Safety mechanisms for random ECU hardware failures in compliance with ISO 26262

Abstract

The increasing complexity of today's automotive electronic systems makes it challenging for manufacturers to ensure a high safety level in their vehicles. As a response, the ISO 26262 functional safety standard will be introduced for heavy-duty vehicles in 2018. Therefore, the hardware and software solutions developed by Volvo Group Trucks Technology will need to be adapted to comply with this standard. In addition to an analysis of ISO 26262, this thesis provides a case study of how the Volvo Engine Brake (VEB) can be adapted to comply with the standard. The analysis is focused on the electronic hardware of the engine control unit, and examines various safety mechanisms to improve the current system. The hazard of unwanted activation of the engine brake function is estimated to have ASIL C - the second most critical safety level. To comply with the requirements of ASIL C, the peripheral circuits of the engine brake should include both low and high-side MOSFET switches. Although a hardware-based diagnosis solution for actuator failures is presented, the study shows that a software-based safety mechanism is sufficient, which reduces the amount of extra hardware required. Additionally, if the inputs to the engine brake application are considered to be safety critical in a full evaluation, redundant sensors are required to meet the targets for ASIL C. A number of the solutions proposed in the concept for compliance with the standard are implemented and verified through a prototype.