SIL2 and SIL3 ECU - Safety Controller for Off-Highway

Electronically controlled safety-critical functions are becoming more and more prevalent in the off-highway industry (construction, agricultural or forestry machinery etc). Failures of such safety-critical functions may cause serious injury or death to people. Therefore, product safety and liability are becoming increasingly important for all OEMs in this industry. Currently, IEC 61508 [1] is considered the state-of-the-art standard for the development of safety-critical systems. Safety integrity levels (SIL) 2 and 3 are the most common levels required by off-highway applications.

This paper shows a scalable architecture with a single ECU type that allows fulfilling both SIL2 and SIL3 requirements: A 1oo1D architecture (single ECU) will be used for systems with SIL2 requirements, a 1oo2D architecture for SIL3 requirements. In the 1oo2D variant two redundant ECUs exchange data over a time-triggered protocol. Due to this scalability the controller is suited for the majority of safety-critical applications in the off-highway industry.