Experimental Jitter Analysis in a FlexCAN based DbW Automotive Application
Juan R. Pimentel
Kettering University
and
Jason Paskvan
Mentor Graphics Corporation

Presentation Outline
• Introduction
• Characterization of Jitter in CAN
• Summary of FlexCAN
• How FlexCAN reduces Jitter
• FlexCAN based Drive by Wire Application
• Experiments to measure Jitter
• Results
• Conclusions

Introduction
CAN is a mature protocol for many small area applications due to its:
• error control features
• low latency
• priority-based bus access
• instant bit monitoring
CAN limitations:
• Speed up to 1 Mbps
• Limited distance (related to speed)
• Limited dependability
There is an ongoing debate about whether CAN, with proper enhancements, can support safety-critical applications

Introduction
Although highly advantageous, the priority-based bus access has the negative side effect of causing substantial network delay jitter
A large jitter can have a detrimental impact on the performance of many distributed embedded systems
There have been several proposals to make CAN more deterministic and dependable
One such proposal is FlexCAN, which combines features of:
• CAN
• FlexRay

CAN: Features and Limitations
Great Features:
• Global, priority-based bus access (bit-wise arbitration)
• Instant bit monitoring
• Instant acknowledgement
• Bw × delay < 1 bit time
• Excellent error control features
Limitations:
• Speed (1 Mbps)
• Distance (40 m)
• No unidirectional communications
• Limited error confinement
• Large and variable jitter
• Limited fault-tolerant and safety-critical features

Message Latency Jitter in CAN
Three sources of jitter:
• due to bit stuffing
• due to jitter in scheduled tasks
• due to the dynamic mixture of TT (time-triggered) and ET (event-triggered) traffic
Jitter in scheduled tasks is due to variations in the time actually taken to execute software tasks in a node
It is assumed that software tasks are responsible for sending CAN messages
The third type of jitter results from periodic messages waiting for higher priority event traffic that arrives at arbitrary and unpredictable times

FlexCAN: Main Features
Architecture:
• Node replication (1, 2, 3, …)
• Channel replication (1, 2, 3, …)
Synchronization:
• CST (TT from application)
• node replication
• channel replication
Replication management:
• Protocol: SafeCAN
– Replacement for primary node is always ready thanks to a ranking protocol based on hardware addresses.
Support for composability in time domain
• Communication cycle
– Reference message
– Timer based
Enforcement of fail-silent behavior
• Transient failures
– Similar to FTT-CAN
• Permanent failures: SafeCAN, Bus guardian

FlexCAN: Architecture
• Node replication (1, 2, 3, …)
• Channel replication (1, 2, 3, …)
[Figure: FlexCAN architecture. Labels: Safeware Sensor, Safety Layer, Standard Application, Safeware Actuator, Network Manager, Controller FTU, Replicated CAN channels (1, 2)]

FlexCAN: Composability
Communication Cycle (Defines Cycle Time)
– Reference message (one per cycle time)
– Timer based (resolution of at least 0.1 ms)
– Integral number of sub-cycles per comm. cycle
– In fig. below: there are four sub-cycles
– Messages are scheduled into sub-cycles
– Messages from different sub-cycles do not interfere with one another (principle of independence, enforced by removing messages from transmit buffer at the end of the sub-cycle)
[Figure: one Cycle Time divided into sub-cycles T1, T2, T3, T4; HW_Position repeated along the cycle. Labels: Angle, speed commands; Angle, speed references; Angle, speed, status and force fdk; Gateway. Messages: M1, m2; M4, m5, m6; m7, m8; M3; M9]

FlexCAN: Highly Deterministic
[Figure: timing diagram over one Sampling Period Ts with rows Sensing, Computation, Actuation and Bus; events E1, E2, E3, E4, E5, E6, E8; labels Sn, Un, An, WSn, WAn, WUn, CSn, CUn]
[Figure: communication cycle with sub-cycles RA, RB, RC, RD; HW_Position repeated along the cycle. Network nodes: HW, P, S1, S2, T1, T2, FR, C(P), C(S). Labels: Angle, speed commands; Traction speed and status; Steering speed, status and force fdk; Angle, speed references, Gateway. Message groups: m1, m2; m6, m7, m8; m4, m5; m3, m9]

FlexCAN Summary
• FlexCAN is an architecture that supports safety critical systems
• FlexCAN and its underlying protocol (SafeCAN) have the following features:
– Modular
– Scalable but bounded
– Based on COTS CAN chips and transceivers
– Compatible with native CAN message IDs
– Flexible
– Simple
– Deterministic
– Cost effective
– Dependable

Experimental Jitter Measurements: Drive by Wire (DbW) System
• Drive-by-Wire (DbW) systems are electro-mechanical systems.
• Expected to replace the mechanical/hydraulic means of transmitting and actuating driving commands
• DbW systems can enhance the safety of the vehicle occupants only if
– Dependability issues are addressed
• Main issues:
– Assessment of suitable control and communication architectures
– Validation of their dependability
• Safety-critical functional units (sub-systems):
– Steering
– Acceleration
– Braking

Padova Lift Truck
• Manufacturer: Cesab S.p.A.
• Source: 48 Volt Battery pack
• Hydraulics:
– Steering, hoisting, braking
• Traction: two front electric drives (IM)
• Steering mechanism engages rear wheels.
• Safety requirements:
– fault-operational
– fault-safe

DbW: Control Architecture
[Figure: control architecture. Blocks: Hand Wheel ECU, Accelerator Pedal ECU, Steering ECU, Traction ECU, Control ECU (Command Conditioning, Vehicle management under faults). Signals: Steering Command, Steering Reference, Force Feedback Reference, Speed Command, Speed Reference, Steering Angle, Vehicle Speed, Drive Status, Steering Status, From Dashboard ECU]

DbW: Control ECU Functions
Command Conditioning
• Increase stability of system
• Assist driver in maneuvers
• Speed is reduced to avoid overturning the vehicle if:
– a tight swerve is commanded
– load is up-lifted
• Adaptation of steering ratio to truck speed to:
– ease maneuvers at low speed
– avoid quick changes of trajectories at high speed
Vehicle Management Under Faults
• Upon fault detection: All I/O ECUs stop sending messages
• This helps I/O units to be ready to receive appropriate commands from the Central ECU
• Central ECU prepares commands to put the system in a safe state according to the fault.

DbW Network Specifications
Specification parameters:
• communication reliability
• network load
• application load
• data update rate
Reliability requirement:
• A DbW system operates properly if:
– messages reach destination without error
– within a bounded time interval
• A wrong command could be executed with potentially dangerous consequences if:
– message is missing or late
– data is corrupted
– transmission channel breaks
• A missing message is handled by the Central ECU
• Corrupted data is not recognized by the Central ECU; it is handled by the protocol via CRCs.
• Two channels are needed

DbW Message Specifications
• speed command
• speed reference
• actual speed and status (current, temperature) of the traction drives
• steering angle command
• steering angle reference
• actual steering angle and status (curr, temp) of the steering drives
• force feedback reference
An additional message is used to convey the data coming from the CAN network through the gateway

DbW Message Definitions
Msg   Size (bits)   ECU                   Functional Description
M1    32            Hand wheel (HW)       Steering angle command
M2    32            Pedal (P)             Acceleration command
M3    64            Central (C)           Acceleration Reference (32 bits), Steering angle Ref. (32 bits)
M4    56            Traction 1 (T1)       Speed and status
M5    56            Traction 2 (T2)       Speed and status
M6    56            Steering 1 (S1)       Speed and status
M7    56            Steering 2 (S2)       Speed and status
M8    32            Force reaction (FR)   Force feedback
M9    64            Central (C)           Gateway message

DbW Network Layout
[Figure: network layout. Nodes: C, C (Control), HW (Hand Wheel), P (Acceleration Pedal), S1 (Steering 1), S2 (Steering 2), FR (Force Reaction), T1 (Traction 1), T2 (Traction 2). Buses: CAN bus 1, CAN bus 2]

FlexCAN Global Message Schedule
[Figure: global message schedule over one Basic Cycle with sub-cycles R1, R2, R3, R4; HW_Position repeated along the cycle. Network nodes: HW, P, S1, S2, T1, T2, FR, C(P), C(S); Bus Guardians. Labels: Angle, speed commands; Traction speed and status; Steering speed, status and force fdk; Angle, speed references, Gateway. Message groups: m1, m2; m6, m7, m8; m4, m5; m3, m9]

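Added example (not part of the original slides): bit stuffing, the first jitter source listed earlier, lengthens a frame by a data-dependent number of bits, so the bus time of each scheduled message group varies even without event traffic. The C code below counts stuff bits for a bit pattern and bounds the bus time of each message group in the schedule above. It assumes standard data frames with 11-bit identifiers and that the groups map to R1..R4 in the order the slide lists them; all function names are illustrative.

```c
#include <stdio.h>

/* Stuff bits a CAN transmitter adds to n bits (one bit per array element):
 * after five equal consecutive bits it inserts the complementary bit. */
size_t can_stuff_count(const unsigned char *bits, size_t n)
{
    size_t stuffed = 0, run = 0;
    int last = -1;
    for (size_t i = 0; i < n; i++) {
        int b = bits[i] & 1;
        run = (b == last) ? run + 1 : 1;
        last = b;
        if (run == 5) { stuffed++; last = !b; run = 1; } /* stuff bit opens the next run */
    }
    return stuffed;
}

/* Assumption: standard data frames (11-bit identifier), n payload bytes.
 * 44 + 8n frame bits plus 3 bits of interframe space; only the first
 * 34 + 8n bits are stuffed, so at most floor((34 + 8n - 1) / 4) are added. */
unsigned frame_bits_min(unsigned n) { return 47 + 8 * n; }
unsigned stuff_bits_max(unsigned n) { return (34 + 8 * n - 1) / 4; }

/* Payload bytes of M1..M9 (message definitions slide) and the message groups
 * of the schedule slide, assumed to be R1..R4 in listed order; 0 ends a row. */
static const unsigned msg_bytes[9] = { 4, 4, 8, 7, 7, 7, 7, 4, 8 };
static const int sched[4][4] = { {1, 2}, {6, 7, 8}, {4, 5}, {3, 9} };

/* Bus bit times used by sub-cycle r (0..3); worst != 0 adds maximal stuffing. */
unsigned subcycle_bits(int r, int worst)
{
    unsigned total = 0;
    for (int i = 0; sched[r][i] != 0; i++) {
        unsigned n = msg_bytes[sched[r][i] - 1];
        total += frame_bits_min(n) + (worst ? stuff_bits_max(n) : 0);
    }
    return total;
}

int main(void)
{
    /* Constructed worst-case pattern: every four further bits cost a stuff bit. */
    unsigned char worst[13] = { 0,0,0,0,0, 1,1,1,1, 0,0,0,0 };
    printf("13 bits -> %zu stuff bits\n", can_stuff_count(worst, 13));
    for (int r = 0; r < 4; r++)
        printf("R%d: %u to %u bit times\n", r + 1, subcycle_bits(r, 0), subcycle_bits(r, 1));
    return 0;
}
```

At CAN's maximum rate of 1 Mbps one bit time is 1 µs, so the spread between the two figures printed for a sub-cycle is the stuffing-induced variation in microseconds at that rate.
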
Experiments
EXPERIMENT 1: Only periodic traffic
EXPERIMENT 2: Mixed traffic
• Size of event traffic: 8 Bytes
• Priority of event traffic: Lower than any periodic message
• Event traffic: Uniform distribution [2,11] ms inter-arrival time
EXPERIMENT 3: Mixed traffic
• Same as that of experiment 2 except:
• Priority of event traffic: Higher than any periodic message

Summary of Experiments
Exp.   Traffic    Jitter (m6)   Peak Load   Event msg ID
1      Periodic   157 µs        11.55 %     ------
2      Mixed      148 µs        15.40 %     0x680
3      Mixed      187 µs        15.36 %     0x010

Conclusions
Sources of jitter in CAN:
• bit stuffing
• task schedulers
• interference from other messages
Simple FlexCAN message scheduling helps reduce jitter and make CAN more predictable
Message schedule of a safety-critical DbW application has been implemented and experiments were conducted to measure jitter
Jitter can be controlled in a system based on the FlexCAN architecture