400 Commonwealth Drive, Warrendale, PA 15096-0001 U.S.A. Tel: (724) 776-4841 Fax: (724) 776-0790 Web: www.sae.org
SAE TECHNICAL PAPER SERIES 2007-01-1489
SIL2 and SIL3 ECU – Safety Controller for Off-Highway
Christiana Seethaler and Lukas Silberbauer
TTTech Computertechnik AG
Reprinted From: Safety-Critical Systems, 2007 (SP-2121)
2007 World Congress, Detroit, Michigan, April 16-19, 2007
By mandate of the Engineering Meetings Board, this paper has been approved for SAE publication upon completion of a peer review process by a minimum of three (3) industry experts under the supervision of the session organizer.
ISSN 0148-7191
Copyright © 2007 SAE International
Positions and opinions advanced in this paper are those of the author(s) and not necessarily those of SAE. The author is solely responsible for the content of the paper. A process is available by which discussions will be printed with the paper if it is published in SAE Transactions.
ABSTRACT
Electronically controlled safety-critical functions are becoming more and more prevalent in the off-highway industry (construction, agricultural or forestry machinery, etc.). Failures of such safety-critical functions may cause serious injury or death to people. Therefore, product safety and liability are becoming increasingly important for all OEMs in this industry. Currently, IEC 61508 [1] is considered the state-of-the-art standard for the development of safety-critical systems. Safety integrity levels (SIL) 2 and 3 are the most common levels required by off-highway applications.
This paper shows a scalable architecture with a single ECU type that allows fulfilling both SIL2 and SIL3 requirements: a 1oo1D architecture (single ECU) will be used for systems with SIL2 requirements, a 1oo2D architecture for SIL3 requirements. In the 1oo2D variant two redundant ECUs exchange data over a time-triggered protocol. Due to this scalability the controller is suited for the majority of safety-critical applications in the off-highway industry.
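To make the difference between the two variants concrete, the following is an added Python model (not code from the paper or from TTTech) of how 1oo1D and 1oo2D output logic react to a fault in one channel. The voting and fallback rules and the safe-state value are assumptions, since the abstract does not specify them; the point it shows is that a fault the channel's own diagnostics miss passes straight through a 1oo1D controller but is caught by cross-comparison in 1oo2D.

```python
from dataclasses import dataclass

SAFE_STATE = "safe_state"  # assumed: outputs de-energised, machine brought to a stop


@dataclass
class Channel:
    """One ECU channel: its computed output and the verdict of its own diagnostics."""
    output: str
    diag_ok: bool


def vote_1oo1d(ch: Channel) -> str:
    """1oo1D: a single ECU whose built-in diagnostics are the only safeguard.
    A fault the diagnostics miss reaches the actuator unchallenged."""
    return ch.output if ch.diag_ok else SAFE_STATE


def vote_1oo2d(a: Channel, b: Channel) -> str:
    """1oo2D: two ECUs with diagnostics plus cross-comparison of their outputs.
    Rule set used here (an assumption, not the paper's own):
      both healthy and agreeing  -> pass the output through
      both healthy, disagreeing  -> safe state (an undetected fault is present)
      one diagnosed faulty       -> continue on the healthy channel
      both diagnosed faulty      -> safe state"""
    if a.diag_ok and b.diag_ok:
        return a.output if a.output == b.output else SAFE_STATE
    if a.diag_ok:
        return a.output
    if b.diag_ok:
        return b.output
    return SAFE_STATE


def run_scenario(correct: str, fault: str) -> dict:
    """Inject a constructed fault into channel A and report each architecture's output.
    fault: "none", "detected" (diagnostics catch it) or "undetected" (wrong output,
    diagnostics silent). Channel B is the healthy partner in the 1oo2D variant."""
    good = Channel(output=correct, diag_ok=True)
    if fault == "none":
        a = good
    elif fault == "detected":
        a = Channel(output="garbage", diag_ok=False)
    elif fault == "undetected":
        a = Channel(output="garbage", diag_ok=True)
    else:
        raise ValueError(f"unknown fault kind: {fault}")
    return {"1oo1D": vote_1oo1d(a), "1oo2D": vote_1oo2d(a, good)}
```

Running the three scenarios shows the 1oo2D variant also keeps operating on the healthy channel after a detected fault, where 1oo1D can only stop.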
INTRODUCTION
The use of electronics in off-highway vehicles has grown exponentially over the last decades, as electronics from the automotive industry were steadily adapted for the harsh environment in the off-highway industry [2]. Originally the driving factors for the increase in electronics were emission regulations. Electronically controlled engines had to be introduced in order to meet the increasingly strict allowable emission levels. Once ECUs were onboard the vehicle, manufacturers began to use electronics to optimize and integrate many vehicle subsystems, coordinating different components to work more efficiently together and improving overall control over the vehicle implements. The amount of electronics and the number of ECUs continue to grow. Ever since electronics were introduced in off-highway vehicles, safety concerns have been raised: while mechanical and hydraulic components (like steering rods or hydraulic cylinders) are considered safe if