Achieving ASIL D for Microcontroller in Safety-Critical Drive-by-Wire System 2009-01-0759

The implementation of drive-by-wire (DbW) systems has become a prevailing issue in automotive industry. The great potential in improving vehicle performance makes this new technology outweigh traditional mechanical controls and linkages. However, it also brings new safety concerns because electronic components are more likely to fail in unpredictable manners. This requires a fault-tolerant approach for electronic systems, especially for the core of these systems – the microcontrollers.

According to ISO 26262, the future international standard for functional safety of E/E systems in road vehicles (classes M, N, O), self-monitoring capability has become a necessity for microcontroller in safety-critical systems, and the highest Automotive Safety Integrity Level (ASIL D) should be achieved. To deal with this problem, several strategies for microcontroller architecture have already been established, among which asymmetric-controller and dual-core controller are the most recommended ones. With respect to ISO 26262, this paper takes a deeper observation on these two strategies in real microcontroller design process, and developed a new architecture from them that would better achieve DbW system safety requirements. This paper also presents an ISO 26262-compliant safety verification flow for microcontroller, and gives valuable suggestions on software implementation to help ensure system functional safety.