Vitor Ribeiro, Senior Product Marketing Engineer, Automotive & Embedded Business Unit at Fujitsu Semiconductor Europe explores the design virtues of a new 32-bit MCU, that demonstrates the versatility of modern MCU technology and how this is leveraging control capability in applications ranging from smart junction boxes and central controllers to control panels
Car manufacturers and their suppliers have had to contend with the diversity of electronic systems for many years now. Platform-based thinking has opened up significant potential for savings in not only production but also development, quality assurance, logistics and service.
Of course, this is not without impact on the supply chain, and in particular, on manufacturers of electronic circuits.
As central elements in many designs, microcontrollers (MCUs) often control complex systems. For a long time, they were developed and equipped with application-specific functions. Today, however, the trend is towards covering entire platforms with as few derivatives as possible, so scalability, performance and versatility are key to the success of an MCU range.
As diverse as the potential in-car applications may be, the MCU’s tasks are nearly always the same: capture and process digital and analogue signals and trigger switching operations.
Operating systems (e.g. AUTOSAR) and extensive communication via automotive networks and interfaces (such as CAN, LIN and FlexRay) place additional demands on MCUs.
Modern MCUs are deployed in a wide range of applications such as smart junction boxes, central body controllers, control panels, air conditioning control units as well as controllers for the door/tailgate and interior/exterior lights for all vehicles.
In response to these application needs Fujitsu Semiconductor Europe has developed a new 32-bit MCU (the MB91F526L – shown in figure 1) as part of its MB91520 series.
The devices run at a clock speed of 80MHz/0WS using a high-performance FR81S CPU core. The integrated floating point unit (FPU) allows complex algorithms with floating point values, without the need for converting to integers.
Load switching might sound like a straightforward-enough task, but it can – depending on the features of the MCU used – be a complex process.
Figure 2 shows a generic circuit comprising one MCU, one intelligent power driver with current sense feedback and a generic load (e.g. a lamp, valve or LED). Most systems require all the switched loads to be monitored so that malfunctions can be identified and troubleshot.
Reliable load switching
The current-sense feedback is a voltage or current proportional to the load current and connected to an analogue-digital converter. This scenario is a straightforward task for most body MCUs in use today.
But what if more than one lamp is to be switched and monitored? And what if the brightness needs to be controlled? The simple ‘switch lamp/ load’ task often leads to the following additional requirements:
• Multiple lamps are to be switched and their brightness controlled
• Each lamp is to be operated by means of an intelligent switch with an analogue diagnostics output
• Each lamp is to be reliably monitored and failures like short-circuits, a defective lamp or cable breakage must be detected
• Non-transient short-circuits are to be distinguished from temporary current peaks (e.g. inrush current of the cold lamp)
• To prevent current peaks in the on-board electrical system, loads or load groups are not to be switched on/off simultaneously
Any of these can increase the complexity, and solving the task makes a range of demands on the MCU’s resources.
The brightness is controlled by a PPG (programmable pulse generator), which generates a PWM signal.
The period of oscillation and pulse width of each of the available 48 PPGs can be programmed. The diagnostics signal, which is fed back from the intelligent power switch, is read via one of the 48 A/D converter inputs.
To identify faults during the switching process, A/D conversion must be synchronised with the PPG signal (Figure 3). Otherwise no reliable distinction could be made between a short-circuit and an inrush current.
The MB91520 series not only allows synchronised A/D conversion but also an A/D conversion delay to be programmed (the ADC Chx-trigger delay is shown in Figure 3).
This ensures that inrush currents and transitioning effects of the current-sense circuit in the intelligent switch can be ‘suppressed’ and do not have any impact on the diagnostics functionality. If multiple PPGs are used for switching loads, undesirable current peaks would occur in the board electrical system. A variable ‘start delay’ ensures that the PPG channels are not switched simultaneously.
At the end of conversion, the A/D converter usually triggers an interrupt so that the converted value can be saved by the CPU or, if available, by means of DMA. It’s easy to see that a high interrupt load can occur when multiple A/D converter channels are used. Each converted value must be checked by the CPU in order to trigger an action if the value is not as expected. When no fault is present, the converted values are within the required range and it would make sense to avoid ‘unnecessary’ interrupts for checking ‘correct’ values.
The series offers a useful feature here too, because the conversion results can be routed to one of four digital range comparators, where a check is carried out to determine if the input signal is inside a pre-defined value range. Two registers define the minimum and maximum values of each range comparator and an interrupt is only generated if these values are exceeded (Figure 4) or alternatively, if the converted signal moves into the defined value range.
