Functional Safety Analysis and Embedded Safety Mechanisms Implementation for ASIL C Automotive Actuator

Nowadays functional safety is increasingly pervading many industrial applications due to a continuously growing attention on how technology impacts society. Systems are always asked to be faster and stronger with respect to to their predecessors, to obtain more efficient and comfortable overall behaviour of the final product. According to this, modern electronic actuators have much more control on the surrounding mechanical parts, thus requiring particular attention on the action they are allowed to perform. In the automotive field, the ISO 26262 regulates the design processes needed to develop systems with a reduced risk of harming people. In particular, the norm focuses on the safety measures needed to bring the potential high risk of an item under a predefined threshold. Depending on the estimated risk of the overall system, an Automotive Safety Integrity Level (ASIL) is defined by the car maker and applied by the suppliers to each item that can contribute to that overall risk. According to the selected ASIL, the design processes can be monitored with stricter or softer instruments, and the embedded implementation could require a vast spectrum of hardware and software countermeasures to limit the effects of runtime faults thus maintaining the system in a safe state. In this scenario, the thesis work will focus on the implementation of software safety mechanisms on a Aurix(TM) TC36x dual core microcontroller unit (MCU), embedded in an automotive actuator with ASIL C requirement. The algorithms will verify the health of the many peripherals of the MCU and will need to promptly react in case a fault is detected during real-time operations. While a complete set of possible mechanisms are already provided by the MCU manufacturer to be used in applications up to ASIL D, an extensive analysis will be needed to verify the effectiveness of each safety mechanism for the target application, to limit the CPU load to the minimum needed thus ensuring the proper functionality of the overall actuator.