

Received November 28, 2019, accepted January 14, 2020, date of publication January 24, 2020, date of current version February 5, 2020. *Digital Object Identifier* 10.1109/ACCESS.2020.2969258

# **CAN-Based Aging Monitoring Technique for Automotive ASICs With Efficient Soft Error Resilience**

JINUK KIM<sup>®1</sup>, MUHAMMAD IBTESAM<sup>®1</sup>, DOOYOUNG KIM<sup>®1</sup>, JIHUN JUNG<sup>®2</sup>, AND SUNGJU PARK<sup>®1</sup>, (Senior Member, IEEE)

<sup>1</sup>Department of Computer Science and Engineering, Hanyang University, Seoul 04763, South Korea <sup>2</sup>Teradyne Korea, Seoul 06771, South Korea

Corresponding author: Sungju Park (paksj@hanyang.ac.kr)

This work was supported in part by the National Research Foundation of Korea Grant through the Ministry of Education, Science and Technology under Grant NRF-2017R1D1A1B03030821, in part by the Ministry of Trade, Industry and Energy under Grant 10052875, and in part by the Korea Semiconductor Research Consortium Support Program for the Development of Future Semiconductor Device.

**ABSTRACT** The modern automobile industry is rapidly shifting toward the era of self-driving cars. Due to rapid technological development, many mechanical parts in automobiles have been switched to electronic devices. Therefore, the proportion of electronic devices in modern cars is increasing. Even though many parts have been replaced by electronic devices, vehicles still require the periodic maintenance not only for mechanical parts, but also for automotive electronics. To guarantee the high reliability of automotive Application-Specific Integrated Circuits (ASICs), automotive chips are tested during manufacturing for functional and structural defects. Moreover, automobile chips are also tested using several in-field diagnostic techniques (e.g., online Built-In Self-Test (BIST), Software-Based Self-Test (SBST)) while the chips are operating. By using these in-field diagnostic techniques, functional and structural defects in automotive ASICs, which occur in the early-life cycle and normal operation, can be detected. However, automotive semiconductor devices still require testing for aging-induced defects and soft errors to prevent critical functional failures. Moreover, aging-induced defects are hard to detect with conventional in-field diagnostic techniques which is based on BIST techniques. Thus, this work presents a secure Controller Area Network (CAN) -based Test Access Mechanism (TAM) for aging defect diagnosis with efficient soft-error resilient scan cell design for automotive ASICs. The proposed TAM incurs area overhead of 6% to 9% depending upon the selection of mode identification. Further, the proposed Aging monitoring and Soft Error Resilience Flip Flop (ARFF) incurs 22% less area and power as compared to separate implementation of the Built-In Soft Error Resilience (BISER) and the Early Capture Flip Flop (ECFF).

**INDEX TERMS** Aging, diagnostics, automotive electronics, testing, TAM, CAN.

## I. INTRODUCTION

As automotive ASICs replace the mechanical devices in vehicles, the proportion of electronic devices in modern vehicles continues to grow. Recently, more ASICs are embedded in automotive systems to meet customer demand for comfort, safety, enhanced fuel efficiency, and even driving support [1], [2]. Thus, both functional integrity and reliable operation are necessary for automotive electronic devices. To ensure higher reliability of automotive semicon-

ductors, production testing of devices is required during the manufacturing process. ISO 26262 establishes a standard for safety system to decrease the hazard caused by LSI logic failures [31]. For some critical real-time ASICs which requires high reliability, a periodic test or diagnostic is needed to prevent the failure of the device that is induced by functional or structural defects. In addition, automotive ASICs must be tested for aging defects after its reliable lifetime. Generally, aging defects are caused by hot-carrier injection (HCI), negative/positive-bias temperature instability (NBTI/PBTI), time-dependent dielectric breakdown (TDDB), chip package interaction (CPI), electro-migration (EM), and stress

The associate editor coordinating the review of this manuscript and approving it for publication was Flavia Grassi.

migration (SM) [3]. As the automotive ASIC technology has downscaled under 20 nm, their reliable lifetime is expected to be up to five years [4]. Moreover, aging can even accelerate in automotive ASICs that are exposed to harsh environments, making them prone to aging-induced defects. The effect of aging can be detected as a signal delay [5]. As a result of aging defects, either performance degradation or the critical failure can occur during functional operation after its reliable lifetime.

To prevent functional failure and test the automotive chips during normal operation, several in-field diagnosis techniques like online BIST [6], SBST [7] are adopted. Also, on-board diagnostic (OBD) systems are widely used for maintenance [8]. However, defects that are induced by aging are hard to diagnose using these in-field diagnosis techniques without using additional aging detection techniques.

Therefore, this paper introduces a (1) CAN-based test access mechanism to perform periodic aging defect diagnostics of automotive semiconductors, and an (2) efficient aging monitoring scan flip-flop with soft-error resilience.

