In ever more new cars the EPS (Electric Power Steering) instead of the classical hydraulic power steering is being used. There are manifold reasons for this: lower energy- that is, less fuel consumption, easier installation in the vehicle, lower fault susceptibility, better adaptability to different car models and last but not least more driving comfort and safety through sophisticated control algorithms.
In case problems occur in the EPS-ECU, only very limited vehicle operation due to missing power steering assistance is possible. EPS system manufacturers are therefore working to encounter this problem through redundancies and thus be able to offer a fault-tolerant system, which can guarantee at least a minimum of safe operation.
Author: Björn Grothkast, Senior Engineer Chassis & Safety Marketing, Automotive Business Group, Renesas Electronics Europe, Düsseldorf
Maximum functional safety
The steering function in the automotive field is not only important for the life and safety of the driver but also of his co-passengers, other road users and even that of the non-involved passers-by. A sudden failure or a malfunction can quickly have catastrophic consequences.
It is therefore no surprise that in ESP systems ASIL D is derived from the ISO 26262 standard. Thus, in the ECU safety concept, the microcontroller is treated as the Safety Element out of Context (SEooC) and is also developed in accordance with ASIL D using the state of the art technology. The same safety standard of course has also to be applied to the software.
Meanwhile, in the automotive segment there is hardly any 32-bit microcontroller application which is not based on AUTOSAR architecture. Even though at first the AUTOSAR standard based architecture may appear to be very complex, this is the only way to realise an economically meaningful platform concept. Thanks to the harmonised system architecture it is for example – depending upon the project requirements – relatively easy to add-on or to remove features from the software. Also a large portion of the proven application software can be reused while migrating from one microcontroller generation to the next. A precondition for this approach though is a comparatively large program memory as well as up to 400 DMIPS computing power, which is associated with electrical power consumption of up to 1 Watt.
Car manufacturers as well as their sub-contractors are getting progressively aware of the fact that even EPS systems are exposed to the dangers like unauthorised replicas, modification of settings and functions as well as attempted frauds in terms of guarantee or warranty.
Currently available microcontrollers, developed for EPS systems do not offer any specifically protected memory area and no safe random number generator (TRNG).
When an error occurs, most of the present day EPS systems put the system into safe state in accordance with ISO 26262 by switching off any power steering support. Especially with relatively heavy vehicles of premium segment however, the driving situation in this case can quickly become very critical, for example, when power steering suddenly fails in a curve and the driver is not prepared for that.
Goals for the next EPS generation
EPS manufacturers are focussing their efforts now just on these points: more driving comfort and safety, lower current consumption, more protection against manipulation and replicas, and particularly important, continued operation as far as possible even in case of fault (fail operation).
In future EPS systems will also take over functions in conjunction with the comfort and safety field (like for example, lane assistant, crosswind compensation, parking assistant). For these tasks a large amount of sensor data is to be evaluated and processed.
Whereas in the previous EPS generations approximately 384 KB memory size for program code was sufficient, currently hardly any EPS systems requires less than 512 KB memory. Following this trend, for the next generation EPS systems, microcontrollers with considerably larger flash memory and a computing power up to 450 DMIPS are required.
Lower current consumption and higher computing power
In contrast to other systems where it is possible to switch between different current saving modes, for microcontrollers in the EPS field extreme low current consumption even in full operation mode is very important. The low heat dissipation of the microcontroller is not only supposed to facilitate new, cost-effective power supply concepts and thermal designs (like for example, plastic housing instead of the costly aluminium housing), but will also contribute towards reduction of CO2 emission of the car leading consequently to lower environmental taxes for the car manufacturer.
Additionally, for the forthcoming EPS generations the cryptographic protection of communication between the EPS-ECU and other ECUs, connected sensors and external diagnostic devices would be an important issue.
Also, it must be ensured that during updates in the workshops only the intended original software from the manufacturer can be loaded. EPS- and car manufacturer expect therefore not only hardware support for AES calculations but also that a non-deterministic random number generator for generating high quality random numbers is implemented. Cryptographic keys and certificates may of course only be stored in a special memory area which is protected against unauthorised reading and writing.
In ideal case, already the semiconductor manufacturer would provide each microcontroller with a unique, unalterable and software readable identifier. This would, for example allow identification of individual ECUs and explicitly enable functions only for it.
