AVR Freaks

Aeronautical and automotive grade microcontrollers are often NOT unique designs but are simply tested over a wider temperature range; lower minimum and higher maximum temperatures than standard industrial grade.

 

There are other factors such as vibration, that ARE package design decisions. 

 

Other things such as surge voltages and EMI are the responsibility of the  circuit designer. We know a lot more about surge and EMI than even 10 years ago, and it is more and more common to design about these things at the very beginning.

 

Failure rates are very difficult to get. Most manufacturers do not release such numbers, even if they do track them, except perhaps for MIL-SPEC requirements. Even product manufactures do not keep track of such things unless, perhaps, they make the product in the millions. And they certainly will not tell you. That would be a "trade secret".

 

Jim

Same reason people drive Ford'sWhen a company makes silicon chips on the whole all examples of one model are generally created equal. However during the production they do various factory tests and if some are found to operate in a wider temperature range than others they maybe qualified as "automotive" but it's probably the very same thing really. Most manufacturers will give a MTBF (Mean Time Between Failure) which will usually suggest that the chances of silicon failing is less likely than being killed when a donkey drops out of a tree and onto your head! Silicon just does not fail. The packaging might. Certainly the soldering to the PCB might. The PCB itself might get hairline fractures in tracks and some "more analog" components may fail (such as overheated capacitors having the electrolyte dry out and fail - don't ask me how I know about this one!!). The likelihood of anything failing on the actual silicon die (as long as it's operated within published specs) is astronomic. In 40+ years and being involved in 100's of products and literally millions of units the only time I've ever known of a failure was a batch of DRAM chips from Micron that has a manufacturing fault because something was not done right one day in their fabrication factory.

Relative to bulk CMOS, avionics and LEO; there are CMOS processes that produce avionics-ready megaAVR :

Radiation Tolerant | Aerospace and Defense | Microchip Technology

Increased GCR will result in more SEU in bulk CMOS all the way to Earth's surface (a spray of particles from one GCR impact in the upper atmosphere)

 

Microchip's high-reliability MCU are a mega128, mega64M1, and one dsPIC :

High Reliability | Microchip Technology

 

---

LEO - Low Earth Orbit

GCR - Galactic Cosmic Ray ('30 is the beginning of the next grand solar minimum for, IIRC, an estimated half century in duration on a 400y period)

SEU - Single Event Upset

A brief review of Total Ionizing Dose (TID) effects and Single Event Effects

 

For a competitor, a case of beer (share the painkiller with your fellow co-workers)

New VORAGO Technologies Products | Mouser

That thin PCBA shows it's for geo-electronics (down-hole, another high reliability application)

The CubeSat board's about an order of magnitude more expensive than one with a COTS MCU.

 

http://www.pumpkininc.com/content/doc/forms/pricelist.pdf (CPU PCBA start on page 19)

via CubeSat Kit - Purchase Information

 

Scale Space Applications with COTS-to-Radiation-Tolerant and Radiation-Hardened Arm® Core MCUs | Microchip Technology

Devices enable designers to begin development with a commercial device before moving to different levels of radiation-qualified versions, reducing development time and costs

Chandler, Arizona

March 28, 2019

...

Based on the automotive-qualified SAMV71, the SAMV71Q21RT radiation-tolerant and SAMRH71 radiation-hardened MCUs implement the widely deployed Arm^® Cortex^®-M7 System on Chip (SoC), enabling more integration, cost reduction and higher performance in space systems.

...

While the SAMV71Q21RT’s radiation performance is ideal for NewSpace applications such as Low Earth Orbit (LEO) satellite constellations and robotics, the SAMRH71 offers the radiation performance suited for more critical sub-systems like gyroscopes and star tracker equipment. 

...

To protect against the effects of radiation and manage system mitigation, the architecture of the devices includes fault management and data integrity features such as Error-correcting Code (ECC) memory, Integrity Check Monitor (ICM) and Memory Protection Unit (MPU). 

...

 

Development Tools

To ease the design process and accelerate time to market, developers can use the ATSAMV71-XULT evaluation board. The devices are supported by Atmel Studio Integrated Development Environment (IDE) for developing, debugging and software libraries. Both devices will also be supported in MPLAB^® Harmony version 3.0 by mid-2019.  

 

...