### **II. RELATED WORKS**

Semiconductor devices are tested at several stages to ensure functional integrity. Manufacturing testing (e.g., scan testing) is performed at several fabrication stages to detect defects before the chips are assembled and shipped [9]. Several standards [10]–[12] have been adopted to test semiconductors. By performing manufacturing tests, functional and structural defects that are induced during fabrication can be tested. However, automotive electronics are especially prone to errors [13] even though the devices are verified during manufacturing testing. Furthermore, automotive semiconductors can be damaged by exposure to harsh environments (e.g. high-temperature, humidity, shock, vibration). Sometimes, defective products with early-life failure may be detected after shipping. Besides, aging-induced failure may also occur in devices as the chip is used for longer time periods [14].

For functional testing of automotive systems, Choi *et al.* [15] suggested a test data reduction technique, and Zhang *et al.* [13] presented diagnostic and prognostic methods for connected vehicles based on functional testing. For structural testing of chips, Cook *et al.* [16] introduced a scan test method for assembled automotive semiconductors that utilizes the scan test circuitry embedded for manufacturing testing.

Firouzi *et al.* [17] introduced a method for re-using BIST to monitor circuit aging, which uses a software-based prediction model. The captured stress information is fed to the software in real-time, and this information is used to train the prediction model in offline by using vector regression. After the prediction model is trained by gathered feedback, an aging mitigation technique is proactively activated. However, long-term performance drift induced by aging should be monitored on-line to prevent fatal accidents [13]. Oliveira *et al.* [18] proposed an on-line BIST-based performance failure prediction that uses an additional aging sensor. Reimann *et al.* [7] proposed a methodology for testing automotive chips during operational mode by scheduling BIST and SBST. However, the test interfaces for design-fortestability (DFT) like scan testing, BIST [10], [11], [19], [20] may be disconnected for some chips due to either lack of connecting pads(pins) or security issues [21]. Therefore, access for DFT circuitry in automobile ASICs is not available for some chips. In this case, it is hard to detect the root causes of defects that already occurred, or potentially have the chance of defects. Moreover, ensuring high reliability of automotive ASICs is a tough issue without diagnosing chips periodically on-line because the faults that occur in vehicular ASICs are infrequent, intermittent, and unexpectable [13].

OBD techniques have been widely adapted for automotive applications and have steadily improved in capability and standardization [22]. Users can access vehicle subsystems via installed sensors. However, since the modern automobile is more like an electronic device that integrates hundreds of microprocessors, OBD systems may not be sufficient to maintain the reliability of automobile system. Thus, an extended test access mechanism is required to guarantee high reliability of automotive system and to diagnose various faults that occur in hundreds of automotive ASICs.

## **III. BACKGROUNDS**

Modern cars consist of almost hundred Electronic Computer Units (ECUs) for handling different functionalities in a car ranging from simple functions, e.g., door locking, to highly sophisticated functions, e.g., Advanced Driving Assistance Systems (ADAS). These functions are generally categorized into four categories (1) Body functions (e.g., lighting), (2) Chassis functions (e.g., braking), (3) Powertrain functions (e.g., traction control) and (4) Infotainment and connectivity (e.g., navigation) [32]. The ultimate goal in automobile industry is to achieve level 5 autonomy as described in [33]. Level 5 autonomy is fully autonomous vehicle, which does not require human intervention. Progressing towards full autonomy, many ADAS processors have been proposed [34], [35]. However, ISO 26262 requires Automotive Safety Integrity Level-D, which refers to the highest level of safety, for many functionalities in level 5 autonomy. Controller Area Network (CAN), Local Interconnect Network (LIN), FlexRay and /or Ethernet can be used for communication between different ECUs.

## A. CONTROLLER AREA NETWORK (CAN) AND CAN CONTROLLER ARCHITECTURE

CAN [23] is an asynchronous serial communication bus that uses an event-triggered protocol. CAN delivers the messages using message IDs and ensures conflict-free transmission and high immunity to electromagnetic field interference. If a CAN frame is broadcasted to a CAN bus, each node checks the 11-bit (CAN 2.0A) or 29-bit (CAN 2.0B) arbitration field (ID field) and only the target node receives the message.

There are four types of CAN frames: data, remote, error, and overload. The data frame delivers frames from the source

node to destination node. And, remote frame is transmitted when certain node requests specific parameter data from the other nodes. As a result, the associate node transmits a data frame as a response. An error frame is transmitted when any error occurs during data transmission. If any error frame is broadcasted on the CAN network, all erroneous message transmission is stopped, then the interrupted transmission is handled at the next transmission stage. The overload frame indicates that current message transmission is not completed. If any overload frame is broadcast on the network, the next message transmission is delayed until the current transmission is completed.

The message can contain specific system parameter values such as engine temperature, RPM, etc. Each parameter has a unique ID in the network that is also used for arbitration for the corresponding messages. Recent automobiles embed around 100 micro-processors in their automotive system, which has a unique ID for each node. In a CAN network, a message ID with lower value has the higher priority. Therefore, the node that has lower priority switches to receive mode until the CAN network becomes idle and attempts the transmission later.



FIGURE 1. CAN node architecture.

