ECU architecture ensures failure safety

Marc Osajda, Freescale Semiconductor

June 17, 2011

Marc Osajda, Freescale Semiconductor

Driven by the introduction of higher value functions in cars and the continuous trend to vehicle electrification, safety critical functions are increasingly carried out by programmable electronic systems rather than mechanical components. The complexity of these systems makes it impossible to fully determine all potential failure modes or to test all possible behavior.

Consequently, the challenge for system engineers is to architect control units in a way that dangerous failures are prevented or at least sufficiently controlled when they occur.

Dangerous failures may arise from:

• Random hardware failure mechanisms
• Systematic hardware failure mechanism
• Software errors
• Common cause failures

Being a challenge for electronic control unit design, these failure modes are also specifically relevant for complex components such as microcontrollers.

Therefore, industry standards such as the upcoming ISO26262 specify four safety integrity levels, each corresponding to a range of target likelihood of failures of a safety function.

Safety concept fundamentals
Freescale, with design experience in dual-core controller technology for safety critical applications, aimed for a holistic safety concept for its latest dual core processor families. Third-party functional safety experts were engaged for monitoring and assessment of concept implementation as well as design processes.

On this basis, the MPC564xL family was developed. Focus was on:

• Measures against single point faults
• Measures against latent faults
• Measures against common cause faults (CCF)

To read the complete article, which describes the fault mitigating architecture, click here, courtesy of Automotive Designline Europe.