Abstract
This paper discusses the 2-out-of-3 hot standby electronic control unit (HECU), a fault-tolerant design, from the viewpoint of functional safety. First, the logic of malfunctioning events caused by the HECU is modeled using state-transition diagrams. Next, malfunctioning-event rates are formulated from the diagrams, taking into account independent dangerous and common-cause dangerous failures of the HECU as well as the demands on the HECU. Then, the relationship between the operational time, i.e., the duration for which the motor vehicle could be driven with the HECU in its normal or degraded state, and the malfunctioning-event rate is analyzed. It is concluded that the approach presented in this paper is useful for the functional safety assessment of the HECU.