Figure 1 shows the CAN node architecture. It includes a host processor unit, a CAN communication controller, a differential bus transceiver, memory blocks, standard interfaces, and various IP blocks. Several CAN controllers are commercially available, both as a stand-alone product or integrated with a processing unit. These controllers use the message mailbox or message object concept [25], in which messages are stored in RAM after they are received or before they are transmitted. At the CAN node level, the messages that will be transmitted are queued in TX-object, and the message with highest priority is transmitted first.

## **B. SCAN TESTING**

Scan testing is the most common DFT technique used for testing of semiconductors. Typically, IEEE std. 1149.1 JTAG [10] and IEEE std. 1500 wrapper [11] is adopted by most semiconductors. JTAG was initially proposed for the testing of interconnections between chips at board-level; however, it has been widely adopted as a test access port (TAP) for the debugging of integrated circuits. JTAG provides access via I/O pins, and the internal logic is controllable by shifting test data in the scan chain that is composed of scan flip-flops. A chip is tested by accessing corresponding instructions and the test data register (TDR) of JTAG via the TAP controller or wrapper data register (WDR) via WTAP controller, TAP controller of wrapper interface. Figure 2 and Figure 3 shows an example of boundary scan cells stitched in a scan chain and the architecture of a regular boundary scan cell.



FIGURE 2. Example of boundary scan.





For the ever-increasing number of IPs and design size of modern SoCs, flatten test controller for the test legacies through JTAG is not sufficient. Thus, IEEE std. 1500 [11] was proposed to provide hierarchical access to IP cores by isolating each IP cores from the entire design. By integrating JTAG and IEEE std. 1500, the core-level modular test is available as illustrated in Figure 4.

However, in most cases the test interfaces are disconnected after production testing because of the limited number of connecting pads and also to avoid malicious attacks [21]. Therefore, this paper presents a CAN-based test access mechanism and aging level diagnosing method via a CAN network by using modified aging monitoring scan cell.

## C. SOFT ERROR RESILIENCE AND AGING MONITORING

Soft error resilience and aging monitoring of electronic devices in drive-by-wire vehicles is of paramount importance, as any unexpected failure may result in fatal accident. Many researchers are focusing on the aging monitoring and soft error resilience such as in [26], [27], [29]. References [26], [27] proposed BISER circuitry, for non-memory circuitry, to be resilient from soft errors. The soft errors



FIGURE 4. Test access mechanism via IEEE standards [10], [11].



FIGURE 5. The built-in soft error resilience (BISER) for a flip-flop design.

on combinational logic, latches, and flip-flops produce an unwanted signal pulse, which may change their values. This can be avoided by utilizing BISER based flip-flops (BISER-FF).

Figure 5 shows structure of a BISER-FF. The data from the combinational logic traverses through normal and shadow flip-flops (delayed) in parallel, and the stored value in both flip-flops is fed into a C-element and stored into a keeper. When both input of a C-element are equal, the value of the output becomes inverted, otherwise it is floating [28]. Therefore, since the pulse width of the unwanted signal is very short, due to the delay element, the C-element blocks it and the previous value stored in the corresponding keeper is forwarded.

Figure 6 shows the structure of an ECFF. The input value (DI) is stored into a DFF on the rising edge of the clock and into an ECFF on its falling edge, and the capturing timing can be controlled by the duty-cycle adjustable clock generator. Stored values are compared with exclusive-OR gate and the result is stored into the succeeding or the following ECFF through ECSO / ECSI (early capture scan-in / scan-out). A logic HIGH (1) indicates aging and its location. Those ECFFs are stitched into a separate scan chain, which is used for unloading the monitored results.



FIGURE 6. The early capture flip-flop (ECFF) design [29].

## IV. PROPOSED AGING DEFECT DIAGNOSTIC METHOD THROUGH A CAN-BASED TEST ACCESS MECHANISM A. CAN-BASED TEST ACCESS MECHANISM

For the maintenance of automotive ASICs via CAN network, the test data transmitted through the CAN should be shifted to a TAP controller. However, the test must not affect the normal operation to prevent unexpected failure. Thus, the operational mode should be switched to maintenance mode for the maintenance of automotive ASICs. Once the mode is switched to maintenance mode, the test data and result is transmitted through the CAN network between the test equipment and the test controller in the automotive ASICs.

The basic CAN controller has two buffers: the temporary data buffer and the general CAN buffer. The temporary data buffer stores the payload data of the incoming message until acceptance of the associated ID is verified. The contents of the temporary buffer are forwarded to the general CAN buffer when the associated ID is accepted. The master node of the network is notified that some valid data is stored in the general CAN buffer by either an interrupt or polling.

Figure 7 shows the architecture of the proposed CAN-based maintenance interface. In this interface, a test data buffer is added to prevent interference between functional operation message and test-related message. After the message ID is identified by the test controller and the CAN node is switched into maintenance mode, any test-related message is verified whether the message contains a corresponding ID for test stimulus or test response. Then, data contained in the test-related message will be shifted into the TAP controller and the scan chain (JTAG interface) via the test controller interface.

