To achieve the required safety integrity, the Electronic Control Units (ECUs) of safety-critical systems need sufficient redundancy and diagnostics, in particular hardware redundancy. Hardware redundancy, however, increases both material cost and development cost. To balance cost against redundancy, safety-critical systems mostly use the N-out-of-M (NooM) safety architecture concept, with or without diagnostics (NooMD). In this notation, N is the number of channels that must agree (vote) for the safety function to be performed, M is the total number of available function channels, and D indicates an additional diagnostic (self-test) function on the hardware. Some typical safety architectures are:
- 1oo1
- 1oo1D
- 1oo2
- 1oo2D
- 2oo2
- 2oo2D
- 2oo3
- 2oo4D
The safety architecture of a safety-critical E/E system is chosen considering the following factors:
- The safety integrity level (in the automotive domain, the Automotive Safety Integrity Level, ASIL)
- The cost
- Safety availability
- The capacity for continued operation after a fault has been detected

1- 1oo1

The 1oo1 safety architecture is a single-channel system. The architecture overview of the 1oo1 is demonstrated in the picture below.
Since there is no hardware redundancy, no additional safety function path is available once a fault in the single path is detected. A system with the 1oo1 safety architecture is therefore a zero-fault-tolerant system: any system failure always and immediately results in the loss of the safety function or in a shutdown of the system. Such a safety-critical system is called a fail-safe system. I will prepare another blog post to look at fail-safe, fail-operational and fail-secure systems in detail. Because the controller has no diagnostics of its own, the safety integrity capability of an E/E system with this design is very low, so it is normally used for applications with a low safety integrity level. In the automotive domain, the maximum ASIL rating of an E/E system with the 1oo1 safety architecture is ASIL B. Typical automotive applications of this architecture are the instrument cluster controller and the headlight controller.

2- 1oo1D

To increase the safety integrity capability of an E/E system beyond the 1oo1 safety architecture, the 1oo1D safety architecture adds a separate diagnostic controller (a simple controller or an ASIC) that performs self-testing of the main controller. The overview of the 1oo1D safety architecture is demonstrated in the picture below.
If such a system is required for a higher safety integrity level such as ASIL C or ASIL D, the 1oo1D safety architecture can be used, applying the concept of automatic failure diagnostics by a separate safety processor or ASIC.
If you are a functional safety engineer working in the automotive domain, I think you must know the E-gas three-level monitoring concept [1]. E/E systems with the 1oo1D safety architecture are the hardware basis for this monitoring concept.
Typical systems with the 1oo1D safety architecture are the Engine Control Unit, the Vehicle Control Unit and the Hybrid Control Unit.
As with the 1oo1 safety architecture, a system with the 1oo1D architecture is also a zero-fault-tolerant, fail-safe system: a system failure will always and immediately result in the loss of the safety function or a shutdown of the system. The diagnostics do not add a second function path; they only ensure that a detected failure leads to a controlled shutdown instead of an undetected loss of the safety function.

3- 1oo2
The 1oo2 safety architecture was developed to improve the safety integrity of systems with the 1oo1 safety architecture. The overview of the 1oo2 safety architecture is demonstrated in the picture below. In a system with the 1oo2 architecture, either of the two channels can perform the safety function, so if one channel fails in the dangerous mode, the other one is still able to fulfil the safety function. The 1oo2 concept therefore has excellent safety integrity, but it is not fault tolerant with regard to availability: a single channel that fails in the safe mode is enough to shut the system down.

4- 1oo2D

To combine the advantages of the 1oo2 and 2oo2 safety architectures, a further safety architecture concept was designed, called 1oo2D. The overview of the 1oo2D safety architecture is demonstrated in the picture below. Compared with the 1oo2 safety architecture, a diagnostic controller (a simple controller or an ASIC) is added to each channel for self-testing. In a system with the 1oo2D architecture, a single, automatically detected failure does not immediately lead to the loss of the safety function: the affected channel is isolated and operation continues through the healthy channel. 1oo2D systems are therefore often said to achieve the safety level of a 1oo2 system and the availability level of a 2oo2 system.
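To make the fault-tolerance claims above checkable rather than take them on faith, here is an added example (it is not part of the original post and not taken from any of the cited documents) that models each voter as a rule over channel votes and exhaustively tries every placement of k channel faults, reporting whether the safety function still fires on a real demand and whether the system avoids a spurious shutdown without one. It goes beyond this section by also covering the 2oo2, 2oo2D and 2oo3 variants. The voter model, the fault-mode names (DU, SU, DD) and the rule that an isolated channel degrades the voter to min(N, remaining)oo(remaining) are simplifying assumptions of this example, not definitions from IEC 61508, ISO 26262 or any product.

```python
"""k-fault analysis of NooM / NooMD voter architectures (illustrative model).

Assumptions of this example (not taken from any standard or product):
  * each of the M channels votes either "trip" (go to the safe state) or "no trip";
  * the safe state is commanded when at least N channels vote "trip";
  * a dangerous undetected failure (DU) makes a channel never vote "trip",
    a safe undetected failure (SU) makes it always vote "trip";
  * only a "D" architecture can have a detected failure (DD): the diagnosed
    channel is isolated and the voter degrades to min(N, remaining)oo(remaining);
    when no channel is left the system trips (fail-safe behaviour).
"""
from itertools import combinations, product
from typing import Dict, List, Tuple

OK, DU, SU, DD = "ok", "DU", "SU", "DD"

# name -> (N, M, has_diagnostics); hypothetical table built for this example
ARCHITECTURES: Dict[str, Tuple[int, int, bool]] = {
    "1oo1": (1, 1, False), "1oo1D": (1, 1, True),
    "1oo2": (1, 2, False), "1oo2D": (1, 2, True),
    "2oo2": (2, 2, False), "2oo2D": (2, 2, True),
    "2oo3": (2, 3, False),
}


def vote(n: int, channels: List[str], demand: bool) -> bool:
    """True when the voter commands the safe state (a 'trip')."""
    active = [c for c in channels if c != DD]   # diagnosed channels are taken out of the vote
    if not active:                              # nothing left that can vote: shut down (fail-safe)
        return True
    votes = 0
    for c in active:
        if c == OK:
            votes += int(demand)                # healthy channel follows the real demand
        elif c == SU:
            votes += 1                          # safe failure: spurious trip request
        elif c == DU:
            pass                                # dangerous failure: never requests a trip
        else:
            raise ValueError(f"unknown channel state {c!r}")
    return votes >= min(n, len(active))         # degraded voting after isolation


def fault_modes(has_diag: bool) -> List[str]:
    return [DU, SU, DD] if has_diag else [DU, SU]


def tolerance(name: str, k: int = 1) -> Dict[Tuple[str, ...], Tuple[bool, bool]]:
    """For every k-tuple of fault modes, (safety function delivered on demand,
    no spurious trip without demand), required for every placement of the faults."""
    n, m, diag = ARCHITECTURES[name]
    if k > m:
        raise ValueError(f"{name} has only {m} channels")
    summary = {}
    for modes in product(fault_modes(diag), repeat=k):
        safe_all, avail_all = True, True
        for positions in combinations(range(m), k):
            channels = [OK] * m
            for pos, mode in zip(positions, modes):
                channels[pos] = mode
            safe_all = safe_all and vote(n, channels, demand=True)
            avail_all = avail_all and not vote(n, channels, demand=False)
        summary[modes] = (safe_all, avail_all)
    return summary


def fault_tolerant(name: str, k: int = 1) -> Tuple[bool, bool]:
    """(tolerates any k faults for safety, tolerates any k faults for availability)."""
    t = tolerance(name, k)
    return all(s for s, _ in t.values()), all(a for _, a in t.values())


if __name__ == "__main__":
    print(f"{'arch':6} {'fault':8} {'safety kept':12} {'available':10}")
    for arch in ARCHITECTURES:
        for modes, (safe, avail) in tolerance(arch).items():
            print(f"{arch:6} {'+'.join(modes):8} {str(safe):12} {str(avail):10}")
        print(f"{arch:6} {'any one':8} {fault_tolerant(arch)}")
```

Running it reproduces the claims in this post: 1oo2 keeps the safety function through a single dangerous fault but trips on a single safe fault, 2oo2 is the mirror image, and 2oo3 survives any single fault in both respects while losing both properties for two faults. It also shows the caveat a practitioner should keep in mind for 1oo2D: only a detected fault (DD) is isolated without consequences, so the "availability of a 2oo2" is only as good as the diagnostic coverage, since an undetected safe fault still trips the system.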
5- 2oo2 / 2oo2D
The major disadvantage of a single-channel (i.e. non-redundant) safety system is that a single failure in the safe mode immediately triggers the safety function, i.e. an unwanted shutdown. Duplicating the channels of a 1oo1/1oo1D system therefore leads to the 2oo2/2oo2D safety architecture. It significantly increases the availability of the system, since both channels must fail in the safe mode before the system shuts down the safeguarded process. On the other hand, both channels must also vote for the safety function, so a single dangerous failure of either channel defeats it. The 2oo2/2oo2D architecture therefore has higher availability but lower safety integrity than the 1oo2/1oo2D architecture. The following picture demonstrates the overview of a 2oo2D system.

6- 2oo3

In a system with the 2oo3 safety architecture there are three channels, two of which have to be healthy and agree in order to perform the safety function. This voting concept is therefore one-fault tolerant for safety, and also for availability: a single channel that fails in the dangerous mode is outvoted by the two healthy channels, and a single channel that fails in the safe mode cannot shut the system down on its own. Typical applications of this safety architecture are electric power steering (EPS) systems and safety-critical control systems in aviation (both Boeing and Airbus use 2oo3 safety architectures with a diverse design in their safety-critical systems). The following picture shows the architecture of Nissan's digital steering system [3]; you can see that three separate controllers are used. The 2oo3 voting principle works best when the microprocessors are clearly and thoroughly physically separated. This does not, however, require them to be located on three different modules, which would result in a 'heavily equipped' hardware system. From the picture above it is obvious that the Nissan system does look like such a heavily equipped hardware system.

7- 2oo4D
The 2oo4D safety architecture is characterized as a two-fault-tolerant, two-level system [2]. Two redundant central parts each contain two main processors; since only two modules are needed to achieve quadruple redundancy, the probability of common-cause failure is reduced even further compared with the other safety architectures mentioned above. The following picture shows the architecture of a 2oo4D system.

Besides the safety architectures mentioned above, other safety architectures for safety-critical systems are available on the market. For example, in the field of manned spaceflight, the safety-critical systems (manned spacecraft or space shuttles) use five redundant channels in their architecture. Those systems require high safety and reliability but are not mass-produced for the commercial market, which is why they care much more about safety integrity and reliability than about cost.

Stay tuned!

[1] Standardized E-Gas Monitoring Concept for Gasoline and Diesel Engine Control Units
[2] 2oo4D: A New Design Concept for Next-Generation Safety Instrumented Systems
[3] https://www./features/a15116750/electric-feel-nissan-digitizes-steering-but-the-wheel-remains-feature/
功能安全沙龍 (Functional Safety Salon) is a WeChat public account used as a technical sharing platform on the following topics:
- Cyber-security / J3061 or ISO 21434
- Powertrain control of PHEV and EV
- ADAS, ADS or AD vehicles
If you are interested in those topics, please subscribe to the WeChat public account by scanning the QR code below: