Automotive safety has improved over the years, driven not just by government mandates but by customer preference for safer cars as well. As the modern car incorporates automotive electronics to a greater and greater extent, the "safety" of systems beyond the safety-specific ones is clearly becoming more and more important. The aerospace industry has been using fly-by-wire systems for many years now, but it does not face the same level of price pressure that the automotive industry is under. Aeronautical systems often use redundancy, sometimes even up to quadruple redundancy, for specific functions.
The automotive industry sets its own challenge. It must meet similar levels of robustness without increasing the cost of the vehicle. It is up to the Tier-Ones and their suppliers to come up with innovative and new solutions to solve the problem of uncompromising safety at a competitive price.
In 1998 the International Electrotechnical Commission (IEC) published the 61508 standard. The document sets out requirements for minimising failures in electronic systems. The standard gives several definitions of system integrity level, or SIL. Applications and systems are classified by the probability of a dangerous failure arising per hour as follows:
One FIT (failure in time) is equivalent to a dangerous failure rate of 10^-9 per hour. Thus a full system must work within a safety budget, where the accumulated FIT figures of all its devices determine the SIL level it achieves.
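As an added worked example (not from the article), the following Python script carries out the safety-budget arithmetic just described: it sums constructed component FIT figures into a system dangerous-failure rate and checks it against a target SIL. The band limits are the IEC 61508 high-demand-mode bands for probability of dangerous failure per hour, which the article refers to but does not reproduce above; the component names and FIT values are invented for illustration.

```python
"""FIT safety-budget check against IEC 61508 SIL bands (added example)."""
from dataclasses import dataclass
from typing import Iterable, Tuple

FIT_PER_HOUR = 1e-9  # one FIT = one dangerous failure per 10^9 device-hours

# IEC 61508 high-demand / continuous-mode bands for the probability of a
# dangerous failure per hour, expressed in FIT so the arithmetic stays exact:
# SIL n covers [lower, upper) FIT, e.g. SIL3 is 10^-8 <= PFH < 10^-7 per hour.
SIL_BANDS_FIT = {1: (1_000, 10_000), 2: (100, 1_000), 3: (10, 100), 4: (1, 10)}


@dataclass(frozen=True)
class Component:
    name: str
    fit: float  # dangerous failures per 10^9 hours (constructed sample values)


def total_fit(components: Iterable[Component]) -> float:
    """Series model: every component's dangerous failure rate adds to the total."""
    return sum(c.fit for c in components)


def sil_for_fit(fit: float) -> int:
    """SIL band that a system dangerous-failure rate (in FIT) falls into.
    Returns 0 when the rate is too high for SIL1, 4 when below SIL4's floor."""
    if fit < SIL_BANDS_FIT[4][0]:
        return 4
    for level in (4, 3, 2, 1):
        lower, upper = SIL_BANDS_FIT[level]
        if lower <= fit < upper:
            return level
    return 0


def budget_check(components: Iterable[Component], target_sil: int) -> Tuple[bool, float, float]:
    """Does the summed FIT stay below the target band's exclusive upper bound?
    Returns (meets_target, total_fit, margin_fit); a negative margin is an overrun."""
    total = total_fit(list(components))
    upper = SIL_BANDS_FIT[target_sil][1]
    return total < upper, total, upper - total


# Constructed example: a steer-by-wire controller assessed against SIL3 (< 100 FIT).
STEER_BY_WIRE = [
    Component("main MCU", 20.0),
    Component("position sensor", 15.0),
    Component("motor driver stage", 30.0),
    Component("CAN transceiver", 5.0),
]

if __name__ == "__main__":
    ok, total, margin = budget_check(STEER_BY_WIRE, target_sil=3)
    print(f"total {total} FIT = {total * FIT_PER_HOUR:.1e}/h -> SIL{sil_for_fit(total)} band; "
          f"meets SIL3: {ok}, margin {margin} FIT")
```

Adding one more 40 FIT device to the constructed list pushes the total to 110 FIT, which drops the system into the SIL2 band and reports a negative margin.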
Determining the level of safety (SIL level) that is required in an application is by no means an easy task. Clearly the critical systems of an airplane require at least SIL3 compliance and in some cases SIL4. In a car it is less obvious. There are examples such as steer-by-wire or brake-by-wire which clearly require a high level. Several tools are offered to analyse the required SIL level for a system, and it is not the intent of this article to assign SIL requirements to different systems. Suffice it to say that there are safety-critical systems in the car today which have to be considered.
Obviously the steering and braking systems are of paramount importance, but how critical is the lighting system of the car or, for that matter, the windshield wipers? On a rainy day, what FIT rate is acceptable for the system controlling one's wipers? It is becoming less and less a question of which systems are safety related and more a question of whether there are any systems which are not.
Most electronic systems in today's cars reside on a controller area network (CAN) bus or a local interconnect network (LIN) sub-bus (see below). This prompts the further question of how an error in a non-critical application, such as the GPS navigation, can propagate to another system, such as the door module or another critical application. Thus, should every system in the car have a minimum of an SIL2 rating?
High speed CAN bus networking is used to connect fast acting systems such as engine and power train controls, as well as active suspensions.
It is certain that as the body computers (see below) incorporate more and more functions, the focus on the SIL rating of these applications will become more intensive. There are examples of OEMs incorporating steering wheel locks into the gateway or bus control unit (BCU). It is clear that if the steering wheel locks due to a fault in the system, the results could be catastrophic, leading some BCU systems down the road of requiring SIL3 status.