The proposed maintenance interface supports the structural test and aging monitoring of individual IP blocks via the CAN network. The connected nodes have a considerable number of dedicated IDs for maintenance. For example,



FIGURE 7. Proposed CAN-based maintenance interface.

a system that contains *n* IP blocks (nodes) needs 2*n* dedicated IDs for maintenance: n-IDs for test stimuli messages, and n-IDs for test result messages. Although there are up to  $2^{11}$  (CAN 2.0A) or  $2^{29}$  (CAN 2.0B) IDs and a significant number of unused message IDs are available between in the CAN network, the number of usable message ID can be limited because the ID field can be divided into several subfields. Each subfield can have dedicated purpose [22]. Thus, the number of message IDs that is used for maintenance should be not allowed to avoid malicious attacks, like [24].

To reduce the number of message IDs used for maintenance mode and to prevent unauthorized access, we propose a mode identifier, which switches the operation mode into maintenance mode based on either the reserved bit or the dedicated message ID for maintenance mode. By using the proposed mode identifier, access privilege of test-related circuitry is limited to authorized users that have appropriate dedicated test mode IDs.

Reserved bit (R-bit) based mode is implemented with two flip-flops (r0, r1), two AND gates, and an inverter, as shown in Figure 8. The R-bit in the CAN frame is sampled by flip-flops from message according to the bit position which is counted by the CAN transceiver. The *maintenance\_mode* signal represents the operation mode. This signal becomes HIGH (1) when "10" is sampled in the flip-flops from the CAN frame, and the ID acceptance check is successful. However, if any incoming message has the R-bit of "00", the *maintenance\_mode* signal goes LOW (0). Then the operation mode of nodes is switched to the functional mode (normal operation mode).



FIGURE 8. Implementation of R-bit based mode identifier.

As illustrated in Figure 8, hardware implementation of R-bit based mode identifier is easy to use and requires less overhead because its architecture is very simple. However, usage of the R-bit reduces the expandability of the CAN protocol. Especially, it conflicts with [30], an international standard for hybrid usage of both CAN and CAN-FD in a system. In such case, the R-bits are already used for distinguishing a CAN and a CAN-FD. As a result, R-bit based mode identifier is only available in a network that only supports CAN protocol.

Instead of using R-bits, maintenance-ID (M-ID) based mode identifier uses a dedicated maintenance ID for activating maintenance mode. Thus, M-ID based mode identifier does not limit future expansion of CAN protocol. It also does not require significant overhead for the CAN network because it needs only a single comparison of received messages. However, M-ID should not be used for any functional operation in every connected node of the CAN network. While the operation mode is switched to maintenance mode, IDs for connected nodes are reused to address a specific IP block.



FIGURE 9. Implementation of M-ID based mode identifier.

Figure 9 illustrates the hardware implementation of M-ID based mode identifier. Any message containing M-ID triggers a CAN node to switch modes between functional mode and maintenance mode. The ID of the incoming message is bitwise compared with the ID in the M-ID register using an XOR gate. If any bit position is mismatched, then the value of the flip-flop goes HIGH; otherwise, it remains LOW. After the ID comparison, the output of the flip-flop decides the operational mode. If the output is LOW, the *maintenance\_mode* signal is toggled; otherwise the *maintenance\_mode* signal retains its value. Thus, a message with dedicated M-ID is required to switch the mode between functional mode and maintenance mode.

## B. AGING DEFECT DIAGNOSIS VIA SOFT-ERROR RESILIENCE AGING MONITORING FLIP-FLOP

For diagnosis of aging defect in automotive semiconductor, the scan chain used for manufacturing testing can be reused. Since the aging defect can be detected as a signal delay at a signal transition [3], the scan chain can be reused if scan cells are modified to aging monitoring scan cells. In such case, the diagnostic result can be accessed via the CAN network using the proposed test access mechanism.

By merging two representative aging monitoring methods [26], [27], [29] into a regular boundary scan cell, the proposed flip-flop in this paper can measure the present performance of the chip and determine the aging level. Moreover, when the flip-flop is not operated in the aging monitoring mode, soft errors can be tolerated. Also, its cell architecture and functional features are almost the same a regular boundary scan cell because only two C elements, two shadow latches, and two keepers are added to monitor the aging level.



FIGURE 10. The proposed aging monitoring and soft error resilience flip-flop (ARFF) design. (a) Schematic (b) modified Celement.

Figure 10 (a) shows a schematic of the proposed ARFF. There are four latches, which are used in ARFF and BISER-FF. The C-element shown in Figure 10 (b) has been modified to be controlled by a control signal. Instead of a delay element, multiplexer is used. In case of a NAND and AND gate that generates the AR and SS signal respectively, they can be shared by a small number of locally adjacent flip-flops. The aging monitoring mode or soft error resilience mode is determined by the AR signal. The monitoring mode is divided



FIGURE 11. Timing diagram of ARFF operation.

into monitoring launch mode, monitoring capture mode and monitoring shift mode. All these four states are decided by ARSE1 and ARSE2 control signals.

Figure 11 shows the timing diagram of ARFF operation. There are two scan enable signals, ARSE1 and ARSE2. When the ARSE1 becomes '1' after a rising edge, the compared result is captured at the following rising edge in the flip flop. It is stored in the flip flop so that the comparison does not change after the shadow latch stores a new value at the rising edge. On the subsequent falling edge, the stored comparison is shifted out to the next scan cell. After finishing the aging monitoring mode, ARSE1 becomes '0'.

