Pi Innovo considers the safety and quality of its products to be of paramount importance. The integrity of the product can be considered by assessing the three 'components' which comprise the system.
Systems, rather than software, have a Safety Integrity Level (SIL). The SIL of the customer's resultant system will have to be assessed and defined by their knowledge of the processes used to develop all the components (including those supplied by Pi) comprising the complete system.
The hardware is a production unit (see Section 1.1, “ECU hardware reference documentation” for module environmental specifications). However different applications will have different requirements for output monitoring. Those outputs that are selected (by the customer) to drive safety related outputs should include output monitor circuits. The use of outputs for critical devices which do not contain a monitor feedback is strongly discouraged.
The platform comprises functionality which allows the high level strategy to operate in the specific hardware target (electronic box). It includes:
This suite of software is predominantly hand-coded with some additional auto-coded Simulink models.
OpenECU has been developed using a lean SIL0 process enabling its rapid introduction to the market place. This process included internal review, module testing and considerable vehicle testing. It is considered to be a reliable and robust platform on which to build vehicle control applications.
The configuration of the platform is the customer's responsibility. It is entirely possible, through careless configuration, to 'cross wire' inputs or outputs for example. This could, for example, lead to injector 1 firing when you intended injector 2 to fire. The mis-calibration of analogue inputs could lead to undesired behaviour such as steering angle or accelerator pedal position to be mis-calculated.
Documented vehicle prove out tests should mitigate against this leading to severe outcomes.
The strategy may be developed entirely by the customer, or be a development by the customer of generic libraries supplied by Pi Innovo. In either case the integrity of the resultant strategy model must be the responsibility of the customer.
Pi's generic libraries have been extensively validated via module testing, HIL system testing and vehicle testing but have not undergone unit testing.