- Mon Aug 12, 2024 2:39 pm
#69197
PSIG wrote: ↑Fri Dec 11, 2020 6:57 pm
    fram wrote: ↑Fri Dec 11, 2020 5:32 pm
        3 µC in the same design.... it's a strange design. Maybe there is one too many, no?
    On most systems with onboard DBW I've seen I have found at least 4 independent processors, 3 for DBW only, and more for everything else. This is a redundant safety system similar to the Space Shuttle guidelines, that if all 3 agree you're fine, but if one does not agree it goes to "limp" mode and if none agree it is full shutdown (which one is right?).

The Space Shuttle was designed in the 1970s; now we have processors that support functional safety. Lockstep processors with ECC memory and buses and fail-safe clock switching are the norm. It must be 10 years since I saw a safety design that had more than one processor, other than a smaller 'limp mode' processor.

As an example, for an ETB controller, an MPC5744 with a safety supervisor can meet ISO 26262 ASIL level D, which is the highest level there is and is required for ETB engines with an auto trans.
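The three-tier voting scheme PSIG describes (all agree, one dissents, none agree) as an added C example; this is not code from the post or from any ECU project, and the tolerance, the "raw ADC count" units and the sample readings are constructed assumptions.

```c
#include <stdlib.h>

/* Outcome of the three-channel vote, mirroring the tiers in the thread:
 * all agree -> normal, one dissents -> limp mode, no agreement -> shutdown. */
typedef enum { VOTE_OK = 0, VOTE_LIMP = 1, VOTE_SHUTDOWN = 2 } vote_state_t;

/* Two channels agree if they differ by at most tol (constructed units: raw ADC counts). */
static int agree(int a, int b, int tol) { return abs(a - b) <= tol; }

static int median3(int a, int b, int c)
{
    if ((a <= b && b <= c) || (c <= b && b <= a)) return b;
    if ((b <= a && a <= c) || (c <= a && a <= b)) return a;
    return c;
}

/* Vote over three redundant throttle-position channels ch[0..2].
 * *out receives the value to act on, *faulty the index of the channel voted
 * out (-1 if none or undetermined). Tolerance-based agreement is not transitive
 * (100,110,120 with tol 10: two pairs agree, one does not), so that chained case
 * is treated as degraded rather than healthy. */
vote_state_t tmr_vote(const int ch[3], int tol, int safe_value, int *out, int *faulty)
{
    int ab = agree(ch[0], ch[1], tol);
    int bc = agree(ch[1], ch[2], tol);
    int ac = agree(ch[0], ch[2], tol);
    int pairs = ab + bc + ac;

    *faulty = -1;
    if (pairs == 3) {                 /* all three agree: act on the median */
        *out = median3(ch[0], ch[1], ch[2]);
        return VOTE_OK;
    }
    if (pairs == 2) {                 /* chained agreement: no clear culprit, degrade */
        *out = median3(ch[0], ch[1], ch[2]);
        return VOTE_LIMP;
    }
    if (pairs == 1) {                 /* exactly one channel is the odd one out */
        if (ab)      { *faulty = 2; *out = (ch[0] + ch[1]) / 2; }
        else if (bc) { *faulty = 0; *out = (ch[1] + ch[2]) / 2; }
        else         { *faulty = 1; *out = (ch[0] + ch[2]) / 2; }
        return VOTE_LIMP;
    }
    *out = safe_value;                /* no two channels agree: force the safe state */
    return VOTE_SHUTDOWN;
}
```

A real supervisor would also latch the fault and rate-limit re-entry into normal mode; this block only shows the vote itself.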