#### C. IMPLEMENTATION USE CASE

In this section, we introduce a simple use case of the proposed TAM. Figure 12 shows a simple use case of a CAN controller with the proposed maintenance feature. As illustrated in Figure 1, the node is composed of a microprocessor, memory modules and a basic CAN controller. Some scan cells attached to the boundary of the processor are replaced by the proposed ARFF. Thus, the device is tested for aging defects and the aging level information is transferred via the CAN network by transmitting the test response message.

The shaded blocks represent the additional circuitry for the CAN controller with the proposed TAM. It requires a test controller interface with two test controller access switches (TCAS), two polling registers for each test controller, and a test data buffer. The operation mode identifier is required to switch the nodes into either functional or maintenance mode. This operation mode identifier can be either an R-bit based mode identifier or an M-ID based mode identifier.

To test a certain target node, test data is transmitted via the CAN network. Test data includes either test stimuli (test pattern) or test responses from the target design. Therefore, the proposed TAM supports both delivering the test stimuli from the test equipment to a specific IP block and transferring the test responses from a specific IP block to the test equipment. To distinguish test stimuli and responses, different types of CAN frames are used: data frame for test stimuli, and remote frame for test response. Data frame and remote frame can be identified by the "RTR" bit of the CAN frame [24].

The data frame with a valid ID for a specific IP block indicates that the message frame contains the test stimuli for



-

FIGURE 12. Simple use case of CAN controller with the proposed maintenance feature.

#### TABLE 1. Area overhead compared with other aging monitoring cells.

| FLIP-FLOP TYPE  | Area            |       |
|-----------------|-----------------|-------|
| TEII-FEOI TITE  | um <sup>2</sup> | %     |
| BISER-FF        | 25.6            | 61.84 |
| ECFF            | 24.8            | 59.90 |
| ARFF (proposed) | 41.4            | 100   |

#### TABLE 2. Power Overhead Comparison with other cells.

| FLIP-FLOP TYPE  | POWER |       |
|-----------------|-------|-------|
|                 | UW    | %     |
| BISER-FF        | 19.60 | 76.4  |
| ECFF            | 11.71 | 45.64 |
| ARFF (proposed) | 25.66 | 100   |

a specific IP block. When the test of a node is completed, test equipment requests a test response by broadcasting a remote frame with a valid ID for a specific IP block. After receiving the remote frame, the test controller interface loads the test responses stored in the test data buffer to a temporary data buffer of the CAN controller. Then, the CAN controller of the target node issues a frame for transmitting the test responses to the test equipment. Finally, users can check the test result by extracting the data of the received test response.

## D. AREA AND POWER OVERHEAD

To get a better idea of the area overhead, the area overhead has been calculated separately for both the controller and the ARFF. Table 1 shows the area of each flip-flop. The TSMC 65nm library and Synopsys Design Compiler have been used. Similarly, all flip-flops have been compared under the same conditions. The BISER-FF and ECFF are 38.16% and 30.10% smaller than ARFF, however, the area of each approach individually (BISER-FF+ECFF) is 21.74% larger than ARFF. Additionally, in our proposed TAM, not all scan cells need to be replaced with the proposed ARFF. Thus, only the scan cells which are attached to the critical path need to be replaced, thus incurring less overhead to design.

#### TABLE 3. Area overhead of the CAN controller with the proposed TAM.

| BLOCK NAME                      | Gate<br>Count | Overhead (%) |
|---------------------------------|---------------|--------------|
| Basic CAN controller            | 20643         | -            |
| M-ID based mode identifier      | 776           | 3.76         |
| R-bit based mode identifier     | 41            | 0.20         |
| Test data buffer                | 823           | 3.99         |
| Test controller interface logic | 176           | 0.84         |

The average power consumption of BISER-FF, ECFF and ARFF has been tabulated in Table 2. These calculations have been done using HSPICE and SAED 90nm iPDK library. As the ARFF works in either aging monitoring mode or Soft error resilience mode, so, the higher power consumption has been taken for comparison. ARFF consumes 22% less power when both BISER-FF and ECFF are implemented together.

The area overhead of each block of the CAN controller with the proposed TAM is presented in Table 3. The hardware size is given in terms of gate count, which represents the number of two-input NAND gates. The area overhead is relative to the size of the original CAN controller.



FIGURE 13. Simulation waveform showing test mode activation, test data delivery and the test response collection.

The M-ID based mode identifier is larger than the R-bit based mode identifier due to additional FSM and bit-wise comparison of the ID of the incoming message with the M-ID. Among maintenance blocks, the test data buffer (TDB) consumes the largest area. It consumes about 4% of the original CAN controller area. Even though a node has multiple test controllers, the TDB can be shared among them. Consequently, the overall hardware overhead is about  $5\sim10\%$  of the original CAN controller according to the number of test controllers.

