As I have worked in the Automotive Engineering Service Field for 4 years(5 years OEM experience+ 4 years automotive engineering service), serveral functional safety engineers of my customers told me that they need their Hybrid Control Units have the fail-operational capability when they are doing the functional safety development.  It took me a lot of time to explain why it make no sense to do fail-operational concept for a fail-safe system. Today, let us have a look at them.

There are a lot of system safety concepts existing on the market for different safety purposes like human safety,finance safety, data safety，equipment safety… .  I tried to list some of them below, but only th safety concept used in the automotive industry will be addressed this blog today:

·       Fail-safe

·       Fail-passive

·       Fail-tolerant

·       Fail-operational

·       Fail-secure

·       Fail-deadly.

 An example for the fail-safe concept applications in automotive field is the Engine Control Unit, it can fail, and as long as it stops the engine and alerts the driver, it will not lead to accident which could threaten the loss of people's life or injury perple as its safety interval is long enough to permit the driver or other participants response correctly.  This means that by going into a safe mode via loss of the functions or deactivating the systems in case of any safety-related faults are detected, the fail-safe system could ensure that the people in the control loop or involved in the hazard events could control or migitate hazard within the safety time interval.Following the same safety concept, the Hybrid Control Unit or Vehicle Control Unit, Transmission Control Unit are also designed to be fail-safe.

Fault-tolerant safety concept is used for the systems which avoid service failure when the system recognizes that it is receiving the wrong information.An example may include control systems for ordinary nuclear reactors. The normal method to tolerate faults is to have several computers continually test the parts of a system, and switch on hot spares for failing subsystems. As long as faulty subsystems are replaced or repaired at normal maintenance intervals, these systems are considered safe. Interestingly, the computers, power supplies and control terminals used by human beings must all be duplicated in these systems in some fashion.Fail-operational safety concept is used for the systems which continue to operate when one of their control systems fail.Examples of these include elevators,the gas thermostats in most home furnaces, and passively safe nuclear reactors. Nuclear weapons launch-on-loss-of-communications was rejected as a control system for the U.S. nuclear forces because it is fail-operational:  a loss of communications would cause launch, so this mode of operation was considered too risky.For the ADAS systems or AD systems in the automotive field, fail-operational safety concept could be required in case that some functions failed while the safety interval is not long enough to ensure driver take over the vehicle in time. Another typical application in automotive field of fail-operational safety concept is the EPS system. It will keep providing the steering assistance in case that one of the safety-related components or elements of the system is failed. That is because that the driver or other person involved in the hazard event couldn't handle the malfuction behavior of the EPS correctly within the safety time interval.

5-  Reference