Automotive Distributed Safety System Based on FlexRay Network
The network topology has a significant impact on the safety of automotive network systems. To ensure the availability and reliability of communication systems in automotive environments, they need to be optimized for specific applications. In this regard, the recently emerged FlexRay physical layer technology has great potential. This article starts with a simple network example, moves from simple to complex, and finally introduces a reliable and sophisticated solution. Along the way, we discuss several possible network configurations and their advantages and disadvantages.
FlexRay has innovative functions and safety features that can achieve a high level of automotive system safety. FlexRay can not only simplify the architecture of automotive electronics and communication systems, but also help automotive electronic units become more stable and reliable. Major Asian automobile manufacturers including Toyota, Nissan, Honda, Hyundai and Kia Motors have joined the FlexRay Alliance, further strengthening the alliance's efforts to create a universal standard for automotive by-wire technology. With the participation of some new automobile manufacturers, almost 7 out of every 10 cars produced worldwide each year are produced by FlexRay members.
Before starting the discussion, let's briefly introduce the FlexRay protocol. FlexRay is a flexible communication system that can meet the needs of future advanced automotive high-speed control applications. At the same time, FlexRay supports distributed control systems and can supplement major in-vehicle network standards such as CAN, LIN and the MOST optical data bus for media applications. The FlexRay protocol is designed for chassis control, body and powertrain applications that require high communication bandwidth and deterministic, fault-tolerant data transmission. However, the FlexRay communication system is not just a communication protocol.
It also includes a specially designed high-speed transceiver and defines the hardware and software interfaces between the different components of a FlexRay node. The FlexRay protocol defines the format and function of the communication process in a networked automotive system. In addition to the protocols, software and support services under development, the FlexRay Alliance is also committed to providing the tools required for communication system design, test, measurement and simulation through leading tool manufacturers and test organizations among the alliance members.
At any time, the control system must collect enough information from the actual system to maintain control of the car and enhance its performance. More and more sensors are used in cars, especially sensors that perceive external information such as the road and obstacles in front of, beside and behind the vehicle. Such sensors include video, radar and photoelectric sensors, and the large amount of data they capture is transmitted to the ECU in the car in real time for processing.
FlexRay uses two independent physical lines for communication, each with a data rate of 10 Mbps. The two communication lines are mainly used for redundancy, so the message transmission is fault-tolerant. The two lines can also be used to transmit different messages, so that the data throughput can be doubled. FlexRay can also operate at lower data rates. When the speed is less than 1 Mbps, it allows the support of transmission bus structures (such as CAN); when the speed is above 1 Mbps, different nodes are connected in a point-to-point manner using active star couplers.
One of the important target applications of FlexRay is by-wire operation (such as steer-by-wire, brake-by-wire, etc.), that is, using fault-tolerant electrical/electronic systems to replace mechanical/hydraulic parts.
By-wire operation includes all automotive control application interconnection technologies from steering to braking and acceleration, which can complement and eventually replace current mechanical and hydraulic solutions. With fewer in-vehicle components, especially mechanical and hydraulic ones, that part of the cost is no longer incurred, so in terms of overall component and assembly costs, electronic systems are cheaper than mechanical and hydraulic components. The industry is moving towards fully electronic systems in car design, which will provide drivers and passengers with greater safety and a more comfortable interior environment through innovative intelligent driver assistance systems. Another tangible benefit for car buyers is the greater design freedom that FlexRay will bring, especially in the car interior. Without the steering column that takes up a lot of space, the car of the future will have a completely new look and ride.
In addition to drive-by-wire operation, FlexRay also has a large application space in automotive powertrain and safety electronics systems, which require high-speed data transmission, such as serving as a central electronic backbone bus to connect various bus networks in the car and facilitate the introduction of new electronic control systems in the car. For Asian car manufacturers, the benefits of FlexRay standardization include reducing development and production costs and reducing the risk of adopting this innovative technology, thereby enabling this new system to be widely adopted in the market.
At present, data exchange between different control devices, sensors and brakes in the car is mainly completed through the CAN network, but the emerging drive-by-wire operation system places higher requirements on the communication network, especially in terms of fault tolerance and time determinism of message transmission.
FlexRay meets these requirements by transmitting messages in fixed time slots and using both channels to provide fault tolerance and redundancy for message transmission.
Figure 1 shows an example of a network application in an automobile, with four wheel nodes (1 to 4), a central electronic control unit (ECU) (5) and a backup ECU (6). With appropriate measures in the application software, the system is not affected by the failure of one ECU. However, a simple FMEA (failure modes and effects analysis) reminds us that more serious failures may occur: water entering the connector and causing problems in both channels connected to a certain ECU, an ECU printed circuit board fracturing, or mechanical shock causing cable glands to fall off or deform. Each of these can cause the same failure mode in both channels (see Figure 2), resulting in a complete interruption of communication at some nodes.
One way to avoid such accidents with partially redundant systems is to reduce the complexity of the network topology. Going back to the familiar principle of two independent diagonals gives a possible simple solution (Figure 3). Now, the wheel nodes are connected to only one channel, while the central ECU and the backup ECU are still connected to two channels. The ECU and its backup can be better protected against mechanical shocks because they can be placed behind the passenger unit, such as the center console. Fewer connections means fewer failure modes, which may be suitable for some applications, but the risk of the common failure modes mentioned above is still not eliminated, so it is necessary to seek further improvements. FlexRay solves this problem by introducing active star connectors.
FlexRay system with active star connectors
The network topology shown in Figure 4 is similar to the above, except that an active star connector is added to one channel. The active star connector acts as a router and sends the incoming messages from one branch to all other branches during normal communication. The benefit of the active star connector is that it can detect branches with problems or messages that have exceeded the time limit.
When such faults are detected, the active star connector disconnects the affected network branch, thereby ensuring that the communication of other branches in the network is not affected. The ability to disconnect the faulty area is the main advantage of the active star connector over other physical layer connection methods. Assuming that the failure of node 6 affects both branches (Figure 5), the system can still work, although with reduced (but still acceptable) performance; the communication between nodes 2 and 3 will be lost. If the failure occurs at node 5 instead of node 6, the situation is exactly the same. This result is very interesting because the active star connector is only used in one channel, so the entire network topology is asymmetric.
FlexRay system with two active star connectors
Introducing an active star connector in the other channel also makes the network more symmetrical and, after taking appropriate measures in the application software, does not degrade the system performance even in the fault scenario shown in Figure 6. At this point, all four wheel nodes are still accessible and one of the central ECUs (here node 5) has control of the entire system. When a cable connection to one wheel node is shorted, the other wheel connected to this diagonal line is also affected. In this fault mode, this network topology has no advantage over a network with an active star connector. However, for some applications, it may be unacceptable to have two wheel nodes lose communication at the same time, and a different solution needs to be found. The nodes that are first connected to the shorting cable and then to the active star connector can instead be connected directly to the active star connector, which requires one more branch on each active star connector.
FlexRay system without shorting cables
The configuration in Figure 7 guarantees maximum network availability in all the fault modes discussed above. Of all the examples discussed in this article, this network topology also provides the best electromagnetic compatibility (EMC) because there is no shorting cable.
Summary
As mentioned above, the network topology is mainly determined by the minimum availability requirements of the communication link. For a certain failure mode, a solution can always be found that meets the availability requirements. The scalability of FlexRay allows an optimal balance between system cost and safety. The first FlexRay transceiver (Philips TJA 1080) that supports this physical layer approach is already available, and this transceiver can also be used to build an active star connector.
Ongoing vehicle tests and further theoretical analysis will apply these results and generalize them to more demanding application networks with more than 6 nodes.
In addition to the failure modes discussed here, there are also some serious failure modes in the time domain, where the active star connector also has certain advantages. A node with a transmission error does not affect the ongoing communication of other nodes connected to the active star connector, because the active star connector continues to route other branch messages. In addition, the active star connector will disconnect or discard messages that exceed a certain time limit, thus preventing the communication channel from being monopolized. In some cases, special safety requirements may place higher demands on "time domain signal security". It may then be necessary to use the so-called bus guardian. The FlexRay bus guardian can monitor whether the timing of the communication controller at each node meets the requirements.
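
The topology comparison above can be checked mechanically. The following is an added example, not part of the original article: a small availability model of the four configurations (diagonal buses, one active star, two active stars, one branch per wheel node) under the fault modes discussed. The figures are not reproduced here, so the branch layout, the channel names A/B and the topology names are assumptions inferred from the text.

```python
# Added example: constructed topology model, not taken from the article's figures.
WHEELS, ECUS = {1, 2, 3, 4}, {5, 6}

# channel -> electrically separate segments (assumed layout).
# One segment   = passive bus: a fault anywhere takes the whole channel down.
# Many segments = branches of an active star, which cuts off only the bad branch.
TOPOLOGIES = {
    "diagonal_bus": {"A": [{1, 4, 5, 6}],       "B": [{2, 3, 5, 6}]},
    "one_star":     {"A": [{5}, {6}, {1, 4}],   "B": [{2, 3, 5, 6}]},
    "two_stars":    {"A": [{5}, {6}, {1, 4}],   "B": [{5}, {6}, {2, 3}]},
    "own_branches": {"A": [{5}, {6}, {1}, {4}], "B": [{5}, {6}, {2}, {3}]},
}

# Fault = set of (channel, node) connections that are shorted or broken.
ECU6_BOTH_CHANNELS = {("A", 6), ("B", 6)}   # common-mode fault at backup ECU 6
ECU5_BOTH_CHANNELS = {("A", 5), ("B", 5)}   # same fault at central ECU 5
WHEEL1_CABLE = {("A", 1)}                   # short on the cable to wheel node 1


def alive_on_channel(segments, faulty_nodes):
    """Nodes that can still communicate on one channel."""
    alive = set()
    for segment in segments:
        if not segment & faulty_nodes:      # segment untouched by any fault
            alive |= segment
    return alive


def reachable_wheels(topology, faults):
    """Wheel nodes that at least one ECU can still reach on some channel."""
    reached = set()
    for channel, segments in TOPOLOGIES[topology].items():
        faulty = {node for ch, node in faults if ch == channel}
        alive = alive_on_channel(segments, faulty)
        if alive & ECUS:                    # a controller is still on this channel
            reached |= alive & WHEELS
    return reached


if __name__ == "__main__":
    for name in TOPOLOGIES:
        ecu = sorted(reachable_wheels(name, ECU6_BOTH_CHANNELS))
        wheel = sorted(reachable_wheels(name, WHEEL1_CABLE))
        print(f"{name:13} ECU 6 fault -> {ecu}   wheel 1 short -> {wheel}")
```

The model treats the active star itself as fault-free and ignores time-domain faults, so it only covers the wiring failure modes compared in the topology sections.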