## E. SIMULATION RESULTS

To verify the diagnostics through the CAN controller with proposed TAM, a node with the CAN controller is simulated using Mentor ModelSim 10.1b, as depicted in Figure 13. The operation of both M-ID based operation mode identifier and R-bit based operation mode identifier are easily understood. Since their waveforms are very lengthy to depict, the simulation focuses on the operation of the test data delivery and the test response collection.

The test clock signal, TCK, is generated by dividing the operational clock (*clk*) of the CAN controller by two, because there are only two inputs of the TAP controller: TDI and TMS. The simulation waveform can be categorized into test data loading (dotted line box), test data delivery (red solid line boxes) and test response collection (blue solid line box). To load the data segment of the received CAN frame into the test data buffer (*tbuf*), the CAN maintenance controller activates the *tbuf\_load* signal as soon as the operation mode is switched into maintenance mode, which is indicated by the test mode (*maintenance\_mode*) signal. After loading the test data into *tbuf*, the CAN maintenance controller issues the *tx\_start* signal, which initiates the test data transmission from the *tbuf* to the activated test controller.

In this case, since the ID of the received CAN frame is matched with the acceptance ID of test controller 1, the CAN maintenance interface activates only the CAS of controller 1 by setting the value of *test\_acf* (test acceptance filter) to "10". Therefore, the test interface signals for test controller 2 are suspended. Only the TDI and TMS signals are routed from *tbuf* [4][0] and *tbuf* [0][0], respectively, to test controller 1. Simultaneously, the TDO output from test controller 1 is stored into *tbuf* [3][7]. Thus, both test data delivery and test response collection progress during the transmission of test data messages. To fetch the test response, the test equipment sends a test response remote frame.

The simulation of ARFF has been done on the Synopsys Custom Compiler using SAED 90nm iPDK library. Physical layout has also been done to verify the timing issues. Figure 14 (a) shows the simulation results for the soft error resilience in two shadow latches attached to the C\_element. The error has been generated by inserting XOR gates after the latches and the value of either latch has been inverted turn by turn for logic value 0 and 1. The C element output verifies the soft error resilience of the ARFF. Figure 14 (b) shows the simulation results of the aging monitoring of a case where the early capture is 0 and normal capture is 1, which is emulation of aging. The comparison is carried out at the falling edge after SS is switched to logic 1. While SS is 1, the comparison result is stored back in q2 (from Figure 10(a) at the subsequent rising edge. As the C\_element works as an inverter for AR as 1, thus the comparison is done between the early capture and the inverted value of normal capture. Therefore, for this case the comparison is done between a 0, an early capture, and 0, inverted value of normal capture i.e., 1, at the falling edge after ARSE1 is switched to 1, whereas, for the cases where early capture and normal capture are the same the comparison result will be 1. After physical layout, the simulation results show that no setup or hold time violations have occurred and true results are captured. Figure 14 (b) is the waveform after parasitics extractions in the custom designer.



FIGURE 14. Simulation results for proposed flip-flop that shows (a) soft error resilience, (b) aging monitoring for the case of 0 early capture and 1 as normal capture.

## **V. CONCLUSION**

A test access mechanism (TAM) architecture for testing automotive semiconductor is proposed that is applicable to CAN network. The proposed TAM provides maintenance access to the node components by switching the operation modes between functional mode and maintenance mode. The switching of operation mode can be implemented by using either R-bit based operation mode identifier or M-ID based operation mode identifier. Also, an aging level diagnosis mechanism through the proposed TAM is introduced. To diagnose the aging level of automotive semiconductor, regular scan cells are replaced by aging monitoring scan cells with enhanced soft-error resilience as well. Thus, soft errors can be mitigated by using proposed aging-monitoring cell, and the aging level information of the connected node is diagnosable via the proposed TAM. With these techniques, early-life failures and the aging-induced defects in automotive semiconductors can be detected and diagnosed even after the chips are shipped. Also, aging-induced defects can be predicted easily, and more detailed aging level information is available through the CAN network. Therefore, it is expected that the reliability of automotive semiconductors is enhanced by adding soft-error resilience to the critical path and performing periodic maintenance via the proposed TAM. In future work, big data analysis of various diagnostic information gathered via the proposed TAM can further improve the reliability of automotive semiconductors.

