Still, this doesn't account for the case where the CPU and the watchdog signal are working, but the algorithm isn't. Pure software malfunctions have happened on commercial airliners, where there are quite stringent FAA requirements regarding how the software is developed and maintained. So it wouldn't be surprising if it happens in automotive systems, where you might not have the redundancy of multiple CPUs running concurrently.
I'm not sure if automotive systems are held to any certification standards. Maybe someone working in this field could answer that?