Hi people,

I've designed and taken part in the design of Electronic Control Units (ECU) for Renault VI, Mack Trucks, Volvo Trucks for trucks and coaches applications and also PSA (Peugeot cars). I've also defined some busses architectures for trucks, especially in CAN for which I've wrote some implementation recommendations and tested a lot of configurations.

I've seen microcontrollers from 8 to 32 bits. Most were 8 or 16 bits, 32 bits are just incoming on the market due to multimedia applications.
I've seen some ABS/EBS, airbag, air pressure management, clim, heater, gearbox, instrument clusters or retarders systems with 8 bits micros, engine control with 16 bits, and more recently, I've worked on a project with a main system ECU based on a 32 bits ARM7 proprietary Asic. Before that, the main system was a 16 bits ECU.

I've never seen PIC used there. On these projects, I've seen motorola (68hcxxx), very often the C167 from Infineon (it's a beloved chip used by Bosch, VDO, Beriforce, ...).
Sagem has used the Hitachi H8 microcontrollers... It's some examples.

They're not using the new chips for two reasons : first, changing a microcontroller has a high cost. (change the development tools, time to learn the new micro, ...). Next, a constructor is enjoying using a chip which is debugged since many years, largely used in the industry (so low cost), and which has been reliable in the time.

I've never seen RTOS. The ECUs we've designed were using a real time sequencer. The 32 bits ECU had a proprietary RTOS which was more an hardware driver than a RTOS. This choice was done in order to avoid some license costs and to be sure to control the whole code.

Most ECUs have embedded flash for the code.
The communication busses I've encountered are CAN (125 and 250 Kbits/s for vehicle control and 500 kbits/s for multimedia applications), RS485 (J1587 at 9600 bits/s), ISO14230 (KWP2000 for diagnosis 10400 bits/s) and recently LIN. Rob, CAN 1 wire and LIN are different....

Concerning the safety, first of all, the FMEA (Failure Mode Effect Analysis) is done. This is the base of all. Then you know which part of the design should include some protections,detections, mechanical or process improvements according to the criticallity of the functions.
You can refer to my webwite to see how a FMEA is designed.

I've never seen in civilian applications (especially in automotive) any microcontroller redundant structure (generally seen in aeronautic) even in trucks where the life duration is 15 years (against 5 for a car) and 1.7 million of kilometers (against 200 000 for a car) and which could carry some very hazardous goods or be used in very critical environmental constraints.
The safety was generally done by designing some failures detections and protections and by using some industrialization processes like coating and so on... Of course the software has to be compliant with the safety.
Note that when a configuration is designed, it's tested on a simulator with the phycical ECUs. When all security risks have been solved, it's tested on prototype trucks, then it's tested on a range of trucks used by costomers, and then it's massively produced.
Tests are nearly half of the project duration.

I've also worked on military projects as tanks and infantery control armoured vehicles. I could say that the method is strictely the same and that some civilian ECUs are used in these vehicles. This may be acceptable according to the FMEA. The electronic isn't really different for the motion functions. The detection and weapons electronic is very different... It's an other world !

Regards
Stephane