Functional safety is key to ensuring that products operate safely, and that
even if they fail, they are still capable of entering a controlled, safe
operating mode. Let's say you want to make a left turn using your
electric power steering and the control unit malfunctions. With functional
safety and enough redundancy, the car will give you degraded steering
assistance so you can move it to a safe place.
Think about the modern car. It's more complex than ever, with
increasing electronics and millions of lines of code running it. As our
cars become more automated, the complexity will continue to rise.
This makes functional safety even more important to automakers. They
can't choose to ignore it.
Today, vehicles operate with a traditional fail-safe engine control unit
architecture. This detects the fault and transitions the system to a safe state,
and in the end the driver is still able to take back control of the vehicle.
Gradually, as electronic systems evolve to Levels 4 and 5, the dependence on
the driver diminishes, because the vehicle has sufficient redundancy and diversity
to continue full operation despite the detection of a fault.
System failure prevention: from fail-safe system architectures
In a fail-safe architecture, the power supply feeds the microcontroller and the
other peripherals and monitors them for over- and under-voltage. It is also in
charge of sensing and evaluating the safe operation of the MCU through the watchdog
and HW error monitoring functions. If a fault is detected, the system goes
into a safe state, driven by the safety power supply, which guarantees that the
function is maintained in a known and defined state rather than an uncontrolled one.
To fail-operational system architectures: How do they work?
As vehicles move beyond the first levels of automation, new fail-operational
system architectures are required to add more functionality to the vehicle.
Fail-operational systems guarantee the full or degraded operation of a
function even if a failure occurs. In this instance, the target applications
are characterized as needing high performance, a high level of safety
integrity and a high level of availability. Fault detection and reaction
are controlled by independent hardware, since a fail-operational system includes
at least two fail-silent units. To remove common-cause failures, even the
supply is ensured by redundant and independent batteries (VBAT1 and VBAT2).
Depending on the SAE level targeted by the car maker, the backup function can
be used for several seconds to several minutes. For Level 3 automation,
the driver is informed by the system that there is a failure and asked to take back
control of the vehicle. Starting at L4, the driver is no longer informed of
a fault, so the robot (car) will most likely park the vehicle in an area that is safe
for the occupants of the vehicle and the other road users. As such, NXP is
capable of providing functional safety systems that are more and more advanced
and therefore more reliable and effective than ever before. Safety
architectures and system design aim to enable full redundancy to facilitate
higher levels of autonomous driving and fault tolerance in the case of
failure.
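As an added illustration (not NXP's code, and not part of the original post), the following models the fail-silent and arbitration behaviour described above: two units, each on its own battery (VBAT1 and VBAT2), each silencing itself when its supply monitor, watchdog or HW error monitor reports a fault, and a supervisor that yields full operation, degraded assistance or the safe state. The voltage window, the torque values and the halving of assistance in degraded mode are assumed for the example.

```c
/* Added example: model of fail-operational arbitration over two
 * fail-silent units. Values below are constructed, not from NXP. */
#include <stdio.h>
#include <stdbool.h>

enum mode { MODE_FULL, MODE_DEGRADED, MODE_SAFE_STATE };

struct unit {
    int  vbat_mv;      /* independent battery (VBAT1 or VBAT2), millivolts */
    bool watchdog_ok;  /* MCU serviced its watchdog within the window */
    bool hw_error;     /* HW error monitor flagged a fault */
    int  torque_cmd;   /* steering assist demand computed by this unit */
};

/* Supply window enforced by the safety power supply (assumed values). */
#define VBAT_MIN_MV 9000
#define VBAT_MAX_MV 16000

/* Fail-silent rule: a unit that detects its own fault stops driving output. */
static bool unit_healthy(const struct unit *u)
{
    if (u->vbat_mv < VBAT_MIN_MV || u->vbat_mv > VBAT_MAX_MV) return false;
    if (!u->watchdog_ok) return false;
    if (u->hw_error) return false;
    return true;
}

/* Both healthy: full operation. One healthy: degraded assistance from the
 * surviving unit. None: safe state with a known, defined output (no assist). */
enum mode arbitrate(const struct unit *a, const struct unit *b, int *out_cmd)
{
    bool ha = unit_healthy(a), hb = unit_healthy(b);
    if (ha && hb) { *out_cmd = a->torque_cmd; return MODE_FULL; }
    if (ha || hb) {
        const struct unit *live = ha ? a : b;
        *out_cmd = live->torque_cmd / 2;   /* assumed degraded level */
        return MODE_DEGRADED;
    }
    *out_cmd = 0;
    return MODE_SAFE_STATE;
}

int main(void)
{
    struct unit u1 = { 12000, true, false, 40 };   /* constructed sample */
    struct unit u2 = { 12100, true, false, 40 };
    int cmd;
    printf("mode %d cmd %d\n", arbitrate(&u1, &u2, &cmd), cmd);
    u1.vbat_mv = 7000;   /* VBAT1 undervoltage: unit 1 goes silent */
    printf("mode %d cmd %d\n", arbitrate(&u1, &u2, &cmd), cmd);
    return 0;
}
```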