In September 2006 the US government mandated that vehicle stability control be required on all future cars. In making the announcement, the National Highway Traffic and Safety Administration (NHTSA) cited its analysis showing conclusively that cars equipped with stability control are 35 percent less likely to be involved in a collision. Electronic stability control is expected to cause an approximately 43 percent reduction in overall fatal accidents and a 56 percent reduction in single-vehicle fatalities.

Even before the US government's mandate, worldwide fitment rates for electronic stability control were projected to grow from 21 percent in 2006 to 35 percent in 2012 (CAGR of 12.5%). Brake-by-wire fitment rates were projected to grow from less than 1 percent in 2006 to 5 percent in 2012 (CAGR of 36.4%).

For any major functional automotive system, electronic chassis management can be an appealing, yet elusive goal for a number of reasons (not the least of which are safety and reliability). However, there is no lack of strict definition in terms of the challenge's safety requirements. These terms are well-defined by an International Electrotechnical Commission (IEC) standard for functional safety of electrical/electronic/programmable electronic (E/E/PE) safety-related systems. Currently, IEC 61508 is considered the state-of-the-art standard for the development of safety-critical systems. Even if the standard is not yet legally enforced fully, automotive system designers are expected to comply with this "state of technology" standard. An automotive systems designer has to consider the entire signal chain, from input sensors through to digital processing and actuators, when building functional safety into applications.

Figure One: Functional safety in an overall system that depends on equipment operating correctly in response to its inputs.

IEC 61508 describes the process of "hazard" and "risk analysis" as part of the system design and defines "functional safety" of an Electronic Control Unit, for instance, as "part of the overall safety that depends on a system or equipment operating correctly in response to its inputs." Each safety function of a system gets assessed in regard to its "requirements" (what the function is supposed to do) and its "integrity" (how likely the function is to perform satisfactorily). The norm furthermore classifies the occurrence probability of a dangerous failure in a safety function "operating in high demand or continuous mode of operation" into four different "Safety Integrity Levels" (SIL). Each level covers a range of acceptable failure rates, or, in other words, the target "Mean Time To Failure" (MTTF), where SIL4 is the most strict. SIL ratings are applicable to many industries (not only automotive) and the definition of each SIL rank is domain dependent. The safety integrity levels SIL2 and SIL3 are the most common levels required by off-highway applications.

Depending on their function and their importance to safety, automotive systems are subject to either SIL2 or SIL3 certification as defined by the IEC 61508 standard. This multilevel, statistical representation of a self-instrumented system's reliability requires a "Safe Failure Fraction" (SFF) of 99 percent and a reliability performance metric calculated as the ratio between detected dangerous failures (including nondangerous failures) and all failures. The "Diagnostic Coverage" (DC) is defined as the detected dangerous failures over dangerous failures. The DC is also expected to reach 99 percent in safety-critical automotive systems.

SIL3 certifications for automotive systems are usually conferred on the basis of the performance of the electronic control unit (ECU) that controls the mechanical system it actuates. For automotive systems, ECU evaluation and SIL3 certification is managed by independent safety assessment organizations such as Technischer Uberwachungsverein (TUV) Rheinland, an international service group that documents the safety and quality of products, systems and services.

A mission-critical, integrated mechanical system (such as brakes) can not yet be entirely replaced by electronics. But the high levels of safety required for any SIL3 certification—mechanical or electronic—are attained by using redundant systems; and electronic systems can help widely implement redundancy.