SAM V71 Xplained Ultra Evaluation Kit

http://packs.download.atmel.com/#collapse-Atmel-SAMV71-DFP-pdsc

Atmel Studio 7 | Microchip Technology

MPLAB Harmony v3| Embedded Software Development Framework | Microchip Technology

 

In fact, what is reliable enough?  You have to consider the application.  For example:

 

In 1968, the assistant to the secretary of defense for atomic energy, Dr. Carl Walske, codified the safety standard for nuclear weapons:

The probability of a premature nuclear detonation of a bomb due to bomb [or warhead] component malfunctions, in the absence of any input except for specified signals (e.g. monitoring and control) shall not exceed:

(1) Prior to receipt of the pre-arm signal, for normal storage and operational environments described in the STS (Stockpile-to-Target Sequence), one in one billion) per bomb [or warhead] lifetime.

(2) Prior to receipt of the pre-arm signal, for the abnormal environments described in the STS, one in one million per bomb [or warhead] exposure or accident.26   

 

The following are safety criteria design requirements for all U.S. nuclear weapons:
Normal environment—Prior to receipt of the enabling input signals and the arming signal, the probability of a premature nuclear detonation must not exceed one in a billion per nuclear weapon lifetime.
Abnormal environment—Prior to receipt of the enabling input signals, the probability of a premature nuclear detonation must not exceed one in a million per credible nuclear weapon accident or exposure to abnormal environments. 

 

 

Recently I read some articles and saw some video's about the early days of semiconductors.

Making reliable transistors was a real problem and for some years vacuum tubes were more reliable than transistors.

 

10 to 15 years later there were real horror stories about whole semiconductor factories producing 100% garbage.

Yep, yield of 0% for several months in a row for a whole semiconductor factory...

 

I believe this was traced down eventualy to the use of spraying phosphor containing compound in pesticides in argiculture, which interfered with the naked semiconductors during production.

 

We've com a long way since then, but to be fair, I do not understand / comprehend that modern electronics work at all.

Some of the largest chips have 19 billion transistors on them. Think about the error rate to make something like that work...

 

Not quite an MCU but I have an 8155 here that 'forget' bits of the code blown into it. And likewise, some bipolar PROMS used as address decoders whose contents are no longer correct.

 

Both are, I suspect, related to the re-growth of fuses.

Think "bell curve".

Or perhaps, the more popular bathtub curve for semiconductors. In any case, what happens after the eventual failure is  important.  For example, traffic lights have (had?) designs such that even if the micro went wacko & ordered all the lights to turn green, it still wouldn't happen, due to some failsafes beyond the micro.   So assume certain failure will occur & prepare to mitigate "to the extent needed".   Determining that extent is often a difficult tradeoff. 

 

A vending machine that gives an extra candy bar is one thing; a flamethrower that won't shut off is another. 

In the list of failures I listed in #16, we might add noise.

 

Now, this requires a bit of dancing. IF the MCU is properly designed (that is, the various N & P channel FETs have the proper thresholds, etc) AND the power distribution system (in the chip) is properly done, AND if the external power remains within the specified voltage range (which implies proper power pin bypassing), then the MCU, itself, will NOT fail from internal noise. This is pretty much bread-and-butter technology, these days. Any device that violates these design rules does not deserve to be in the market, IMHO. 

 

BUT, external noise, especially on MCU inputs and external oscillator, CAN cause the SYSTEM to fail. This is not the same as an MCU failure, of course, though it tends to have very similar consequences. This is the kind of stuff that voltage spikes, ESD tests, and the like, for CE certification, are designed to detect. This is necessary because the hardware design technology has not yet reached the point where noise immunity is "bread-and-butter stuff".

 

So, for this particular "failure" mode, it is not, strictly speaking, the MCU. But, that said, the system really does not know the difference.

 

Jim

Product Change Notification - SYST-09HVXW011 - 10 Sep 2019 - Data Sheet - SAMV71Q21RT Radiation-Tolerant 32-bit Arm Cortex-M7 MCU

...

 

Description of Change:
1) Extends minimum operating temperature to -55°C for all package types throughout the data sheet.

2) Removes previous temperature range for Flash programming total Write/Erase specifications.

3) Eliminates USB option for SAM-BA boot programming.

4) Moves Drive Level specification (PON) for 32.768 kHz crystal oscillator from Table 58-20 to Table 58-19.

5) Moves Drive Level specification (PON) for 3 to 20 MHz crystal oscillator from Table 58-23 to Table 58-22.

6) Other minor typographic corrections throughout the document.

 

...

 

Attachment(s):

SAMV71Q21RT Radiation-Tolerant 32-bit Arm Cortex-M7 MCU

 

...