Automotive functional safety: The evolution of fail safe to fail operational architecture

Functional Safety is key to ensuring that products operate safely, and that even when they fail they are still capable of entering a controlled safe operating mode. Let's say you want to make a left turn using your electric power steering and the control unit malfunctions. With functional safety and enough redundancy, the car will give you degraded steering assistance so that you can move it to a safe place.

Think about the modern car. It's more complex than ever, with ever more electronics and millions of lines of code running it. As the car becomes more automated, that complexity will continue to rise.

This makes functional safety even more important to automakers. They can't choose to ignore it.

Today, vehicles operate with a traditional fail-safe engine control unit architecture. This detects the fault and transitions the system to a safe state, but in the end the driver is still able to take back control of the vehicle.

Gradually, as electronic systems evolve towards Levels 4 and 5 of automation, the dependence on the driver diminishes, because the vehicle has sufficient redundancy and diversity to continue full operation even after a fault has been detected.

System failure prevention: from fail-safe system architectures

In a fail-safe architecture, the safety power supply delivers power to the microcontroller and the other peripherals and monitors it for over- and under-voltage. It is also in charge of sensing and evaluating the safe operation of the MCU through its watchdog and hardware error monitoring functions. If a fault is detected, the system goes into a safe state (driven by the safety power supply), which guarantees that the function is maintained in a known and defined state rather than an uncontrolled one.

To fail-operational system architectures: How do they work?

As vehicles move beyond the first levels of automation, new fail-operational system architectures are required to add more functionality to the vehicle. Fail-operational systems guarantee the full or degraded operation of a function even if a failure occurs. Here the target applications are characterized as needing high performance, a high level of safety integrity and a high level of availability. Fault detection and reaction are controlled by independent hardware, since a fail-operational system includes at least two fail-silent units. To remove common cause failures, even the supply is provided by redundant and independent batteries (VBAT1 and VBAT2).

Depending on the SAE level targeted by the car maker, the backup function may need to be used for anywhere from several seconds to several minutes. At Level 3 of automation, the system informs the driver that there is a failure and asks them to take back control of the vehicle. Starting at Level 4, the driver is no longer informed of a fault, so the robot (the car) will most likely park the vehicle in a safe area for its occupants and for other road users. As such, NXP is able to provide functional safety systems that are more and more advanced, and therefore more reliable and effective than ever before. Safety architectures and system design aim to enable full redundancy, to facilitate higher levels of autonomous driving and fault tolerance in the case of failure.
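To make the two architectures above concrete, here is an added illustrative model (written for this page, not NXP code and not a model of any NXP part) that puts the pieces together: a fail-safe unit whose safety supply checks its core voltage window, a window watchdog and a hardware error pin and latches the unit into a silent safe state on any fault (the fail-safe section), and a fail-operational arbiter that combines two such units on independent batteries and chooses the Level 3 reaction (warn the driver, hand over) or the Level 4 reaction (park the vehicle) when the primary unit goes silent (the fail-operational section). All thresholds, timings, unit names and the undervoltage scenario are constructed assumptions; the point the scenario makes is that a shared battery turns a single sag into a common cause failure of both units.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed thresholds for illustration only; not values of any real part. */
#define VCORE_MIN_MV        1100u
#define VCORE_MAX_MV        1300u
#define WDG_WINDOW_OPEN_MS    40u   /* earliest allowed watchdog service */
#define WDG_WINDOW_CLOSE_MS   60u   /* latest allowed watchdog service  */

typedef enum { UNIT_RUNNING, UNIT_SAFE_STATE } unit_state_t;

/* One fail-silent unit: an MCU with its own safety supply and battery. */
typedef struct {
    const char *name;
    unit_state_t state;
    uint32_t last_wdg_service_ms;
} fail_silent_unit_t;

/* What the safety supply observes in one monitoring cycle. */
typedef struct {
    uint32_t now_ms;
    uint32_t vcore_mv;       /* core voltage it delivers to the MCU       */
    bool mcu_serviced_wdg;   /* MCU serviced the watchdog this cycle     */
    bool hw_error_pin;       /* MCU's hardware error output is asserted  */
} diagnostics_t;

/* Fail-safe supervision of one unit. Over-/under-voltage, a watchdog service
 * outside its window, a missed service, or an asserted error pin latches the
 * unit in its safe state, where it stays silent until reset. */
bool unit_supervise(fail_silent_unit_t *u, const diagnostics_t *d)
{
    if (u->state == UNIT_SAFE_STATE)
        return false;
    bool volt_ok = d->vcore_mv >= VCORE_MIN_MV && d->vcore_mv <= VCORE_MAX_MV;
    uint32_t since = d->now_ms - u->last_wdg_service_ms;
    bool wdg_ok = since <= WDG_WINDOW_CLOSE_MS;          /* not yet overdue */
    if (d->mcu_serviced_wdg) {                           /* too early is a fault too */
        wdg_ok = since >= WDG_WINDOW_OPEN_MS && since <= WDG_WINDOW_CLOSE_MS;
        if (wdg_ok)
            u->last_wdg_service_ms = d->now_ms;
    }
    if (!volt_ok || !wdg_ok || d->hw_error_pin) {
        u->state = UNIT_SAFE_STATE;
        return false;
    }
    return true;
}

typedef enum {
    SYS_NOMINAL,              /* primary active, backup standing by          */
    SYS_BACKUP_DRIVER_WARNED, /* L3: backup active, driver asked to take over */
    SYS_BACKUP_SELF_PARKING,  /* L4+: backup active, vehicle parking itself   */
    SYS_DRIVER_IN_CONTROL,    /* terminal: driver took the vehicle back       */
    SYS_PARKED_SAFELY,        /* terminal: minimal-risk stop reached          */
    SYS_FAILED                /* terminal: both units silent, no backup left  */
} sys_state_t;

typedef struct {
    fail_silent_unit_t primary, backup;
    int sae_level;
    uint32_t backup_budget_ms;   /* how long the backup function is relied on */
    uint32_t backup_since_ms;
    sys_state_t state;
} fail_operational_system_t;

/* One arbitration cycle: supervise both units, then decide the system state. */
sys_state_t system_step(fail_operational_system_t *s,
                        const diagnostics_t *dp, const diagnostics_t *db)
{
    bool primary_ok = unit_supervise(&s->primary, dp);
    bool backup_ok  = unit_supervise(&s->backup, db);
    switch (s->state) {
    case SYS_NOMINAL:
        if (primary_ok) break;
        if (!backup_ok) { s->state = SYS_FAILED; break; }
        s->backup_since_ms = dp->now_ms;
        s->state = s->sae_level >= 4 ? SYS_BACKUP_SELF_PARKING : SYS_BACKUP_DRIVER_WARNED;
        break;
    case SYS_BACKUP_DRIVER_WARNED:
    case SYS_BACKUP_SELF_PARKING:
        if (!backup_ok) { s->state = SYS_FAILED; break; }
        if (dp->now_ms - s->backup_since_ms >= s->backup_budget_ms)
            s->state = s->state == SYS_BACKUP_SELF_PARKING ? SYS_PARKED_SAFELY
                                                           : SYS_DRIVER_IN_CONTROL;
        break;
    default: break;                                      /* terminal states */
    }
    return s->state;
}

/* Constructed scenario: both units healthy, then the primary's supply sags to
 * 1000 mV at t = 200 ms. With shared_battery the backup hangs off the same
 * battery and sees the same sag (common cause). Returns the state after 40 s. */
sys_state_t run_undervoltage_scenario(int sae_level, bool shared_battery)
{
    fail_operational_system_t s = {
        .primary = { "unit A / VBAT1", UNIT_RUNNING, 0 },
        .backup  = { "unit B / VBAT2", UNIT_RUNNING, 0 },
        .sae_level = sae_level,
        .backup_budget_ms = sae_level >= 4 ? 30000u : 10000u,  /* assumed budgets */
        .state = SYS_NOMINAL,
    };
    for (uint32_t t = 10; t <= 40000; t += 10) {
        uint32_t sag_mv = t >= 200 ? 1000u : 1200u;
        bool service = (t % 50) == 0;                    /* MCUs service every 50 ms */
        diagnostics_t dp = { t, sag_mv, service, false };
        diagnostics_t db = { t, shared_battery ? sag_mv : 1200u, service, false };
        system_step(&s, &dp, &db);
    }
    return s.state;
}

int main(void)
{
    printf("L3, independent batteries: state %d\n", run_undervoltage_scenario(3, false));
    printf("L4, independent batteries: state %d\n", run_undervoltage_scenario(4, false));
    printf("L4, shared battery:        state %d\n", run_undervoltage_scenario(4, true));
    return 0;
}
```

The same fault lands in three different end states: at Level 3 the backup unit carries the function for the assumed budget while the driver is warned and takes the vehicle back, at Level 4 it carries the function until the vehicle has parked itself, and with a single shared battery there is no backup left to run at all, which is why the architecture keeps VBAT1 and VBAT2 independent.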

Jean-Philippe Meunier
Jean-Philippe Meunier joined NXP in 1999. He holds a Master's degree in Micro-Electronics. With a career in the electronics and semiconductor business focused on the Automotive market, he has held various positions in Product Engineering, Program Management, Application and System Architecture. He is now Global Functional Safety Architect for the Safety & Power Management Product Line at NXP.
