Defining network timing
The first step in modeling vehicle network timing is to have an accurate definition of the connections between the ECUs. AUTOSAR defines software methods allowing all vehicle functions to be defined as a collection of software components and mapped to physical ECU hardware.
There could be several functions in a single ECU, with internal signals passing between them. Once connectivity is defined, timing parameters for each object in the design can be defined, where known. Timing information can come from a range of external sources; one automotive standard widely used is FIBEX, an XML-based standardized file format defined by the ASAM consortium.
The physical paths in an example system are shown in Figures 1 and 2. A brake position monitor module connects to a controller ECU, which in turn connects to an actuator. Inside each module, individual software components also contribute their own delays. We will look at the contribution of each of these components to the overall system delay.
Figure 1: Brake system signal path overview.
Figure 2: Brake system with AUTOSAR components; detailed timing parameters may be defined.
Table 2: Transmission steps for AUTOSAR brake example
In the example provided in Table 2, the maximum allowable end-to-end signal path delay is known to be 100 ms. We know from actual measurements that the Publisher takes 5 ms and the Subscriber 10 ms, leaving a maximum allowable Communication Path delay of 85 ms.
Using an advanced AUTOSAR component editor, such as the Mentor Graphics VSA COM Designer tool, the timing information can be entered for every component in the path, but this can be a laborious process. An alternative is to import timing and connection information from an external database.
When it comes to modeling the CAN bus data path, it is necessary to take account of the uncertainty in start-of-transmission. There may be a higher-priority message occupying the data bus, causing a transmission delay.
A jitter factor is therefore specified to allow for this variability. It is normally known in advance how many higher-priority signals could be on the bus, so the maximum jitter can be predicted. Using these parameters and applying the automated design rule check, the worst-case delay path for steps (3) to (7) comes out at 74.5 ms, so the design check passes. As this is a “worst-case” test, the designer has confidence that the path delay will never be any worse than this and will normally be a lot better.
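The worst-case CAN delay described above can be bounded with the standard fixed-priority response-time recurrence for CAN (a sufficient, pessimistic bound). This is an added example, not code from the article or from the VSA COM tool; the message set, bit rate, and function names are constructed for illustration, and comparing the bus delay alone against the 85 ms communication-path budget is a simplification.

```python
from typing import NamedTuple, Optional

class Msg(NamedTuple):
    can_id: int      # lower ID wins arbitration (higher priority)
    dlc: int         # payload bytes, 0..8
    period_us: int   # T: minimum time between queuings
    jitter_us: int   # J: worst-case queuing jitter

def frame_time_us(dlc: int, bit_us: int) -> int:
    # 11-bit-ID data frame with worst-case bit stuffing: (55 + 10*dlc) bit times
    return (55 + 10 * dlc) * bit_us

def worst_case_response_us(m: Msg, bus: list, bit_us: int,
                           limit_us: int) -> Optional[int]:
    """Upper bound on queuing-to-delivery delay of m; None if above limit_us."""
    c_m = frame_time_us(m.dlc, bit_us)
    higher = [k for k in bus if k.can_id < m.can_id]
    lower = [k for k in bus if k.can_id > m.can_id]
    # Blocking: a lower-priority frame already on the bus cannot be preempted.
    # Including c_m keeps the bound safe when an earlier instance of m is in the way.
    blocking = max([frame_time_us(k.dlc, bit_us) for k in lower] + [c_m])
    w = blocking
    while True:
        # Interference: every higher-priority frame that can be queued within w.
        nxt = blocking + sum(
            -(-(w + k.jitter_us + bit_us) // k.period_us) * frame_time_us(k.dlc, bit_us)
            for k in higher)
        response = m.jitter_us + nxt + c_m
        if response > limit_us:
            return None          # budget violated (or recurrence diverging)
        if nxt == w:
            return response      # fixed point reached
        w = nxt

# Constructed sample bus at 125 kbit/s (8 us per bit); 0x300 stands in for the brake signal.
BIT_US = 8
BUS = [Msg(0x100, 8, 10_000, 1_000), Msg(0x200, 8, 20_000, 2_000),
       Msg(0x300, 4, 50_000, 5_000), Msg(0x400, 8, 100_000, 0)]
BUDGET_US = 85_000  # communication-path budget from the brake example

def check(bus, bit_us, budget_us):
    """Design-rule check: worst-case delay per CAN ID, None marks a violation."""
    return {hex(m.can_id): worst_case_response_us(m, bus, bit_us, budget_us)
            for m in bus}

if __name__ == "__main__":
    for can_id, r in check(BUS, BIT_US, BUDGET_US).items():
        print(can_id, "VIOLATION" if r is None else f"{r / 1000:.2f} ms")
```
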
Figure 3: Typical timing report from VSA COM timing analysis tool, showing DRC violations.
Figure 3 shows a typical timing report, where signal path violations are highlighted in red. The overall bus utilization figure is shown at the top of the table (3.69%).
Timing path prediction for signals that pass through vehicle Gateways can also be modeled. If the signals are routed automatically through the Gateways, they need to take the shortest available path, and the timing path analysis algorithm will need to have information on all the ECU publishers and subscribers in the signal path. Some Gateways may be for diagnostics only, and signals passing through may take a lower priority.
Automotive communication matrix synthesis
An overall definition of the vehicle network timing arrangements is normally stored in a “Communication Matrix” as part of one of the central Gateway ECUs. Synthesizing this database automatically and packing all the different messages into frames in the correct order is an area in which Mentor Graphics has developed design tool solutions.
AUTOSAR signal messages are assembled into Protocol Data Units (PDUs), and these data units are then assembled into a transmission frame. For CAN and LIN frames, there is one PDU per frame, but multiple signal PDUs can be assembled into a FlexRay frame.
In a FlexRay architecture, the timing is deterministic, and the main variable for the designer is the frame packing and transmission order.
Automotive OEMs and designers invest a lot of time to test all scenarios in the vehicle to determine worst-case behavior and ensure that there is a wide safety margin on message transmission. This means that often the full capacity of the data bus is not used in order to ensure a high timing safety margin.
The synthesis tool looks for signals that have similar paths and timing requirements for packing and scheduling at similar frame time slots, in order to optimize frame utilization. When using the Mentor Graphics timing synthesis tool, design inputs will include the signals and PDU definitions, frame priorities, and specific OEM design decisions on allowable signal paths. These are all taken into account when generating the full timing matrix.
One challenge with installing a fully defined communication matrix is that later architecture changes are harder to achieve and may involve a complete network redesign, but the benefits of high-speed and deterministic transmission make this approach particularly appealing for FlexRay applications on safety-critical vehicle functions. Re-creating an updated communication matrix with the synthesis tool can shorten this revision cycle.
AUTOSAR provides a pre-defined standard approach for vehicle network and ECU design. But problems remain for the designer on how to implement time-efficient and performance-secure designs.
By using design automation aids for timing calculation and generating the vehicle communication matrix, great improvements can be made in the use of precious network bandwidth while maintaining vehicle performance safety margins.
As complexity increases with mixed CAN, FlexRay, and Ethernet networks, the use of automated design rule checks and timing performance synthesis tools will help reduce design time and avoid laborious manual validation processes.
— Andrew Patterson is business development director for the Mentor Graphics Embedded Software Division, focused on the automotive market. Currently, he is working on embedded software strategy at Mentor, working with Linux, AUTOSAR, and other domains operating on a wide range of host silicon platforms.