The combination of PPG, A/D converter and range comparator allows load switching and diagnosis of similar loads in a simple and straightforward manner without interaction of the CPU.
Designers always face the challenge of fitting the required functionality into the most compact of spaces. An MCU is usually the chip with the most connection pins on the PCB and the track density around the MCU is generally very high.
Most MCUs offer multiple functions on one pin and quite often the required I/O functions cannot be made available at the same time and the only solution here is to use an MCU with more pins. The ‘I/O re-location’ feature offered by the series, allows any one of a number of I/O functions to be ‘moved’ to multiple connection pins ( Figure 5).
This can make things much easier for the PCB layout specialist, because related functions can be grouped more logically on the PCB resulting in fewer vias and reduced track density. It may be possible to use a smaller MCU package or even to reduce the number of PCB layers – thereby significantly cutting costs.
A range of functions that permanently monitor certain MCU components are used for detecting hardware faults. With the MB91F526L, this category includes a voltage monitor as well as a function for monitoring the external crystal by means of the clock supervisor that will automatically switch to the internal RC clock if a fault on the external crystal is found.
Also falling into this category are the functions for safe-guarding all internal memories such as program flash, RAM and the dedicated flash for E2PROM emulation by means of the error correction code (ECC) circuit, which detects and corrects memory errors upon access.
However, it is inadvisable to rely solely on the ECC, because its major weakness is that it only detects and corrects data when the memory cells are being accessed.
But how are errors detected in memory areas that are rarely accessed? This is where the integrated cyclic redundancy check (CRC) generator and a DMA channel can come into play. By means of DMA, data can be read from the flash memory and supplied to the CRC generator where the calculated checksum can be compared against a stored value.
The ECC can correct memory errors during the check, but the CRC generator also detects errors that the ECC cannot correct. Using individual or a combination of measures enables the system to detect memory errors and to take appropriate measures.
Hardware monitors the software
The focus in the past has been on detecting and preventing hardware faults; an equally strong focus is now being placed on detecting and preventing software errors. This is of huge importance, particularly nowadays when projects are being developed at a multi-national level in different locations. These software modules have to be combined – with greater or lesser outlay – at a later stage.
This can be a tricky process and the need for additional software monitoring with the help of hardware functions is becoming ever stronger.
These monitoring functions can be implemented in different ways. Following a reset, the CPU always starts in ‘privilege mode’ so that the entire system can be initialised, including the ports, communication interfaces and various safety settings.
The operating system, which initialises and, if necessary, starts, stops or continues the individual tasks, would also run in this mode.
The tasks themselves run in ‘user mode’ and have limited or no rights to change system parameters and hardware initialisations, either intentionally or accidentally in the case of a software error.
A Memory Protection Unit (MPU) ensures that tasks only access their allowed storage areas. Any attempts to access other, blocked address areas are reliably detected, prevented and signalled to the operating system.
Eight address areas of variable size and the enabled access types can be defined for this purpose. When doing so, programmers can specify whether the task is able to execute code in the enabled areas or whether data can be read and/or written.
Hardware watchdog implementation feature
A hardware watchdog is implemented in addition to the standard software watchdog and can in most cases substitute an external watchdog chip. The fundamental difference between the software and hardware watchdog is that the latter is clocked by an independent RC oscillator and, once started automatically, cannot be stopped by means of software.
The separation of ‘user’ and ‘privilege’ mode in itself offers a high level of protection against tasks ‘running wild’, because safety-relevant memory and register operations are possible in privilege mode only.
The MPU and hardware watchdog offer additional safety because they monitor the behaviour of the tasks, reliably signal any erroneous functions and/or trigger a system reset.
The versatility of modern microcontrollers is a key criterion for their use in automotive platforms. On the one hand, system manufacturers can reduce the diversity of variants and leverage considerable savings potential, thanks to the standardisation of hardware and software platforms.
On the other hand, manufacturers of microcontrollers can boost product desirability and expand the range of product applications by offering intelligently designed functionality while simultaneously ensuring scalability of memory capacity and package variants.
Today, systems and microcontroller manufacturers alike are obliged to give special consideration to safety and cost factors, and consequently have to successfully walk the tightrope between flexibility and excessive- often cost-driving complexity.
Fujitsu Semiconductor Europe