#### REFERENCES

- D. Gessner, M. Barranco, and J. Proenza, "Design and verification of a media redundancy management driver for a CAN star topology," *IEEE Trans. Ind. Inf.*, vol. 9, no. 1, pp. 237–245, Feb. 2013.
- [2] V. Prasanth, D. Foley, and S. Ravi, "Demystifying automotive safety and security for semiconductor developer," in *Proc. IEEE Int. Test Conf. (ITC)*, Oct. 2017, pp. 1–10.
- [3] J. Jung, M. A. Ansari, D. Kim, H. Yi, and S. Park, "On diagnosing the aging level of automotive semiconductor devices," *IEEE Trans. Circuits Syst.*, *II, Exp. Briefs*, vol. 64, no. 7, pp. 822–826, Jul. 2017.
- [4] F. Oboril and M. B. Tahoori, "Cross-layer approaches for an aging-aware design of nanoscale microprocessors," in *Proc. IEEE Int. Test Conf. (ITC)*, Oct. 2015, pp. 1–10.
- [5] K. K. Kim, W. Wang, and K. Choi, "On-chip aging sensor circuits for reliable nanometer MOSFET digital circuits," *IEEE Trans. Circuits Syst.*, *II, Exp. Briefs*, vol. 57, no. 10, pp. 798–802, Oct. 2010.
- [6] Y. Maeda, J. Matsushima, and R. Press, "Automotive IC on-line test techniques and the application of deterministic ATPG-based runtime test," in *Proc. IEEE 26th Asian Test Symp. (ATS)*, Nov. 2017, pp. 237–241.
- [7] F. Reimann, M. Glaß, J. Teich, A. Cook, L. R. Gómez, D. Ull, H.-J. Wunderlich, P. Engelke, and U. Abelein, "Advanced diagnosis: SBST and BIST integration in automotive E/E architectures," in *Proc. 51st Annu. Design Autom. Conf. Design Autom. Conf. (DAC)*, 2014, pp. 1–6.
- [8] J. Siegel, R. Bhattacharyya, A. Deshpande, and S. Sarma, "Vehicular engine oil service life characterization using On-Board Diagnostic (OBD) sensor data," in *Proc. IEEE SENSORS*, Nov. 2014, pp. 1722–1725.
- [9] J. Zeng, M. Abadir, G. Vandling, L.-C. Wang, S. Karako, and J. Abraham, "On correlating structural tests with functional tests for speed binning of high performance design," in *Proc. 5th Int. Workshop Microprocessor Test Verification (MTV)*, Jan. 2006, pp. 103–109.
- [10] IEEE Standard Test Access Port and Boundary Scan Architecture, IEEE Standard 1149.1-2013 (Revision of IEEE Standard 1149.1-2001), 2013, pp. 1–444.
- [11] IEEE Standard Testability Method for Embedded Core-Based Integrated Circuits, IEEE Standard 1500-2005, 2005, pp. 1–136.
- [12] IEEE Standard for Access and Control of Instrumentation Embedded Within a Semiconductor Device, IEEE Standard 1687-2014, 2014, pp. 1–283.
- [13] Y. Zhang, G. Gantt, M. Rychlinski, R. Edwards, J. Correia, and C. Wolf, "Connected vehicle diagnostics and prognostics, concept, and initial practice," *IEEE Trans. Rel.*, vol. 58, no. 2, pp. 286–294, Jun. 2009.
- [14] E. Cannon, A. Kleinosowski, R. Kanj, D. Reinhardt, and R. Joshi, "The impact of aging effects and manufacturing variation on SRAM softerror rate," *IEEE Trans. Device Mater. Relib.*, vol. 8, no. 1, pp. 145–152, Mar. 2008.
- [15] K. Choi, J. Luo, K. R. Pattipati, S. M. Namburu, L. Qiao, and S. Chigusa, "Data reduction techniques for intelligent fault diagnosis in automotive systems," in *Proc. IEEE Autotestcon*, Sep. 2006, pp. 66–72.
- [16] A. Cook, D. Ull, M. Elm, H.-J. Wunderlich, H. Randoll, and S. Dohren, "Reuse of structural volume test methods for in-system testing of automotive ASICs," in *Proc. IEEE 21st Asian Test Symp.*, Nov. 2012, pp. 214–219.
- [17] F. Firouzi, F. Ye, A. Vijayan, A. Koneru, K. Chakrabarty, and M. B. Tahoori, "Re-using BIST for circuit aging monitoring," in *Proc.* 20th IEEE Eur. Test Symp. (ETS), May 2015, pp. 1–2.
- [18] R. S. Oliveira, J. Semiao, I. C. Teixeira, M. B. Santos, and J. P. Teixeira, "On-line BIST for performance failure prediction under aging effects in automotive safety-critical applications," in *Proc. 12th Latin Amer. Test Workshop (LATW)*, Mar. 2011, pp. 1–6.
- [19] L. Jin, "Scan design and DFT practices," in *Proc. IEEE 8th Int. Conf.* ASIC, Oct. 2009, p. 13.
- [20] D. Sargsyan, "ISO 26262 compliant memory BIST architecture," in Proc. Comput. Sci. Inf. Technol. (CSIT), Sep. 2017, pp. 78–82.
- [21] J. D. Rolt, G. D. Natale, M. Flottles, and B. Rouzeyre, "Thwarting scanbased attacks on secure-ICs with on-chip comparison," *IEEE Trans. Very Large Scale Integr. (VLSI) Syst.*, vol. 22, no. 4, pp. 947–951, May 2013.
- [22] C. Varun and M. Kathiresh, "Automotive Ethernet in on-board diagnosis (over IP) & in-vehicle networking," in *Proc. Int. Conf. Embedded Syst. (ICES)*, Jul. 2014, pp. 255–260.

