WhyChips

ASIL-B/C Redundancy & Diagnostics: Sensor MCU Safety Guide

Why Functional Safety Matters Now

With accelerating ADAS and autonomous driving development, ISO 26262 implementation—especially for ASIL-B/C systems—is essential. This guide covers practical redundancy and diagnostic mechanisms for automotive sensors and MCUs.

Understanding ASIL Classifications

ISO 26262 defines Automotive Safety Integrity Levels (ASIL) as risk classifications determining required safety measures. Four levels exist—A, B, C, and D—with D being highest.

ASIL-B systems include:

  • Rear lighting
  • Body control modules
  • Non-critical sensor clusters

ASIL-C systems include:

  • Electronic stability control
  • Advanced braking
  • Steering assistance
  • Critical sensor fusion

The distinction between ASIL-B and ASIL-C significantly affects the redundancy and diagnostic requirements.

Automotive MCU Safety Features

Safety-rated MCUs incorporate hardware mechanisms that continuously detect faults during runtime.

Core MCU Safety Mechanisms

CPU Self-Test

Modern MCUs implement:

  • Lockstep cores: Dual cores execute identical instructions; comparator checks outputs (>99% coverage).
  • BIST: Periodic test patterns verify CPU registers, ALU, and instruction decoder.
  • Program flow monitoring: Hardware checks execution sequences via watchdog timers.

Memory Protection

Critical protections include:

  • ECC: ASIL-C requires SECDED for RAM and flash.
  • Memory partitioning: Hardware separation between safety and non-safety functions.
  • Address parity: Detects addressing errors.

Clock and Supply Monitoring

  • Voltage monitoring: Triggers safe states before voltage excursions.
  • Clock monitoring: Detects loss or frequency deviation.
  • Temperature monitoring: Prevents out-of-spec operation.

Sensor Redundancy for ASIL-B/C

Redundancy design depends on function criticality and ASIL level.

Redundancy Patterns

Homogeneous Redundancy

Multiple identical sensors:

  • Dual-sensor: Two sensors with voting; common for ASIL-B.
  • TMR: Three sensors with majority voting; often required for ASIL-C.

Challenge: common-cause failures affecting all sensors.
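As an added example (not code from the WhyChips article), a 2-out-of-3 voter in C for three identical sensors: readings within an assumed TOLERANCE count as agreeing, the median of the three is the output, a single outlier is flagged so the fault manager can latch it, and with no agreeing pair the voter reports failure instead of a value.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>

/* Constructed example: three identical sensors measuring one quantity
 * (values in arbitrary units). Two readings agree when they differ by no
 * more than TOLERANCE, an assumed figure that a real design takes from the
 * sensor's accuracy specification. */
#define TOLERANCE 5
#define N_SENSORS 3

typedef enum { VOTE_OK = 0, VOTE_DEGRADED = 1, VOTE_FAIL = 2 } vote_status_t;

typedef struct {
    int32_t value;         /* voted output; meaningful unless status == VOTE_FAIL */
    vote_status_t status;
    uint8_t faulty_mask;   /* bit i set when sensor i was outvoted */
} vote_result_t;

static bool agree(int32_t a, int32_t b) {
    return llabs((int64_t)a - (int64_t)b) <= TOLERANCE;
}

/* Median of three: with at least one agreeing pair this always returns a
 * member of that pair, so a single outlier never reaches the output. */
static int32_t median3(int32_t a, int32_t b, int32_t c) {
    if ((a <= b && b <= c) || (c <= b && b <= a)) return b;
    if ((b <= a && a <= c) || (c <= a && a <= b)) return a;
    return c;
}

/* 2-out-of-3 voter: OK when the readings are mutually consistent, DEGRADED
 * when exactly one pair agrees (the third sensor is flagged so the fault
 * manager can latch it), FAIL when no two sensors agree. */
vote_result_t tmr_vote(const int32_t r[N_SENSORS]) {
    vote_result_t out = { 0, VOTE_FAIL, 0 };
    bool ab = agree(r[0], r[1]), bc = agree(r[1], r[2]), ac = agree(r[0], r[2]);
    int pairs = (int)ab + (int)bc + (int)ac;
    if (pairs == 0) return out;
    out.value = median3(r[0], r[1], r[2]);
    if (pairs >= 2) {
        out.status = VOTE_OK;
    } else {
        out.status = VOTE_DEGRADED;
        out.faulty_mask = ab ? 0x04u : (bc ? 0x01u : 0x02u);
    }
    return out;
}
```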

Heterogeneous Redundancy

Different technologies measuring the same parameter:

  • Radar and vision for object detection
  • Accelerometers and gyroscopes for motion
  • Magnetic and optical position sensors

Increases complexity but improves systematic failure coverage.

Analytical Redundancy

Mathematical models estimate sensor values:

  • Vehicle dynamics models predict readings
  • Fusion algorithms detect outliers
  • Trend analysis identifies degrading sensors

Effective for cost-constrained ASIL-B systems.

Diagnostic Coverage Requirements

ISO 26262 defines diagnostic coverage (DC) as the proportion of a hardware element's failures that its safety mechanisms detect.

Coverage Targets

  • ASIL-B: 90% single-point, 60% latent faults
  • ASIL-C: 97% single-point, 80% latent faults

Sensor Diagnostics

Plausibility Checks

  • Range checking: Verifies physically possible bounds
  • Gradient monitoring: Detects impossible rapid changes
  • Cross-correlation: Validates against related measurements
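An added example, not from the article, that applies the three plausibility checks to one sample stream in C, with a debounce so that a single noisy sample is not reported as a fault; the wheel-speed limits, the 0.01 km/h unit and the qualification count are assumed figures.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>

/* Flags raised for one sample; zero means the sample passed every check. */
#define PL_RANGE    0x01u   /* outside physically possible bounds */
#define PL_GRADIENT 0x02u   /* changed faster than physics allows */
#define PL_CROSS    0x04u   /* disagrees with a related measurement */

typedef struct {
    int32_t min, max;       /* physical bounds of the signal */
    int32_t max_step;       /* largest credible change between consecutive samples */
    int32_t cross_tol;      /* allowed deviation from the correlated reference */
} pl_limits_t;

typedef struct {
    int32_t last;           /* last plausible sample */
    bool    have_last;
    uint8_t bad_in_a_row;   /* consecutive implausible samples (debounce) */
} pl_state_t;

/* Constructed limits for a wheel-speed signal in 0.01 km/h units: 0..300 km/h,
 * at most 50 km/h change per sample period, within 10 km/h of vehicle speed.
 * These are assumed figures, not values from any particular vehicle. */
const pl_limits_t WHEEL_SPEED_LIMITS = { 0, 30000, 5000, 1000 };

/* Runs range, gradient and cross-correlation checks on one sample and
 * returns the PL_* flags. Only plausible samples update the gradient
 * reference, so a spike cannot move the baseline for the next check. */
uint8_t plausibility_check(pl_state_t *st, const pl_limits_t *lim,
                           int32_t sample, int32_t reference) {
    uint8_t flags = 0;
    if (sample < lim->min || sample > lim->max) flags |= PL_RANGE;
    if (st->have_last && llabs((int64_t)sample - st->last) > lim->max_step) flags |= PL_GRADIENT;
    if (llabs((int64_t)sample - reference) > lim->cross_tol) flags |= PL_CROSS;
    if (flags == 0) {
        st->last = sample; st->have_last = true; st->bad_in_a_row = 0;
    } else if (st->bad_in_a_row < UINT8_MAX) {
        st->bad_in_a_row++;
    }
    return flags;
}

/* Debounced fault: one implausible sample is tolerated as noise, but a run of
 * `qualify` consecutive ones (chosen so the reaction still fits inside the
 * FTTI) is reported to the fault manager. */
bool plausibility_fault(const pl_state_t *st, uint8_t qualify) {
    return st->bad_in_a_row >= qualify;
}
```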

Electrical Diagnostics

  • Open/short detection: Test currents identify wiring faults
  • Stuck-at detection: Identifies constant outputs
  • Supply monitoring: Verifies voltage and current

Communication Diagnostics

For SPI, I2C, or CAN sensors:

  • CRC checking: Detects data corruption
  • Sequence validation: Identifies missing messages
  • Timeout monitoring: Detects messages that do not arrive within the expected interval
  • Alive counter: Verifies firmware execution
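An added example that is not from the article: a constructed 6-byte frame format (not any real sensor's) and the receiver-side checks for it in C, covering CRC-8 with the SAE J1850 polynomial, a sequence counter, an alive counter and a timeout; the 20 ms timeout is an assumed value.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
/* Constructed 6-byte frame layout for this example (not a real device's format):
 * [0..1] value, big-endian  [2] sequence counter (wraps at SEQ_MAX)
 * [3] alive counter  [4] reserved  [5] CRC-8 over bytes 0..4 */
#define FRAME_LEN  6
#define SEQ_MAX    0x0Fu
#define TIMEOUT_US 20000u   /* assumed: a frame is due at least every 20 ms */
enum { DIAG_OK = 0, DIAG_CRC = 1, DIAG_SEQ = 2, DIAG_ALIVE = 4, DIAG_TIMEOUT = 8 };
typedef struct {
    uint8_t  last_seq, last_alive;
    uint32_t last_rx_us;
    bool     synced;          /* false until the first valid frame */
} rx_state_t;
/* CRC-8, polynomial 0x1D (SAE J1850), init 0xFF, final XOR 0xFF. */
uint8_t crc8_j1850(const uint8_t *p, size_t n) {
    uint8_t crc = 0xFF;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (uint8_t)((crc & 0x80u) ? (crc << 1) ^ 0x1Du : (crc << 1));
    }
    return (uint8_t)(crc ^ 0xFFu);
}
/* Transmitter side; used here only to construct receiver input. */
void frame_build(uint8_t f[FRAME_LEN], uint16_t value, uint8_t seq, uint8_t alive) {
    f[0] = (uint8_t)(value >> 8); f[1] = (uint8_t)value;
    f[2] = (uint8_t)(seq & SEQ_MAX); f[3] = alive; f[4] = 0;
    f[5] = crc8_j1850(f, FRAME_LEN - 1);
}

/* Receiver diagnostics per frame, with a monotonic microsecond timestamp.
 * A bad CRC rejects the frame outright: none of its fields can be trusted. */
uint8_t frame_check(rx_state_t *st, const uint8_t f[FRAME_LEN], uint32_t now_us) {
    uint8_t d = DIAG_OK;
    if (crc8_j1850(f, FRAME_LEN - 1) != f[5]) return DIAG_CRC;
    if (st->synced) {
        if (f[2] != ((st->last_seq + 1u) & SEQ_MAX)) d |= DIAG_SEQ;     /* lost or duplicated */
        if (f[3] == st->last_alive)                 d |= DIAG_ALIVE;   /* sender stalled */
        if (now_us - st->last_rx_us > TIMEOUT_US)    d |= DIAG_TIMEOUT; /* late arrival */
    }
    st->last_seq = f[2]; st->last_alive = f[3]; st->last_rx_us = now_us; st->synced = true;
    return d;
}

/* Polled from a periodic task: a sensor that goes silent never triggers frame_check. */
bool rx_timed_out(const rx_state_t *st, uint32_t now_us) {
    return st->synced && (now_us - st->last_rx_us > TIMEOUT_US);
}
```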

MCU Diagnostic Implementation

Software diagnostics complement hardware mechanisms.

Software Diagnostics

Periodic Self-Tests

  • RAM testing: March algorithms detect faults; time-sliced execution.
  • Flash integrity: CRC verification at startup and periodically.
  • Peripheral diagnostics: Loopback tests, ADC verification, timer checks.

Execution Flow Monitoring

  • Function monitoring: Verifies expected sequences
  • Timing supervision: Ensures deadline compliance
  • Stack monitoring: Detects overflow
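An added example, not from the article, combining function-sequence and timing supervision with watermark-based stack monitoring in C; the checkpoint IDs, the 5 ms cycle budget and the fill pattern are assumed values.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
/* Constructed checkpoint IDs for one cycle of the example control task;
 * the application calls flow_checkpoint() at each of these points. */
enum { CP_READ_SENSORS = 1, CP_VOTE, CP_PLAUSIBILITY, CP_ACTUATE, CP_END };
static const uint8_t EXPECTED[] = { CP_READ_SENSORS, CP_VOTE, CP_PLAUSIBILITY, CP_ACTUATE, CP_END };
#define N_CP        (sizeof EXPECTED / sizeof EXPECTED[0])
#define DEADLINE_US 5000u        /* assumed cycle budget */
#define STACK_FILL  0xA5A5A5A5u  /* watermark pattern for stack monitoring */
enum { FLOW_OK = 0, FLOW_SEQUENCE = 1, FLOW_DEADLINE = 2, FLOW_INCOMPLETE = 4 };

typedef struct {
    size_t   next;        /* index into EXPECTED of the checkpoint expected next */
    uint32_t start_us;
    uint8_t  faults;
} flow_mon_t;
void flow_start(flow_mon_t *m, uint32_t now_us) {
    m->next = 0; m->start_us = now_us; m->faults = 0;
}

/* Records an out-of-order, repeated or unknown checkpoint and a missed
 * deadline; it does not alter control flow, the reaction is taken at cycle end. */
void flow_checkpoint(flow_mon_t *m, uint8_t id, uint32_t now_us) {
    if (m->next < N_CP && EXPECTED[m->next] == id) m->next++;
    else m->faults |= FLOW_SEQUENCE;
    if (now_us - m->start_us > DEADLINE_US) m->faults |= FLOW_DEADLINE;
}

/* Evaluated once per cycle, before the windowed watchdog is serviced: only a
 * complete, in-order, on-time cycle yields FLOW_OK and earns the watchdog kick. */
uint8_t flow_end(const flow_mon_t *m, uint32_t now_us) {
    uint8_t f = m->faults;
    if (m->next != N_CP) f |= FLOW_INCOMPLETE;
    if (now_us - m->start_us > DEADLINE_US) f |= FLOW_DEADLINE;
    return f;
}

/* Stack monitoring by watermark: the unused stack is pre-filled with
 * STACK_FILL at startup, and the lowest address still holding the pattern
 * tells how much headroom remains (stack grows down from stack[words-1]). */
void stack_fill(uint32_t *stack, size_t words) {
    for (size_t i = 0; i < words; i++) stack[i] = STACK_FILL;
}

size_t stack_headroom_words(const uint32_t *stack, size_t words) {
    size_t n = 0;
    while (n < words && stack[n] == STACK_FILL) n++;
    return n;   /* 0 means the stack is fully consumed: overflow imminent or past */
}
```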

Data Flow Monitoring

  • Range checking: Validates variable bounds
  • Redundant storage: Maintains checksums
  • Write protection: Prevents unintended modifications

Practical Implementation Considerations

Balancing Safety and Performance

Diagnostics impact performance:

  • Hardware mechanisms consume area and power
  • Software diagnostics need CPU and memory
  • Redundant sensors increase cost and complexity

Optimize by:

  • Prioritizing via FMEA
  • Time-slicing non-critical tests
  • Using hardware acceleration
  • Selecting appropriate MCUs

Fault Reaction and Safe States

Systems must transition to safe states:

  • Safe state: Varies by application—maintain state, shutdown, or degraded mode.
  • Reaction time: The fault tolerant time interval (FTTI) drives diagnostic frequency.
  • Communication: Inform other components of faults.

Documentation Requirements

ISO 26262 requires:

  • Safety analysis: FMEA, FTA, DFA
  • Safety case: Demonstrate goal achievement
  • Verification: Test evidence
  • Metrics: DC, SPFM, LFM calculations

Future Trends

AI/ML Integration

  • Runtime neural network monitoring
  • Traditional algorithm verification
  • Distribution shift detection

System Complexity

  • SOTIF for beyond-standard scenarios
  • ISO/SAE 21434 cybersecurity
  • Multi-core platform partitioning

Standard Evolution

  • 2018 edition added semiconductors/motorcycles
  • Addressing autonomous driving, OTA updates
  • Application-specific guidelines

Conclusion

ASIL-B/C implementation requires:

  • Rigorous safety analysis
  • Appropriate redundancy selection
  • Comprehensive diagnostics
  • Thorough documentation
  • Systematic validation

Master these fundamentals to deliver safe automotive sensor and MCU designs meeting ISO 26262.