Operational safety goal (Fail Operation
)
For safety and comfort reasons, it would not be sufficient in near future that EPS systems simply switch themselves off in case a fault occurs. The car drivers and with that also the car manufacturers expect a reliable system instead, that is, a system in which at least the basic functionality is guaranteed even after the breakdown of a sub-system. Also the rapid development in the field of autonomous driving is a clear indication that reliable EPS systems would become indispensable in the coming years.
At system level, this can for example be achieved by deploying a 2 × 3-phases motor. Thus, even after total breakdown of one 3-phase system, up to 50% of power steering support would still be available in this way. This reduction in performance is noticeable in certain situations, still, it is sufficient though to keep the car under control and drive it safely to the workshop.
At the microcontroller level it means implementation of such a redundant system so that both 3-phase systems are synchronised very precisely with each other because even minor deviations in synchronisation would put burden on the mechanics resulting in unpleasant driving experience.
One possible solution: Renesas RH850/P1M
With the RH850/P1M microcontroller, already available in sample quantities, Renesas will offer EPS system developers the possibility to fulfil the aforementioned requirements of future EPS systems in the easiest possible manner.
Not only for EPS developers, the efforts required for a changeover from one microcontroller generation to the next is an important time and cost factor. For this reason, Renesas designed the RH850/P1M microcontroller with the goal of keeping maximum possible compatibility with its predecessor, the V850E2/Px4. Besides already implemented necessary functions in V850E2/Px4 generation for ASIL D systems like, for example, Lock-Step Dual Core (LSDC), Memory Protection Unit (MPU) and ECCs, many new functions have been added in RH850/P1M microcontrollers which are practically indispensable for the next EPS generation.
On top, new packages with only 0.4 mm instead of 0.5 mm pin pitch guarantee more compact ECU design with same functionality.
The enhanced 450 DMIPS computing power and up to 2 MB integrated program memory allows implementation of very sophisticated algorithms. The migration to the leading 40 nm technology in automotive segment ensures thereby that the performance increase is even supplemented with reduction in basic current consumption to less than 150 mA.
In the car manufacturer’s books, this reduction means approximately 75 euro cents less in taxes for the CO2 exhaust and with that lower cost under the bottom line.
To safeguard the ECU against manipulations and to secure the confidentiality and authenticity of messages exchanged with other ECUs, the RH850/P1M is equipped with an integrated Intelligent Cryptographic Unit (ICU-S). This SHE specification (refer: www.automotive-his.de) compatible hardware unit provides a specifically protected flash memory, local RAM, a hardware random number generator and an AES-engine.
The protected memory cannot be addressed directly by the CPU but is rather managed by the ICU-S. It is therefore ideally suited for example, as protected placement area for cryptographic keys and certificates. The built-in AES-engine supports 128-Bit key, optionally in ECB- or CBC-mode. Additionally, Renesas offers EPS manufacturers to provide all RH850/P1M microcontrollers with a fixed, worldwide unique and internally readable device-ID.
As it turns out, in the software field, a 100% ASIL D system is neither necessary, nor is it feasible and justifiable within a commercially meaningful framework. Consequently, meanwhile in the EPS field the software has bifurcated itself in safety-critical and non-safety-critical parts. A retroactive effect free interaction of all safety relevant modules is a must, so that the functional safety of the whole system can be guaranteed even in case of a malfunction (freedom of interference).
For the RH850/P1M, an ISO 26262 ASIL D capable MCAL is under development.
As in case of its predecessor V850E2/Px4, the RH850/P1M field of application will also not be limited just to the EPS systems. The RH850/P1M is suitable for many applications, which have high demands in terms of functional safety in common. These, besides the next generation EPS systems are for example transmission controls, locking systems, airbags as well as battery management and charging systems for hybrid and electric vehicles.
Summary & outlook
As described above, the requirements in terms of complexity of algorithms, functional safety, current consumption as well as manipulation and operational safety are increasing with every EPS generation.
Most of these requirements are clearly defined. For some others, such as the continuity of operations in case a fault occurs (fail operation), still different approaches are prevalent today and presumably the most eligible one of those would establish itself in the next few years.
Next generation microcontrollers which are already under development like for example, the RH850/P1M from Renesas will help EPS developers to fulfil the requirements of the future EPS systems.
Bibliography/references
Yasumasu, T.: The Safety Microcontroller for the Steering System, lecture at symposium “chassis.tech plus 2014”,
Munich, June 24 – 25, 2014.
Renesas Electronics Europe
www.renesas.com