Design of dual CAN redundancy scheme based on STM32F105 microcontroller

Publisher: 草木知秋 | Latest update time: 2016-08-13 | Source: dzsc | Keywords: STM32F105
     Controller Area Network (CAN) is a multi-master serial communication bus. The CAN bus offers a high bit rate, strong immunity to electromagnetic interference, and a complete error detection mechanism, and it is widely used in the automotive, manufacturing, and aviation industries. Because the environment in a ship's engine room is extremely harsh and maintenance conditions during a voyage are not as good as on land, the reliability requirements for CAN communication are very high. Dual redundant CAN buses are used to improve communication reliability. This paper proposes a dual CAN redundant design based on the STM32F105 microcontroller.

  1 Hardware Platform Composition

  The STM32F105 is a 32-bit microcontroller based on the ARM Cortex-M3 core, launched by STMicroelectronics. Its core is designed to meet the embedded field's requirements for high performance, low power consumption and real-time operation. Thanks to the Thumb-2 instruction set, the STM32 can run up to 35% faster and save up to 45% of code compared with an ARM7 microcontroller. The high clock frequency and code execution efficiency allow the system to run the bus redundancy algorithm while sending and receiving CAN bus data. The STM32F105 integrates 2 independent CAN controllers. Because the controllers are inside the chip, the design avoids the interference introduced by bus expansion, simplifies the circuit and reduces cost.

  The system uses two completely independent CAN buses, each with its own bus transceiver and bus controller, to achieve full redundancy of the physical layer and data link layer. During initialization, the two controllers are activated simultaneously, one as the master CAN and the other as the slave CAN, which backs up the master controller. During normal operation, data is sent through the master CAN first; when the master CAN bus is busy, the slave CAN bus takes over part of the communication traffic; and when the master CAN bus fails, the data is transferred to the slave CAN controller for transmission, and vice versa. When either bus fails, data can be transmitted via the other bus, and when both buses are normal, the two buses transmit simultaneously, increasing the communication bandwidth by about 100% (roughly doubling it), which ensures communication reliability while improving real-time performance.

  The CAN bus interface circuit design is shown in Figure 1. The TJA1050 is used as the bus transceiver; it performs level conversion and differential transmission and reception between the CAN controller and the physical bus. Although the TJA1050 itself has some protection capability, its bus interface still adopts additional safety and anti-interference measures: two small 10 pF capacitors are connected between CANH and CANL of the TJA1050 and ground to filter out high-frequency interference on the bus; in addition, to enhance the anti-interference ability of the CAN bus node, a transient suppression diode is connected between each bus input and ground. When transient interference occurs between the two inputs and ground, the voltage at the transceiver input is clamped within a safe range.

  To prevent overvoltage on the bus from damaging the node, the data transmit and receive pins of the STM32F105's built-in CAN controller are not connected directly to the TJA1050; instead, the signals pass through an ADuM1201 magnetic isolator. Compared with traditional optocoupler isolation, magnetic isolation simplifies the isolation circuit design, and the power consumption of the magnetic isolation chip is very low, about 1/10 that of optocoupler isolation. In addition to isolating the CAN data signals, the power supply and ground used by the TJA1050T must also be completely isolated from the system, so the IB0505LS switching power supply module with a 5 V isolated output provides the isolated power. Because of the high data transmission rate of the CAN bus, the network topology should be designed as a single-line structure as far as possible to improve signal quality and avoid signal reflection, and each end should be terminated with a matching resistor of about 120 ohms.


Figure 1 CAN interface circuit design

  2 Software Design

  The CAN protocol specification defines only the data link layer and part of the physical layer, so it is not complete on its own. Dual CAN redundant applications need to implement bus status monitoring and network fault diagnosis and identification, which can be achieved by adding a software redundancy module. The redundancy module is called in the main loop of the program and switches the transmit/receive channel according to the bus error state. The CAN bus error state falls into three categories: error active, error passive, and bus off. The bus is in the error active state when it works normally. After the controller detects an error, it increments the value of the transmit/receive error counter. When the value is greater than 127, the controller enters the error passive state. When it is greater than 255, it enters the bus-off state. The CAN bus error detection module reads the error status register as the test condition for a bus fault. When the error state changes, the redundancy algorithm is called to perform the bus switching operation.

  Actual debugging shows that when the bus connection is disconnected and only one node continues to send messages, a transmission error occurs. The controller enters the error passive state, but does not enter the bus-off state; other errors increase the error counter, and the controller enters the error passive state and then the bus-off state in turn. These two states indicate that the bus is seriously disturbed and that corresponding measures need to be taken. To simplify the control logic, error passive and bus off are combined into a single bus fault condition.

  The redundancy algorithm uses a state machine to switch the transmission mode, and selects the bus to be used for transmission according to the bus faults present. The state switching flow chart is shown in Figure 2. The program first reads the error status register to obtain the bus error status, and determines whether the current bus is in the error active state. If a bus fault is detected, the program sets the corresponding flag to indicate the error to other program modules. To improve the efficiency of message transmission, the sending program writes multiple messages to the transmit mailboxes at a time, and the hardware sends them automatically. When switching the bus, the messages in the transmit mailboxes of the faulty bus must be read back first and sent first on the backup bus. This mechanism ensures that messages are not lost because of bus switching. The controller then sends test messages with an empty data field on the faulty bus. Every time a message is sent successfully, the value of the bus transmit error counter decreases, until its value is less than 128 and the bus returns to the error active state; the redundancy program reads the error status register at regular intervals to detect whether the faulty bus has returned to normal.

  In the two-bus simultaneous transmission mode, the sending program gives priority to writing to the mailboxes of bus 1. When the mailboxes of bus 1 are full, it writes to the mailboxes of bus 2. Since messages are sent according to priority arbitration, if the transmit mailboxes of one bus are often empty, the communication traffic on that bus is light. The sending program then transfers more messages to the idle bus, so as to balance the message load.
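
The switching and load-sharing rules described above, as an added example that is not code from the original article. `can_bus_t`, `bus_health`, `select_mode`, `failover` and `pick_bus` are hypothetical names, and the error counters are a plain C model, not the STM32F105 register interface.

```c
#include <stdint.h>
#include <string.h>
/* Hypothetical model: tec/rec stand in for the error counters that the
   article's detection module obtains from the error status register. */
typedef enum { BUS_OK, BUS_FAULT } bus_health_t;
typedef enum { TX_DUAL, TX_BUS1_ONLY, TX_BUS2_ONLY, TX_NONE } tx_mode_t;
#define MAILBOXES 3               /* transmit mailboxes per controller */
typedef struct {
    uint16_t tec, rec;            /* transmit / receive error counters */
    uint32_t mbox[MAILBOXES];     /* IDs of frames waiting to be sent */
    int pending;                  /* number of occupied mailboxes */
} can_bus_t;

/* Article's rule: error passive (>127) and bus off (>255) are one fault. */
bus_health_t bus_health(const can_bus_t *b) {
    return (b->tec > 127 || b->rec > 127) ? BUS_FAULT : BUS_OK;
}

tx_mode_t select_mode(const can_bus_t *b1, const can_bus_t *b2) {
    int ok1 = bus_health(b1) == BUS_OK, ok2 = bus_health(b2) == BUS_OK;
    if (ok1 && ok2) return TX_DUAL;
    if (ok1) return TX_BUS1_ONLY;
    if (ok2) return TX_BUS2_ONLY;
    return TX_NONE;
}

/* Read back the faulty bus's queued frames and put them first on the backup. */
int failover(can_bus_t *faulty, can_bus_t *backup, uint32_t *overflow, int cap) {
    uint32_t merged[2 * MAILBOXES];
    int n = 0, lost = 0;
    for (int i = 0; i < faulty->pending; i++) merged[n++] = faulty->mbox[i];
    for (int i = 0; i < backup->pending; i++) merged[n++] = backup->mbox[i];
    faulty->pending = 0;
    backup->pending = n < MAILBOXES ? n : MAILBOXES;
    memcpy(backup->mbox, merged, (size_t)backup->pending * sizeof merged[0]);
    for (int i = MAILBOXES; i < n; i++) {   /* spill to a software queue */
        if (i - MAILBOXES < cap) overflow[i - MAILBOXES] = merged[i];
        else lost++;                        /* caller must treat >0 as an error */
    }
    return lost;
}

/* Dual mode: bus 1 first, bus 2 when bus 1 is full; -1 means wait. */
int pick_bus(tx_mode_t m, const can_bus_t *b1, const can_bus_t *b2) {
    if (m == TX_NONE) return -1;
    if (m != TX_BUS2_ONLY && b1->pending < MAILBOXES) return 1;
    if (m != TX_BUS1_ONLY && b2->pending < MAILBOXES) return 2;
    return -1;
}
```

`failover` returns the number of frames that fit neither the backup mailboxes nor the overflow queue, so a caller can confirm that a switch lost nothing.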


Figure 2 Bus state switching flow chart.

  3 Reliability Analysis and Testing of Dual Bus Redundancy

  The reliability of the dual CAN redundant system is quantitatively analyzed, and the concept of Mean Time To Failure (MTTF) is introduced. MTTF describes the time interval from the start of a system to the occurrence of a failure, that is, the average life span. To simplify the analysis, the following assumptions are made: the failure rate of each CAN bus is the same; the damage of the CAN bus is physical damage, that is, irreparable damage. The exponential distribution can be used to describe the life of electronic components. Assuming that the life distribution of the CAN bus follows the exponential distribution, the reliability model of the CAN bus is shown in Figure 3.


Figure 3 CAN bus reliability model diagram

  Model 1 is the single-bus reliability model. Because the bus life follows an exponential distribution with failure rate λ, the mean trouble-free operating time of a single CAN bus is MTTF1 = 1/λ. Model 2 is the dual CAN bus redundant reliability model: the system consists of two independent buses in parallel, that is, system communication fails only when both buses fail, so the average life of the system is MTTF2 = 3/(2λ). The dual-line redundant design therefore increases the mean trouble-free time of CAN communication by 50%.

  Another key indicator of the dual-line CAN redundant system is the bus switching time, which is equal to the sum of the time required to detect the error and the time required to handle the messages left unsent on the faulty bus. The shorter the switching time, the smaller the delay that a bus fault causes in message transmission. The time required to detect the error is the time from the occurrence of the bus error to its detection by the redundancy program. Taking a bus disconnection fault as an example, the transmitter generates an acknowledgment (ACK) error every time it sends a message, and the error counter increases by 8 each time. The node needs to send 16 times in succession for the error counter value to reach 128 and trigger the bus switch. At a bit rate of 125 kbps, with messages of at most 128 bits, and ignoring the controller retransmission interval, the response time from the occurrence of the fault to its detection is:

  To avoid losing messages during bus switching, the redundancy algorithm needs to read back the unsent messages in the faulty controller, which adds fault handling time. Because each transmit mailbox can store up to 3 messages, assuming the bit rate remains 125 kbps and the backup bus wins arbitration when sending, the longest fault handling time is:

  Therefore, the bus switching time is 16.38 + 3.07 = 19.45 ms.
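
The two calculations described above, carried through as an added example that is not part of the original article. It models the error-counter behaviour for a transmitter that never receives an ACK, using the CAN fault-confinement rule that an error-passive transmitter does not raise its counter further on an ACK error; the names `tx_model_t`, `ack_error`, `frames_until_fault`, `wire_time_us` and `switch_time_us` are hypothetical, and the function accepts other bit rates and frame lengths than the 125 kbps and 128 bits used in the text.

```c
#include <stdint.h>

/* Fault-confinement model for a transmitter whose frames are never
   acknowledged (constructed scenario: bus disconnected, lone node). */
typedef struct { uint16_t tec; uint32_t frames; } tx_model_t;

#define ERROR_PASSIVE_LIMIT 128   /* TEC >= 128: error passive */

/* One failed transmission attempt. Once error passive, an ACK error no
   longer raises TEC, so this fault alone never drives the node to bus off. */
void ack_error(tx_model_t *m) {
    m->frames++;
    if (m->tec < ERROR_PASSIVE_LIMIT) m->tec += 8;
}

/* Attempts needed before the redundancy module sees a bus fault. */
uint32_t frames_until_fault(void) {
    tx_model_t m = {0, 0};
    while (m.tec < ERROR_PASSIVE_LIMIT) ack_error(&m);
    return m.frames;
}

/* Time on the wire for n frames, in microseconds. */
uint32_t wire_time_us(uint32_t n, uint32_t bits_per_frame, uint32_t bitrate_bps) {
    return (uint32_t)((uint64_t)n * bits_per_frame * 1000000u / bitrate_bps);
}

/* Detection time plus resending the frames read back from the mailboxes. */
uint32_t switch_time_us(uint32_t bits, uint32_t bps, uint32_t mailboxes) {
    return wire_time_us(frames_until_fault(), bits, bps)
         + wire_time_us(mailboxes, bits, bps);
}
```

With 128-bit frames at 125 kbps and 3 mailboxes this gives 16384 µs + 3072 µs = 19456 µs, which the text rounds term by term to 19.45 ms.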

  The bus switching time for continuously sending different message lengths at a bit rate of 125kbps is measured experimentally and is shown in Table 1:

Table 1 Bus switching time


  The switching time is 22.80 ms at a bit rate of 125 kbps, which is slightly longer than the theoretical calculated value. This is due to the additional overhead of running the redundancy algorithm and reading the controller error status register (ESR) when the bus is switched. However, in actual applications, the time a message waits to win arbitration is much longer than the switching time. Bus failures do not occur frequently, and the redundant switching algorithm has no significant impact on the operation of the system.

  4 Conclusion

  Compared with the traditional redundancy scheme in which a single-chip microcontroller is extended with two CAN controllers over its bus, this design makes full use of the two CAN controllers built into the STM32F105 microcontroller, simplifies the circuit design, and reduces the cost. At the same time, the dual CAN redundant communication system improves the overall reliability of the system. The dual-bus load balancing technique increases the bus bandwidth and balances the communication load. The system has achieved good results in transmitting the images and data signals of a ship's engine room monitoring system.
