Design and Quantitative Evaluation of a Novel FlexRay Bus Guardian


Kai Wang, Aidong Xu, and Hong Wang
Key Laboratory of Industrial Informatics, Shenyang Institute of Automation, Chinese Academy of Sciences, Shenyang, China
wangkai@sia.cn

Abstract

FlexRay is a communication system whose development was driven explicitly by the new needs of future in-car control applications. However, as far as babbling idiot avoidance is concerned, FlexRay does not provide a satisfactory solution. Therefore, a novel Bus Guardian (BG) is designed in this paper to avoid the babbling idiot failure in FlexRay communication systems. To minimize the effects of common mode failure between the novel BG and the associated node, the novel BG operates with an independent clock synchronization process. The supervision algorithm of the novel BG is presented and performance evaluation is done based on message worst case response time (WCRT) analysis. Evaluation results show that the increase in WCRT by including babbling idiot protection is bounded and small, and that the novel BG can enforce error containment in the time domain of FlexRay communication systems.

Keywords: Bus Guardian; FlexRay; Babbling idiot failure

I. INTRODUCTION

There is a visible trend in the automobile industry towards an increasing number of safety related electronic systems in vehicles that are directly responsible for active and passive driver, passenger, and environmental safety. These future applications will greatly increase overall vehicle safety by liberating the driver from routine tasks and assisting the driver in finding solutions in critical situations. Because the realization of such driver assistance systems requires direct electronic control of the steering, braking, suspension and powertrain functionality, they demand new features from the communication system. These additional requirements include the combination of higher data rates, deterministic behavior, flexibility and the support of fault tolerance.
Further, fast error detection in time (babbling idiot avoidance) is one of the primary requirements the communication system has to fulfill [1]. A faulty node that monopolises the common channel by sending messages at erroneous points in time is called a babbling idiot. The babbling idiot disrupts the communication between all properly operating nodes and can thus cause a complete system failure. It is therefore important to avoid babbling idiot failures (BIFs) in safety critical real time systems.

FlexRay is a communication system whose development was driven explicitly by the new needs of future in-car control applications. The main features of FlexRay are illustrated briefly as follows.

(1) Throughput. FlexRay features a throughput (10 Mbit/s) that is one order of magnitude higher than that of CAN, which is at present the preferred technology for interconnecting electronic devices in passenger vehicles.

(2) Media Access Control (MAC). The FlexRay protocol provides flexibility and determinism by combining scalable static and dynamic message transmission, incorporating the advantages of familiar synchronous and asynchronous protocols. In detail, the MAC of FlexRay is based on a recurring communication cycle. Each communication cycle is divided into the static (ST) segment and the dynamic (DYN) segment. Within the ST segment a time division multiple access (TDMA) scheme is applied to coordinate transmissions, while within the DYN segment a flexible time division multiple access (FTDMA) scheme, namely a DYN minislot based scheme, is applied to arbitrate transmissions.

(3) Fault tolerance. The basic properties that FlexRay provides for fault tolerant applications are: topological flexibility (single versus dual channel, mixed connectivity); fault-tolerant clock synchronization (also usable in a non fault-tolerant way); and conceptual separation of the functional and structural domains.
At present, FlexRay has gained support from key OEMs in Europe, Japan and the United States, such as Freescale Semiconductor, NXP, Fujitsu, Renesas Technology, and so on. In 2006 the FlexRay communication system was implemented in the new BMW X5 to provide fast and reliable coordination of all AdaptiveDrive functions, which makes the BMW X5 the first series production car with a FlexRay system. However, as far as babbling idiot avoidance is concerned, FlexRay does not provide a satisfactory solution. Although an independent device named Bus Guardian (BG) is incorporated in the physical layer to avoid BIFs in FlexRay, the BG is only effective in the ST segment of the communication cycle, which employs the TDMA scheme. As far as the DYN segment of the communication cycle, which employs the FTDMA scheme, is concerned, it does not provide the media with any protection at all [2]. Therefore, from this point of view, the safety of FlexRay has been doubted by experts [3]-[4] when it is applied in future safety-critical applications, such as by-wire applications.

Therefore, a novel BG is presented in this paper. The supervision algorithm of the novel BG is presented along with the node architecture necessary for implementing the presented technique. Performance evaluation of the novel BG is done based on message worst case response time (WCRT) analysis, aiming at the flexibility of the FlexRay communication system.

This paper is structured as follows. Section II illustrates the basic principle of the BG approach. In Section III, the design of the novel BG is presented. The novel BG is evaluated based on message WCRT analysis in Section IV. Finally, Section V concludes the paper.

978-1-4244-6585-9/10/$26.00 ©2010 IEEE

II. THE BASIC PRINCIPLE OF THE BG APPROACH

A BG is a device designed to protect a bus from the failure of some component attached to the bus. As a classical approach based on behavioral error detection mechanisms, the BG is a cost-efficient solution to avoid BIFs.

Figure 1. Structure of a node including the BG and the bus isolation switch (processing system, bus guardian, bus interface and bus isolation switch).

Figure 1 outlines the structure of the node with a BG and a bus isolation switch. In order to protect the communication bus, the bus isolation switch is inserted in the transmission path of the node and placed under the control of the BG. The BG makes use of the prescient temporal regularity of the inter-node communication scheme to enable or disable the bus access of the node at the required instants. Note that the reception path of the node is not intercepted or controlled by the BG in any way.

III. THE DESIGN OF THE NOVEL FLEXRAY BG

A. The Node Architecture with the BG

Figure 2 shows the block diagram of an ECU (node) composed of a Communication Controller (CC), Bus Drivers (BD) and a BG. The CC and the BG have separate clock oscillators. Further, the BG operates with an independent clock synchronization process, which minimizes the common failure mode with the CC. The BG supervises the TxEN signal from the CC and generates the BGE signal, which enables the output (transmission) of the BD, according to the proposed BG supervision algorithm described in Section III-D. Furthermore, the BG enables access to the transmission medium on both channels separately, i.e. BGE_A enables transmit access for channel A and BGE_B enables transmit access for channel B.

In case of a misaligned slot scheduling of the CC, the BG generates an error interrupt to the HOST. In addition, the CC supervises the BGE signal from the BG by means of the Bus Guardian Schedule Monitoring (BGSM). The CC also generates an error interrupt to the HOST if the slot scheduling of the BG is misaligned. In case of a single fault in the node, the node behaves fail silent, ensuring that both channels remain operational at the system level. The BG doesn't transmit any frame on the FlexRay bus. It only receives frames from the FlexRay bus, which is required for the BG clock synchronization.

Figure 2. The block diagram of an ECU with a BG (HOST, CC and BG connected to the bus drivers of channel A and channel B).

B. Fault Hypothesis and Fault Containment Units (FCU)

Since the BG has its own clock oscillator and operates with an independent clock synchronization process, the BG and the CC can each be considered a separate FCU. The fault hypothesis is described as follows:

Fault modes: arbitrary active faults in the CC; arbitrary passive faults in the BG.
Maximum faults: a single-fault hypothesis is adopted. In each node either the CC or the BG may fail (but not both).
Fault arrival rate: at most one fault within one FlexRay communication cycle.

C. The logical structure of the BG

Figure 3. The logical structure of the BG.

The BG is composed of the following parts, as shown in Figure 3.

BG Protocol Operation Control (POC): the BG POC is the overall control state machine within the BG, which controls the operation of the BG.

Communication controller based functionality: the CC based functionality includes a subset of the functionality of a CC. It receives the RxD_A and RxD_B signals from the two channels and performs the functionality of the decoder, clock synchronization processing (CSP), and so on. The BG utilizes the same core mechanisms as the CC, which ensures that the BG has a clock synchronization mechanism independent from the CC and minimizes the effects of common mode failure between the BG and the CC.

CC Supervision (CCS): the CC supervision functionality is used to enforce fail-silent behavior of the node. This block supervises the slot scheduling of the local CC and generates the BGE signal to enable or disable access for the CC to the communication medium according to the BG supervision algorithm. If the CC attempts to access the communication medium when it is not allowed, the BG generates an error message to the Host.

Host Interface: the BG communicates with the Host through the Host Interface.

Both the BG POC and the CC based functionality mentioned above have the same functionalities as the ones specified in the FlexRay Protocol Specification [5]. Further, the BG supervision algorithm used by the CCS is described in Section III-D.

D. The BG supervision algorithm

As far as the ST segment of the communication cycle is concerned, the BG supervision algorithm conforms to the FlexRay Specification [7]. As far as the DYN segment is concerned, a novel algorithm is proposed according to the DYN minislot based scheme. Several related core concepts and the BG operating principle are described as follows.

Concept of the Semi-Schedule Table

One core concept named "Semi-Schedule Table (SST)" is proposed in this paper. Each node which is intended to transmit in the DYN segment has a unique SST.
It consists of two sets, which are named SST-1 and SST-2 respectively. Their definitions are described as follows.

(1) SST-1: the set composed of all the FrameIDs which are allocated to the local node within the DYN segment of the communication cycle.

(2) SST-2: in practice, messages with different sizes are allowed to use the same FrameID to transmit. Thus each element (namely, FrameID) in SST-1 corresponds to one maximum message communication time. Therefore, a new set named SST-2, whose elements represent the maximum message communication time, is derived from SST-1. From the definition of SST-2, each element in SST-2 can be mapped to the element of SST-1 at the same position.

In addition, one important FlexRay protocol parameter named pLatestTx is used in the proposed algorithm. According to [5], pLatestTx is the number of the last minislot in which a frame transmission can start in the DYN segment. The value of pLatestTx is fixed for each node during the design phase, depending on the size of the largest DYN frame that the node will have to send during run-time.

The BG Operating Principle

By default the BGE signal is disabled and thus inhibits the CC from writing to the bus. When both of the following two conditions are satisfied, the BGE signal is enabled:

1) the value of the current DYN slot counter matches one of the FrameIDs in the SST-1 of the local node;
2) the value of the current minislot counter is less than pLatestTx_n, where pLatestTx_n represents the value of pLatestTx of the local node.
The time span during which the BGE signal is enabled (denoted TBGE) is determined by the following equations.

When the node has no message to transmit in the current DYN slot:

    TBGE = 1 gdMinislot                                                              (1)

When the node has a message to transmit in the current DYN slot i:

    TBGE = Min{Max_message_communication_time_j, Actual_message_communication_time}   (2)

where gdMinislot represents the duration of one minislot; Max_message_communication_time_j represents the element of SST-2 which corresponds to FrameID = i in SST-1. Here j is the position of FrameID = i in SST-1 and its range is 1 ≤ j ≤ k, where k is the number of elements in SST-1; Actual_message_communication_time represents the actual message communication time in the current DYN slot i.

According to the definitions described above, in the fault-free case Actual_message_communication_time is less than or equal to Max_message_communication_time_j. However, when the node suffers a BIF, Actual_message_communication_time may exceed Max_message_communication_time_j.

IV. EXAMPLE AND EVALUATION

According to SST-1, the BG can restrict transmission attempts of the communication controller to the pre-configured slots and therefore eliminate media access conflicts. However, due to the flexibility of the FTDMA access scheme, message transmission in a FlexRay system cannot be determined in advance, so BIFs cannot be eliminated completely by the BG. In order to quantitatively evaluate the maximum effects of the undetected faults on the other, normal message transmissions, the worst case response time (WCRT) of FlexRay DYN messages is introduced as the performance index of the BG. Fault Injection (FI) experiments are performed in order to compare the increase in WCRTs of messages in the process of evaluation.

Figure 4. The construction of the system to be evaluated (nodes N1, N2, ..., each with its own HOST, attached to the bus).

The construction of the system to be evaluated is shown in Figure 4. The bus speed is assumed to be 10 Mbit/s, and the durations of one communication cycle and of the ST segment are taken to be 100 μs and 20 μs respectively. Additionally, gdMinislot is set to 1 μs. The properties of the messages are shown in Table I. Note that C is the abbreviation for the message communication time.

As shown in Figure 4, N1 has been allocated the FrameIDs 3, 8 and 15. Thus we have BG1 SST-1 = {3, 8, 15}. Here Me, which uses FrameID = 3 to transmit, is ready for transmission at present. Assume that among all messages with different sizes which use FrameID = 3 to transmit, the maximum communication time is 35 μs. Thus we have Max_message_communication_time_1 = 35 μs. Similarly, assume further that Max_message_communication_time_2 = Max_message_communication_time_3 = 35 μs. Thus BG1 SST-2 = {35, 35, 35}.

If the system is fault-free, when the DYN slot counter reaches 3, the following three classical situations exist according to the length of Me:

Case (a): the length of Me is 0, namely Actual_message_communication_time = 0 in the current slot.
Case (b): the length of Me is 25 μs, namely Actual_message_communication_time = 25 μs, which is less than Max_message_communication_time_1.
Case (c): the length of Me is 35 μs, namely Actual_message_communication_time = 35 μs, which is equal to Max_message_communication_time_1.

In all three situations, Actual_message_communication_time is less than or equal to Max_message_communication_time_1. According to the BG supervision algorithm, we have TBGE = Actual_message_communication_time; namely, Me can be transmitted by N1 completely.
Next, in order to evaluate the maximum effects of the faults undetected by BG1, assume that N1 suffers a babbling idiot fault at the point in time when the DYN slot counter reaches 3. We name this Case (d). This time Actual_message_communication_time may exceed Max_message_communication_time_1. According to the BG supervision algorithm, TBGE = Max_message_communication_time_1; namely, BG1 will allow N1 to transmit for 35 μs before it disables the transmission.

Figure 5. Message WCRT analysis, comparing the WCRTs in the three fault-free cases (a)-(c) with the babbling idiot overhead of Case (d) (WCRT in μs against FrameID).

Finally, the values of the WCRTs of the messages in the system have to be calculated in all the above-mentioned cases. This problem is equivalent to bin covering, which belongs to the family of NP-hard problems. To obtain the optimal solution, [6] modeled the problem as an integer linear program (ILP). In this paper the ILP solver Lingo 8.0 from LINDO Systems Inc. is utilized to perform the calculations. The results of the calculations are shown in Figure 5.

As shown in Figure 5, as the length of Me increases, the WCRTs of messages which use larger FrameIDs (greater than 3) to transmit increase. Further, in contrast to Case (a) and Case (b), the increase in WCRTs by including babbling idiot protection (Case (d)) is bounded and small. Therefore, the maximum effects of the babbling idiot fault undetected by the BG are bounded, and it cannot cause a timing failure elsewhere in the system.

An interesting thing worth noting in Figure 5 is that the messages with FrameIDs equal to 1 and 2 have the same value in all cases. This is related to the value of the FrameID the babbling idiot has. We discuss it further using another fault injection experiment.
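To make the supervision algorithm of Section III-D and the fault-injection cases above concrete, the following Python model is added here; it is an illustration written for this page, not the authors' code or tooling. It walks one DYN segment minislot by minislot with the paper's parameters (gdMinislot = 1 μs, an 80 μs DYN segment left by a 100 μs cycle with a 20 μs ST segment, BG1 SST-1 = {3, 8, 15}, SST-2 = {35, 35, 35}). The peer nodes' 5 μs messages on FrameIDs 1, 2, 4, 5, 9 and 10, every pLatestTx value, the 10^6 μs stand-in for an unbounded babble, and the rule that a transmission occupies ceil(time / gdMinislot) minislots are assumptions of this example, not values from the paper. It reports the offset within the segment at which each frame starts, which is a single-cycle stand-in for the paper's ILP-based WCRT figures rather than that analysis itself; it also covers the second experiment (babbling at FrameID 3, 8 or 15) and shows the BG refusing an attempt on a FrameID outside SST-1.

```python
"""Minislot-level model of the FlexRay DYN segment under the paper's BG supervision
algorithm.  Added illustration, not the paper's code.  Constructed values: the peer
nodes' 5 us messages, all pLatestTx values and the BABBLE_US stand-in."""
from dataclasses import dataclass
from math import ceil

GD_MINISLOT_US = 1        # gdMinislot, as in the paper's evaluation
DYN_SEGMENT_US = 80       # 100 us cycle minus the 20 us ST segment, as in the paper
BABBLE_US = 10**6         # constructed stand-in for an unbounded babbling transmission


@dataclass
class BusGuardian:
    sst1: list            # SST-1: FrameIDs allocated to the node in the DYN segment
    sst2: list            # SST-2: max communication time (us) for the SST-1 entry at the same index
    p_latest_tx: int      # pLatestTx of the node (constructed value in this example)

    def bge_enabled(self, slot, minislot):
        """Both BG conditions: slot counter in SST-1 and minislot counter < pLatestTx."""
        return slot in self.sst1 and minislot < self.p_latest_tx

    def t_bge(self, slot, actual_time_us):
        """Time span the BGE signal stays enabled, equations (1) and (2) of the paper."""
        if actual_time_us <= 0:
            return GD_MINISLOT_US                    # (1): nothing to send in this slot
        j = self.sst1.index(slot)
        return min(self.sst2[j], actual_time_us)     # (2): cut off at the SST-2 entry


@dataclass
class Node:
    name: str
    bg: BusGuardian
    tx_requests: dict     # FrameID -> communication time (us) the CC tries to use this cycle


def simulate_dyn_segment(nodes):
    """Walk one DYN segment minislot by minislot.

    Returns (starts, blocked): starts maps FrameID -> offset (us) from the start of the
    DYN segment at which the frame went on the bus; blocked lists (node, FrameID) pairs
    whose attempt the BG refused (the BG would raise an error to the host).
    Assumption: a transmission occupies ceil(time / gdMinislot) minislots.
    """
    starts, blocked = {}, []
    minislot, slot = 1, 1
    while minislot <= DYN_SEGMENT_US // GD_MINISLOT_US:
        advance = GD_MINISLOT_US                     # an idle slot costs one minislot
        for node in nodes:
            actual = node.tx_requests.get(slot, 0)
            if actual <= 0:
                continue
            if not node.bg.bge_enabled(slot, minislot):
                blocked.append((node.name, slot))    # BGE stays low: nothing reaches the bus
                continue
            window = node.bg.t_bge(slot, actual)     # BG bounds the time on the bus
            starts[slot] = (minislot - 1) * GD_MINISLOT_US
            advance = max(advance, window)
        minislot += ceil(advance / GD_MINISLOT_US)
        slot += 1
    return starts, blocked


def build_system(me_length_us=0, babble_at=None):
    """N1 owns FrameIDs {3, 8, 15} with BG1 SST-2 = {35, 35, 35}, as in the paper.
    me_length_us is the length of message Me on FrameID 3 (cases a-c); babble_at makes
    N1 a babbling idiot at that FrameID (case d and the second experiment)."""
    n1_requests = {3: me_length_us} if me_length_us > 0 else {}
    if babble_at is not None:
        n1_requests[babble_at] = BABBLE_US
    n1 = Node("N1", BusGuardian([3, 8, 15], [35, 35, 35], p_latest_tx=45), n1_requests)
    # Constructed peer nodes: one 5 us message each on FrameIDs 1, 2, 4, 5, 9 and 10.
    peers = [Node(f"P{fid}", BusGuardian([fid], [5], p_latest_tx=75), {fid: 5})
             for fid in (1, 2, 4, 5, 9, 10)]
    return [n1] + peers


def start_times(me_length_us=0, babble_at=None):
    """FrameID -> start offset (us) for the given scenario."""
    starts, _ = simulate_dyn_segment(build_system(me_length_us, babble_at))
    return starts


if __name__ == "__main__":
    for label, kwargs in [("(a) Me empty", dict(me_length_us=0)),
                          ("(b) Me = 25 us", dict(me_length_us=25)),
                          ("(c) Me = 35 us", dict(me_length_us=35)),
                          ("(d) N1 babbles at FrameID 3", dict(babble_at=3)),
                          ("N1 babbles at FrameID 8", dict(babble_at=8)),
                          ("N1 babbles at FrameID 15", dict(babble_at=15))]:
        print(label, start_times(**kwargs))
    print("blocked outside SST-1:", simulate_dyn_segment(build_system(babble_at=6))[1])
```

In this model the babbling case (d) shifts FrameIDs above 3 by exactly the same amount as the legitimate 35 μs message of case (c), which is the bounded overhead the paper reports; FrameIDs 1 and 2 keep their offsets in every scenario, and moving the babble to FrameID 8 or 15 leaves every lower FrameID untouched, matching the two observations drawn from Figure 6. A babble on FrameID 6, which is not in BG1's SST-1, never reaches the bus and is reported as a blocked attempt.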
This time, in the fault-free case, assume that node N1 has nothing to transmit. Then we inject the babbling idiot fault into N1 right at the time when the DYN slot counter reaches 3, 8 and 15 respectively. Finally, we calculate the WCRTs in all these cases and compare them. The calculation results are shown in Figure 6. As shown in Figure 6, when the BG is working:

(1) As the value of FrameID_bif, which refers to the FrameID the babbling idiot uses to transmit, decreases, the babbling idiot has more effect on the other message transmissions in the system.
(2) Messages which use FrameIDs less than FrameID_bif are not affected at all.

Figure 6. Worst case response times, comparing the usual WCRT analysis with the babbling idiot overhead for different priorities (after FI with FrameID = 3, 8 and 15; WCRT against FrameID).

V. CONCLUSION

A novel BG has been designed in this paper to avoid BIFs in FlexRay communication systems. The novel BG can provide the media with protection both in the ST segment and in the DYN segment of the FlexRay communication cycle. Due to the flexibility of the FlexRay communication system, performance evaluation of the novel BG is done based on message worst case response time (WCRT) analysis. Evaluation results show that the novel BG can enforce error containment in the time domain of FlexRay systems and help to make FlexRay appropriate for safety-critical applications.

REFERENCES

[1] Markus Krug and Anton V. Schedl, "New Demands for In-vehicle Networks," Proceedings of the 23rd EUROMICRO Conference, Sept. 1997, pp. 601-605.
[2] Kai Wang, Hong Wang and Aidong Xu, "Enforcing Fail-Silence in the Entire FlexRay Communication Cycle," SAE Paper 2007-01-1499.
[3] J. Rushby, "A Comparison of Bus Architectures for Safety-Critical Embedded Systems," Technical Report NASA/CR-2003-212161, 2003.
[4] G. Leen and D. Heffernan, "Expanding automotive electronic systems," Computer, vol. 35, no. 1, pp. 88-93, 2002.
[5] FlexRay Consortium, FlexRay Communications System Protocol Specification Version 2.1. [Online]. Available: http://www.flexray.com.
[6] Traian Pop, Paul Pop, Petru Eles, Zebo Peng and Alexandru Andrei, "Timing Analysis of the FlexRay Communication Protocol," Proceedings of the 18th Euromicro Conference on Real-Time Systems, 2006.
[7] FlexRay Consortium, FlexRay Communication System Preliminary Node-Local Bus Guardian Specification Version 2.0.9. [Online]. Available: http://www.flexray.com.