig. 2 exhibits the rigorous train carried out to achieve the specified run occasions for LBIST in two important IPs for an ST automotive chip. IP1 is a posh design having very excessive combinational depths. A number of iterations with the CAD vendor to reinforce the take a look at level insertion algorithms resulted in reaching the required take a look at time and protection aim. Nevertheless, few designs like IP2 which achieved the take a look at time aim with enhanced take a look at level insertion stream, created adversarial impact on timing, as many management factors have been added on the important purposeful paths. Thus, offering self-test function in automotive chips might be very iterative and fascinating course of, with so many conflicting necessities for the DFT engineers.

2. Huge surroundings vary, -40 to +150C temp

A automobile is predicted to work seamlessly when driving from the snow-laden mountains proper into the scorching dessert or into the humid rain-forests. This places lots of stress when signing-off the machine throughout temperature extremes. The testing additionally must cowl these excessive nook circumstances but keep excessive production-yields. Automotive qualification contains testing the methods at places with excessive and opposed circumstances like Finland in Winter or Morocco in Summer time, and many others. to validate the working vary.

Automotive DFT structure is designed to deal with die-to-die and on-chip variance ensuing from manufacturing course of parameter variations, along with excessive temperature vary. The resultant influence to setup and maintain timings on design paths, throughout shift in addition to seize part of scan primarily based testing, are dealt with via devoted and strong design buildings. That is usually not a necessity for client grade merchandise the place the ambient temperature vary is roughly 0 to 85C.

The library characterization, analog fashions and design sign-off additionally have to cater to those elevated variations and extra margins. That is additional aggravated with machine growing old. As an illustration, Fig 3 depicts how delays get impacted as a consequence of variations throughout PVT (Course of, Voltage, Temperature) and ageing. Excessive left on the determine is the reference delay with regular (typical) parameters and subsequent curves present how the delays get skewed with altering parameters.

Machine qualification includes samples which can be particularly manufactured at totally different course of corners (known as matrix-lots) after which examined at each supply-temperature situation. Particular circuits, eg on-chip course of displays, are added on every unit to determine the machine conduct and to tune (or trim) regulators, oscillators and different important parts accordingly. The information is collected over massive variety of samples to determine any course of drift and to fine-tune the manufacturing, as wanted. Scan strategies and yield analyzers are leveraged closely to extract, diagnose and course of such knowledge.

3. Prolonged Lifetime – 15yrs

An MCU within the automobile is required to serve for total working lifetime of the automobile, usually 10-15yrs, while not having any service or alternative. Fig 4 exhibits typical failure charge change over time. The machine qualification must account for ageing, long-term reliability and early failure detection.

Each automotive unit is run via stress checks (BurnIN, HVST, VLV and many others), not like many client functions the place solely few pattern items are topic to emphasize checks. The aim of stress checks is to push any weak element to fail upfront, relatively than fail within the subject.

Among the ageing manifestations are NBTI (Damaging-bias temperature instability), Scorching Provider Injection (HCI) and Time-Dependent Dielectric Breakdown (TDDB) results [3]. These are usually screened via HTOL (Excessive Temp Working Life) stress and extra V_min/V_max margins throughout take a look at. For brevity sake, we’ll skip delving into the small print. Nevertheless, these checks additional push the design and take a look at limits. For instance, testing at V_min of 0.9V, whereas additionally accounting for tester-equipment uncertainties and on-chip volt-drop, the tip nodes of a path might finally get a voltage under the signoff V_min. Couple this with PVT parameters and we could also be headed at throwing some in any other case good units (yield influence). We usually add sign-off guard-bands and extra robustness on scan-structure, particularly on hold-sensitive shift-paths, to keep away from such losses.

Silicon Lifecycle Administration (SLM) is one other rising paradigm, to be able to keep the machine reliably accessible through-out the working lifecycle [4]. SLM leverages take a look at infrastructure, along with different sensors like in-situ displays, to detect and handle points whereas in-field. Presence of those further buildings provides to check overheads and require distinctive resolution at every layer. For instance, in-situ cells are custom-made to completely scan-test the monitoring websites, along with the purposeful nodes.

Pointless to re-iterate that almost all client functions are exempt from such rigorous checks.

4. Standby operation

Sure sensors and management domains stay powered-up through-out, even when the ignition is off.

These units draw energy from the battery within the automobile and therefore are required to maintain the facility consumption to reveal minimal. We would definitely be upset to see the battery all drained and unable to self-start, after parking the automobile for two-weeks within the storage!

Many automotive units, particularly physique functions, are designed with a number of power-domain islands; which typically have unbiased voltage ranges as effectively.

The take a look at structure is designed to deal with the isolation checks, power-controllers, standby operation and many others. A number of provides additionally want consideration throughout low-pin-contact testing.

Networking, server and gaming functions stay powered with an electrical energy supply, therefore  donot require such low-power designing.

5. Safety and security hardening of take a look at logic

Take a look at logic has been demonstrated as a useful gizmo to extract machine secrets and techniques by the adversaries. A automobile within the subject incorporates many secret keys and codes, from chip producer, OEMs, person in addition to 3^rd occasion distributors. Entry to those property imposes monetary losses in addition to threat on the roads (each for the person in addition to folks across the automobile), if misused. A tool might comprise delicate knowledge from the person, chip vendor in addition to 3^rd occasion resolution suppliers. Hacking or manipulating a rented automobile might put the subsequent person in danger or at ransom!

Structural logic, like scan chains, are proven as straightforward instruments to learn out machine secrets and techniques. Thus it’s important that take a look at logic is robustly disabled and can’t be used to launch an assault or learn any machine secrets and techniques [5], even beneath diagnostic or fail-return eventualities,

On the identical time, take a look at logic can be leveraged to determine any malicious logic or Trojans on the machine, inserted through the design or manufacturing course of.

Along with safety, take a look at alerts additionally should be security compliant. Any soft-error (SET/SUT) in take a look at logic can’t be allowed to influence the machine performance and put it into an undesirable state. Varied obfuscation methods in addition to redundancy logic (e.g Triple Module Redundancy) is positioned on the take a look at logic and enablement paths to cater to safety and security necessities.

6. Quantity economics

Automotive qualification and certification is an extended, rigorous and costly course of. So a tool, as soon as certified, is used for a number of years, earlier than being upgraded to a brand new model. Automobile producers would deploy a single certified product throughout a number of fashions for a few years. Automotive chip distributors have to maintain their design, fabrication and testing amenities for an extended interval for a single product. All amenities have to persistently carry out at identical parameters on which machine was certified, with none deviations, thus including to the upkeep prices.

This locations the automotive MCUs into high-volume, low-margin bracket in comparison with client markets. A lot in order that ‘Automotive grade’ units are typically referred as ‘military-spec merchandise at client costs’.

The ensuing income stress pushes larger multisite and low-cost-tester options, thus including additional complexity to the take a look at structure and execution.

Conclusion

We talked about a number of the distinctive wants and challenges confronted by automotive chips and related complexities whereas testing these units. Testing group has put particular structure and methods in place, and are continuously evolving, to be able to guarantee a secure, safe and dependable drive on the roads. It definitely impacts the machine and cycle-time prices, however as somebody mentioned – in case you discover testing costly, attempt with out it !

Authored Article by: Sandeep Jain & Shalini Pathak, STMicroelectronics