Enabling functionally safe and secure electric automotive powertrains using C2000™ real-time MCUs

Jürgen Belz, senior consultant, functional safety and cybersecurity at Prometo, co-authored this technical article.

The migration from internal combustion engines (ICEs) to electric vehicles (EVs) requires at least five new electrical/electronic/programmable electronic (E/E/PE) systems. Figure 1 depicts these systems within an EV. 

Figure 1: Block diagram of a typical EV powertrain 

In order to zero out tailpipe emissions and reduce continued reliance on fossil fuels, refuelling EVs happens at a charging station. These EV charging stations could be supplied with renewable energy sources like solar and wind, which increases the positive impact of EVs on the environment. The onboard charger forms a functional unit with the high-voltage battery, which ensures fast, efficient charging while still protecting the battery from overcharging. These and other safety requirements are described in International Organization for Standardization (ISO) 6469 parts 1, 2 and 3 – the standard that governs the high-voltage electrical safety requirements for electric road vehicles. 

All electronic control units (ECUs) in an EV require a 12-V battery charged by a high-voltage-to-low-voltage DC/DC converter, which also provides galvanic isolation between the low-voltage (12-V) battery and the high-voltage (400-V or 800-V) battery. The inverter and the electric machine (propulsion motor) deliver torque for controlled motion. Very compact, high-power-density permanently excited synchronous machines are usually deployed as EV propulsion motors; at lower power levels, asynchronous machines have found limited use in EVs. The functional safety aspects of this DC/DC converter, which helps guarantee the operation of all ECU features while the EV is in motion, and of the EV traction inverter (EVTI) are outlined in ISO 26262:2018. 

For instance, for a vehicle with an ICE, the operating time (or power-on hours) of a semiconductor component is between 8,000 and 10,000 hours. With an EV, this increases to 30,000 hours or more. The reason: semiconductor components have to remain powered up not only when the vehicle is being driven, but also when the vehicle is charging. This operating time influences, for example, the calculation of the probabilistic metric for random hardware failures according to ISO 26262. For engineers, this longer operating time means that they must develop a system that on average has a fivefold lower probability of dangerous component failures, expressed as failures in time (FIT).

In an electrified powertrain, the C2000™ real-time microcontroller (MCU) typically handles power conversion and communicates with a general-purpose MCU connected to the vehicle bus, which manages the highest level of security, as shown in Figure 2.

Figure 2: C2000 real-time control in an electric powertrain 

You might still want to consider encrypted communication between the communication MCU and the C2000 real-time controller, typically for over-the-air upgrades. In such cases, you need to assess the threat level and define a security strategy at the system level that leverages the various security enablers the C2000 real-time MCU offers, listed in Figure 3. 

Figure 3: C2000 supported enabler status

Some of the technical features supporting these security enablers include:

  • The ability to protect memory blocks.
  • Memory zone ownership by bus masters such as the C28x central processing unit (CPU), the control law accelerator and direct memory access.
  • Execute-only protection for certain memory regions (with callable secure copy and secure cyclic redundancy check (CRC) software application programming interface (API) functions available in the boot read-only memory).
  • Protecting the CPU from improper access through debug ports and logic while it is executing code from secure memory regions (also called secure JTAG, for Joint Test Action Group).
  • Unique identification for each device.
  • A hardware acceleration engine for 128-bit Advanced Encryption Standard (AES) encryption.
  • Secure boot.

Conclusion

Because electric drives and voltage converters have to be functionally safe, high-voltage safe, power-efficient and cost-effective, the design challenges and complexity increase sharply. Designing with C2000 real-time MCUs can help address these challenges by giving EV charging designers the option to use a single device that supports all of these requirements.
