Industrial ECU (IEC 61508)


We receive many enquiries from organisations that need to develop products in compliance with international safety standard IEC 61508.

As an example of the type of design solution that we use in such products, we explore – in outline – several potential designs for a general-purpose industrial ‘Electronic Control Unit’ (ECU) on this page. 

Such an ECU may serve as a control and / or monitoring system in a range of industrial settings (including off-road vehicles).

The solutions presented here are all based on a ‘Time Triggered’ (TT) software architecture.

[This page was last updated: 2021-01-22]

Developing a ‘SIL 2’ ECU (based on a single microcontroller)

We start by considering an ECU design that is capable of meeting ‘SIL 2’ requirements: this design is based on a single microcontroller.

The figure below gives an overview of the CorrelaTTor® software platform (we pronounce it ‘correlator’) that we would typically employ as the basis of such a design.

In a CorrelaTTor platform, a single processor is employed with internal monitoring (using MoniTTor® and PredicTTor® components).

Further information about the CorrelaTTor platform is provided on our Technology page.

The combination of a ‘SIL 2’ microcontroller and CorrelaTTor software can provide a highly-effective means of meeting the requirements of IEC 61508 (up to ‘SIL 2’). Such processors include the ST® STM32F4 devices.

Numerous low-cost prototyping boards are available for this family of MCUs.

Developing a ‘SIL 3’ ECU (based on two low-cost microcontrollers)

Where required, we can extend the design outlined above in order to meet ‘SIL 3’ requirements by adding a second low-cost microcontroller and using a DuplicaTTor® (‘duplicator’) software platform.

The figure below gives an overview of a DuplicaTTor platform.

In a DuplicaTTor platform, two processors are employed (with cross-checks between them). For example, the combination of two ‘ASIL B’ microcontrollers and DuplicaTTor software can provide an effective means of meeting the requirements of ISO 26262: 2018 (up to ‘ASIL D’).

Two STM32F4 devices could be used as the basis of such a design: for example, our DEB-0405 board (based on two STM32F405 MCUs) provides an effective prototyping platform.

Use of a dual-MCU design may also simplify the process of meeting the requirements of related safety standards such as ISO 13849. 

Where high levels of performance are required, MCUs such as those from the STM32H7 family can be used in such designs: the figure below shows a prototype based on this platform.

 

Further information about the DuplicaTTor platform is provided on our Technology page.

Developing a ‘SIL 3’ ECU (based on a single microcontroller)

We can also – where required – develop an ECU design that is capable of meeting ‘SIL 3’ requirements based on a single microcontroller.

Again, this will use a CorrelaTTor software platform.

In this case, we require a microcontroller that has been designed to meet ‘SIL 3’ requirements. 

One possible example is the TC3xx family from Infineon®.

Such a design could (for example) be prototyped on the cost-effective ShieldBuddy 375 board from Hitex®.

 

The TC3xx family of devices have multiple cores (all of which can be supported by the DuplicaTTor software platform) and can meet the performance requirements of a wide range of industrial designs.

Does your design require ‘Fail Safe’ or ‘Fail Operational’ behaviour? 

A key question that may arise during the early stages of developing an ECU design is whether the system is required to support ‘fail safe’ or ‘fail operational’ behaviour. 

  • A fail-safe design will shut down if a significant fault (that is, a fault that may prevent the system from continuing to operate safely) is detected during normal operation.
  • A fail-operational design will continue to operate (possibly in a ‘limp home’ or similar mode) if a significant fault is detected.

In the designs outlined above, fail-safe behaviour is assumed, but DuplicaTTor platforms (in combination with appropriate MCU targets) also provide a highly-effective platform for a wide range of fail-operational designs, as outlined in the figure below.