- [23] Robert Bosch GmbH, document 50, CAN Specification, Version 2.0, Stuttgart, Germany, 1991.
- [24] K. Rosenfeld and R. Karri, "Attacks and defenses for JTAG," *IEEE Des. Test. Comput.*, vol. 27, no. 1, pp. 36–47, Jan. 2010.
- [25] Enhanced Controller Area Network (eCAN), document TMS320x280x/2801x, Texas Instruments, Dallas, TX, USA, 2009.
- [26] S. Mitra, N. Seifert, M. Zhang, Q. Shi, and K. Kim, "Robust system design with built-in soft-error resilience," *Computer*, vol. 38, no. 2, pp. 43–52, Feb. 2005, doi: 10.1109/mc.2005.70.
- [27] S. Mitra, M. Zhang, N. Seifert, T. Mak, and K. S. Kim, "Soft error resilient system design through error correction," in *Proc. IFIP Int. Conf. Very Large Scale Integr.*, Oct. 2006, pp. 332–337.
- [28] D. E. Muller and W. S. Bartky, "A theory of asynchronous circuits," in Proc. Int. Symp. Theory Switching, vol. 29, 1959, pp. 204–243.
- [29] H. Yi, T. Yoneda, and M. Inoue, "A scan-based on-line aging monitoring scheme," J. Semicond. Technol. Sci., vol. 14, no. 1, pp. 124–130, Feb. 2014.
- [30] Road Vehicles—Controller Area Network (CAN)—Part 1: Data Link Layer and Physical Signaling, Standard ISO 11898-1:2015, 2015.
- [31] Road Vehicles—Functional Safety, Int. Org. Standardization, London, U.K., 2011.
- [32] V.-M. Chiriac, C.-R. Comsa, and D. Burdia, "Safety concepts for body control automotive functionalities," in *Proc. 10th Int. Conf. Electron.*, *Comput. Artif. Intell. (ECAI)*, Jun. 2018, pp. 1–4.
- [33] Taxonomy and Definitions for Terms Related to Driving Automation Systems for On-Road Motor Vehicles, Standard J3016, SAE International, The SAE On-Road Automated Vehicle Standards Committee, 2018.
- [34] J. Han, Y. Kwon, Y. C. P. Cho, and H.-J. Yoo, "A 1GHz fault tolerant processor with dynamic lockstep and self-recovering cache for ADAS SoC complying with ISO26262 in automotive electronics," in *Proc. IEEE Asian Solid-State Circuits Conf. (A-SSCC)*, Nov. 2017, pp. 313–316.
- [35] K. J. Lee, K. Bong, C. Kim, J. Jang, K.-R. Lee, J. Lee, G. Kim, and H.-J. Yoo, "A 502-GOPS and 0.984-mW dual-mode intelligent ADAS SoC with real-time semiglobal matching and intention prediction for smart automotive black box system," *IEEE J. Solid-State Circuits*, vol. 52, no. 1, pp. 139–150, Jan. 2017.



**JINUK KIM** received the B.S. degree in computer science and engineering from Hanyang University, South Korea, in 2015, where he is currently pursuing the joint M.S. and Ph.D. degrees in computer science and engineering. His research interests include design-for-testability (DFT), memory ECC, memory test, 3D-IC testing, aging monitoring, and low-power design.



**MUHAMMAD IBTESAM** received the B.Sc. degree in electrical engineering from the University of Engineering and Technology, Taxila, Pakistan. He is currently pursuing the joint M.S. and Ph.D. degrees in computer science and engineering with Hanyang University. His fields of research interest are design for testability (DFT), low-power 3D IC/SiP testing, and low-power designs.



**DOOYOUNG KIM** received the B.S., M.S., and Ph.D. degrees in computer science and engineering from Hanyang University, Seoul, South Korea, in 2004, 2006, and 2017, respectively. From 2006 to 2012, he was with LG Electronics, Seoul, as a Research Engineer, in-charge of ASIC Front-end process. His current research interests include design-for-testability, low-power design, and IC security.



JIHUN JUNG received the B.S. and Ph.D. degrees in computer science and engineering from Hanyang University, Seoul, South Korea, in 2010 and 2017, respectively. Since 2017, he has been with Teradyne, Boston, MA, USA, for system level testing. His current research interests include design for testability, memory test, memory ECC, 3-D-IC testing, on-line test, aging monitoring, and system level testing.



**SUNGJU PARK** (Senior Member, IEEE) received the B.S. degree in electronic engineering from Hanyang University, South Korea, in 1983, and the M.S. and Ph.D. degrees in electrical and computer engineering from the University of Massachusetts, USA, in 1988 and 1992, respectively. From 1983 to 1986, he was with the Gold Star Company, South Korea. From 1992 to 1995, he served IBM Microelectronics, Endicott, NY, USA, as a Development Staff in-charge of bound-

ary scan and LSSD scan design. Since then, he has been a Professor with the Department of Computer Science and Engineering, Hanyang University, South Korea. His research interests lie in the area of VLSI testing including scan design, built-in self-test, test pattern generation, fault simulation, synthesis of test, graph theory, and design verification. He is a member of the Institute of Electronics Engineers of Korea, the Korea Information Science Society, and the Institute of Electronics and Information and Communication Engineers.

. . .