Vector Congress 2016
PSI5: Safety & latest developments
Juan Pontes, Robert Bosch GmbH | 29.11.2016
Vector Congress 2016 | Juan Pontes 29.11.2016 Page 2
Vehicle as networking platform
• Networking between different vehicles
• Networking between different systems in the vehicle
• Networking between vehicle and infrastructure

Automotive digital: overview of wired interfaces
Networking between different systems in the vehicle

[Figure: automotive wired interfaces grouped by type; recoverable labels only]
• Analog: voltage, current
• Digital, on-board (ECU) sensor interfaces: USB, I2C, SPI, PWM, SENT
• Digital, peripheral device interfaces: LIN, PSI5, DSI3
• Digital, main bus interfaces: CAN, FlexRay, 100Base-T1
• Also listed: UART/USART, RS-485, RS-232

Overview of automotive wired digital interfaces

[Figure: data rate (bit/s, axis from 10k to 1G) versus implementation cost. Interfaces plotted with their wire count: SENT (3-wire), LIN (3-wire), PSI5 (2-wire), DSI3 (2-wire), I2C (4-wire), SPI (6-wire), CAN low (3/4-wire), CAN high / CAN FD (3/4-wire), FlexRay (wire/optical). A region of the chart is labelled "Sensors & Embedded Control".]

Evolution of PSI5 Standard

Contributing companies shown: Autoliv, Bosch, Continental, Siemens VDO.
• PAS3 / PAS4: asynchronous, peer-to-peer only
• PEGASUS: synchronous, bus capability
• PSI5 V1.2, June 2007: open standard
• PSI5 V1.3, June 2008: open standard
• Focus on airbag systems
• PSI5 V2.0, June 2011: focus extended to powertrain and chassis
• V2.1, October 2012
• V2.2, August 2016
PSI5 Governing body

PSI5 specification structure
Base standard + application specific substandard (Airbag; Chassis and Safety; Powertrain)
Latest release v2.2 (August 2016)

Basic functionality
• Sensor data communication with Manchester coding; high data rate of 125 kbit/s (commercial options: 83 kbit/s, 189 kbit/s)
• Flexible payload range (10 … 28 bit) with parity or 3-bit CRC
• Different bus topologies possible:
  › asynchronous peer-to-peer transmission
  › synchronized master-slave bus communication
  › parallel bus
  › daisy chain

Basic implementation
Physical layer: simple & safe circuitry; twisted pair cable; specified I/F networks for maximum flexibility and compatibility

PSI5 interface requirements
• Safety: reduced emission; signal robustness; error handling
• Availability: allows reuse/adaptation of existing developments for/in automotive; keeps being maintained
• Functionality: flexible system fulfilling different needs and applications; scalable and extendable (for different data rates)
• Robustness: stable networking, fast start-up; data availability
• Costs: cost-efficient components; cable and harness; low weight, little required space, low power

PSI5 physical layer scope for safety & robustness

[Figure: proposed scope of PSI5 safety consideration within the PSI5 consortium. Sensor side: "sensor" (sea of gates, mechanics, analog, …), shift register, control and timing, supply. Cable: PSI5 data, PSI5 GND. Receiver side: sensor supply, sync generation, receiver logic, receiver µC, "receiver" (external interface, supply, control logic, …). Parts of both sides depend partly on the specific implementation.]

Measures for data reliability:
• Simple robust circuit
• Twisted pair cable (recommendation)
• Large SNR (determines the "raw failure rate")

PSI5 data link layer scope for safety & robustness

[Figure: the bit sequence 1 1 0 0 0 0 1 1 0 0 0 0 shown as NRZ (non return to zero) and as Manchester code, i.e. redundant transmission of every bit as two half bits.]

Evaluation of the two half bits by a simple receiver / Manchester decoder with over-sampling factor 2:
  1st half bit   2nd half bit   result
  0              0              detected failure
  0              1              data bit = '0'
  1              0              data bit = '1'
  1              1              detected failure

Measures for data reliability:
• Manchester encoded signal (corresponds to fully redundant data transmission)
• Pre-defined start bit pattern
• Failure detection by parity check / CRC check (cyclic redundancy check code)
• Gap bit (defined period of no transmission)
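The framing of slide 8 (start bits, 10 … 28 bit payload, parity or 3-bit CRC) and the half-bit receiver table of this slide, put together as an added example. This is not code from the PSI5 specification or from the speaker's company; the start-bit pattern, even parity and the CRC-3 parameters (generator x^3 + x + 1, seed 111) are assumptions marked in the code. It shows why a single disturbed half bit is always a detected failure, why a fully inverted bit is caught only by the check field, and the residual case a parity bit cannot see.

```python
"""Manchester framing and half-bit decoding for a PSI5-style sensor word.

Added example (not code from the PSI5 specification or from Bosch/Vector).
Assumptions, marked below: the start-bit pattern, even parity, and the
CRC-3 parameters (generator x^3 + x + 1, initial register 111)."""
from typing import Dict, List, Optional, Tuple

START_BITS: List[int] = [1, 1]      # ASSUMPTION: start pattern S1 S0 of the frame

# Half-bit pair (1st half, 2nd half) -> data bit, exactly the receiver table on the slide;
# the pairs (0, 0) and (1, 1) are absent on purpose: they are detected failures.
HALFBIT_TABLE: Dict[Tuple[int, int], int] = {(0, 1): 0, (1, 0): 1}


def parity_bit(bits: List[int]) -> List[int]:
    """One parity bit over the data bits (even parity is an ASSUMPTION)."""
    return [sum(bits) % 2]


def crc3(bits: List[int], poly: int = 0b1011, init: int = 0b111) -> List[int]:
    """3-bit CRC, direct (non-augmented) bitwise algorithm, MSB first.
    ASSUMPTION: generator x^3 + x + 1 and seed 111; verify against the spec."""
    reg = init
    for b in bits:
        feedback = ((reg >> 2) & 1) ^ b
        reg = (reg << 1) & 0b111
        if feedback:
            reg ^= poly & 0b111
    return [(reg >> 2) & 1, (reg >> 1) & 1, reg & 1]


def manchester_encode(bits: List[int]) -> List[int]:
    """Every bit is sent twice: '1' -> half bits 1,0 and '0' -> half bits 0,1."""
    halves: List[int] = []
    for b in bits:
        halves.extend((1, 0) if b else (0, 1))
    return halves


def build_frame(data: List[int], check: str = "parity") -> List[int]:
    """Start bits + payload + check field, Manchester encoded into half bits."""
    check_fn = parity_bit if check == "parity" else crc3
    return manchester_encode(START_BITS + data + check_fn(data))


def manchester_decode(halves: List[int]) -> Tuple[List[int], Optional[int]]:
    """Receiver with over-sampling factor 2: evaluate each half-bit pair.
    Returns (bits decoded so far, index of the first failing bit or None)."""
    if len(halves) % 2:
        return [], len(halves) // 2          # odd half-bit count: truncated frame
    bits: List[int] = []
    for i in range(0, len(halves), 2):
        pair = (halves[i], halves[i + 1])
        if pair not in HALFBIT_TABLE:
            return bits, i // 2
        bits.append(HALFBIT_TABLE[pair])
    return bits, None


def decode_frame(halves: List[int], n_data: int,
                 check: str = "parity") -> Tuple[str, Optional[List[int]]]:
    """Status is one of 'ok', 'halfbit-error', 'start-error', 'check-error'."""
    bits, failed_at = manchester_decode(halves)
    if failed_at is not None:
        return "halfbit-error", None
    ns = len(START_BITS)
    if bits[:ns] != START_BITS:
        return "start-error", None
    data = bits[ns:ns + n_data]
    check_fn = parity_bit if check == "parity" else crc3
    if len(data) != n_data or bits[ns + n_data:] != check_fn(data):
        return "check-error", None
    return "ok", data


def flip(halves: List[int], *indices: int) -> List[int]:
    """Return a copy with the given half bits inverted (disturbance model for the demo)."""
    out = list(halves)
    for i in indices:
        out[i] ^= 1
    return out


if __name__ == "__main__":
    word = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1]          # constructed 10-bit sensor value
    frame = build_frame(word)
    print(decode_frame(frame, 10))                  # ('ok', word)
    print(decode_frame(flip(frame, 4), 10))         # one half bit hit -> 'halfbit-error'
    print(decode_frame(flip(frame, 4, 5), 10))      # whole bit inverted -> 'check-error'
    print(decode_frame(flip(frame, 4, 5, 6, 7), 10))  # two bits inverted -> 'ok', wrong data
    print(decode_frame(flip(build_frame(word, "crc"), 4, 5, 6, 7), 10, "crc"))  # 'check-error'
```

The last two calls are the point of the slide's "parity sufficient for small words, CRC recommended for large frames" advice: with independent half-bit hits, an undetected word needs both half bits of each affected bit inverted and an even number of such bits, which is what the residual error probability on the later slides counts.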

PSI5 safety concept

[Figure: error propagation chain against the layers of the PSI5 interface specification.]
Error chain: signal distortion → half bit errors → bit errors → frame errors → system errors; random and systematic faults → residual system failure.
Layers of the PSI5 interface specification and their measures:
• Physical: current modulation, deterministic timing
• Data link: Manchester encoding; start bits, frame gap, parity/CRC
• Application: error frames, initialization sequence; signal plausibility, redundant sensors, oversampling
Error probabilities:
• P_E: error probability of half bits
• P_RES: residual frame error probability
• P_RES,Sys: residual system error probability

Aspects of functional safety in system context

Final judgement on "safety goals" can only be done on system level:
• Residual failures regarding the LSBs might not be significant
• Are there plausibility checks with other sensor signals?
• How many subsequent data words cause a system failure?
• Have filtering methods been implemented to suppress "wrong data"?
• Is oversampling being used?
These measures further improve data reliability on system level.
P_RES: residual error probability for one undetected corrupted data word. System goal? What is critical on system level?

ISO 26262 Fault Model and Failure Modes
Source: ISO 26262, BL18 FDIS

[Figure: fault → systematic fault | random fault; random fault → random environmental fault | random hardware fault]

A systematic fault is a fault "whose failure is manifested in a deterministic way … that can only be prevented by applying process or design measures" → addressed by the design and safety measures of the PSI5 interface.
A random fault "can occur unpredictably during the lifetime of a hardware element and … follows a probability distribution" → implementation specific consideration necessary.

Systematic Failures within PSI5 Interface

[Figure: systematic fault classes and their detection by Manchester decoding of deterministic data*.]
Fault classes: electric faults, mechanic faults, design faults, operation faults.
Resulting failures: resistive (incl. short/open), inductive and capacitive errors; wrong voltage and/or current levels; wrong timing for single bits, frames or sync periods.
Detection: Manchester decoding of deterministic data*, parity/CRC, start/stop bits.
Systematic failures can be safely detected by means of the PSI5 specification on system level.
*) Within the design of a PSI5 interconnection, it is predefined which data must be available (deterministic); missing data should be handled on system level.

Random (Env.) Failures within PSI5 Interface

[Figure: PSI5 frames (start bits S1 S0, data bits Dn … D0, parity bit P) superimposed with different disturbance types: noise, offset, continuous and sinusoidal disturbance, burst.]
• Error models to evaluate PSI5 robustness have been investigated
• PSI5 is capable of withstanding all the different error types

Residual error rate with Gaussian noise

Residual error probability < 10^-14 for SNR > 14 dB. Comparable results for 10-bit parity and 20-bit CRC frames for SNR > 8 dB.

[Figure: bit error probability (logarithmic axis, 10^-16 … 10^-2) versus SNR (2 … 16 dB) for the curves P_E, Manchester (10 bit), 10 bit parity and 20 bit CRC.]

Half-bit error probability under Gaussian noise:
$P_E = Q(\sqrt{\mathrm{SNR}}) = \tfrac{1}{2}\,\mathrm{erfc}\!\left(\sqrt{\mathrm{SNR}/2}\right)$
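An added example (not from the talk) that carries the slide's error chain through numerically: P_E from the SNR, then the residual frame error probability P_RES for a Manchester-coded word with and without a parity bit, and P_RES,Sys for the "how many subsequent data words cause a system failure" question of slide 14. The P_E formula is the Gaussian decision-error relation Q(√SNR) = ½ erfc(√(SNR/2)); how SNR is normalised, the independence of half-bit errors and the independence of consecutive words are assumptions, stated in the code.

```python
"""Half-bit error probability versus SNR and the residual (undetected) frame error
probability of a Manchester-coded frame under Gaussian noise.

Added example, not from the talk. P_E = Q(sqrt(SNR)) = 1/2 erfc(sqrt(SNR/2)) is the
Gaussian decision-error relation; how SNR is normalised (signal level over noise
sigma, squared) is an ASSUMPTION. The residual-error model is an ASSUMPTION too:
independent half-bit errors and the slide-12 receiver table, i.e. a bit is silently
inverted only when both of its half bits are hit; any other pattern is a detected
failure that rejects the frame."""
import math
from typing import List, Tuple


def halfbit_error_probability(snr_db: float) -> float:
    """P_E for one half bit; SNR given in dB."""
    snr = 10 ** (snr_db / 10)
    return 0.5 * math.erfc(math.sqrt(snr / 2))      # Q(sqrt(SNR))


def residual_frame_error(p_e: float, n_bits: int, parity: bool) -> float:
    """P_RES: the frame is accepted although its data is wrong.
    n_bits = bits covered by the check (the parity bit itself included)."""
    p_inverted = p_e ** 2            # both half bits hit: 01 <-> 10 still looks valid
    p_clean = (1.0 - p_e) ** 2       # neither half bit hit
    # exactly one half bit hit gives 00 or 11, which the decoder flags; excluded here
    p_res = 0.0
    for k in range(1, n_bits + 1):
        if parity and k % 2 == 1:    # an odd number of inversions is caught by parity
            continue
        p_res += math.comb(n_bits, k) * p_inverted ** k * p_clean ** (n_bits - k)
    return p_res


def residual_system_error(p_res: float, words_needed: int) -> float:
    """P_RES,Sys when `words_needed` consecutive corrupted words are required for a
    system failure (ASSUMPTION: words are corrupted independently)."""
    return p_res ** words_needed


def sweep(snr_db_values: List[float], n_data: int = 10) -> List[Tuple[float, float, float, float]]:
    """Rows of (SNR dB, P_E, P_RES Manchester only, P_RES Manchester + parity bit)."""
    rows = []
    for snr_db in snr_db_values:
        p_e = halfbit_error_probability(snr_db)
        rows.append((snr_db, p_e,
                     residual_frame_error(p_e, n_data, parity=False),
                     residual_frame_error(p_e, n_data + 1, parity=True)))
    return rows


if __name__ == "__main__":
    for snr_db, p_e, manch, par in sweep([2, 4, 6, 8, 10, 12, 14, 16]):
        print(f"{snr_db:5.1f} dB  P_E={p_e:9.2e}  P_RES(Manch 10 bit)={manch:9.2e}  "
              f"P_RES(10 bit + parity)={par:9.2e}")
```

The sweep reproduces the shape of the slide's plot: P_E falls from about 10^-1 at 2 dB to about 10^-10 at 16 dB, the Manchester-only curve follows roughly 10·P_E², and the parity curve sits orders of magnitude lower because two silently inverted bits are needed. Whether the last step, raising P_RES to the power of the number of consecutive bad words, is admissible depends on the system-level filtering and plausibility checks that slide 14 asks about.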

Safety overview
• The PSI5 interface provides means for systematic error detection and avoidance
• The PSI5 interface shows very high data reliability:
  › residual error probability < 10^-14 for SNR > 14 dB
  › the system design defines the raw bit error rate P_E
  › parity check sufficient for small data words, CRC recommended for large data frames
  › 10-bit parity and 20-bit CRC frames have comparable P_RES for SNR > 8 dB
• The presented methods and arguments support conformity considerations regarding ISO 26262 for systems rated up to ASIL D

Influence of disturbances on PSI5 signal
• "Resonant worst case": long wires = high inductance; current modulation leads to current oscillations & overshoots
• "Capacitive worst case": high capacitive bus load; limitation of slope steepness
• For standard signal levels (ΔI_S = 22 … 30 mA) typical noise distortions (Gaussian type, as considered) are uncritical
• Margin can be used to compensate implementation dependent effects:

Critical implementation parameters

[Figure: receiver chain of sampling comparator and digital decoder; current waveform annotated with rise / fall times, current amplitude and undershoot (I_undershoot).]
Data transmission parameters: sending current amplitude; data rate / bit length; slope steepness (20 % - 80 % rise & fall times); undershoot current
Hardware parameters: sensor(s) capacitive load & resistance; ECU capacitive load & resistance; cable inductance & resistance

PSI5 bus topologies (ECU with sensors S1 … S4, 189 kbps), wire lengths per segment:

Topology                                      | Nominal case                                          | Capacitive worst case | Resonant worst case
2 nodes, 1.94 m / 2.64 m                      | rise time 557 ns; over- & undershoot 0 %              | rise time 1144 ns     | overshoot 3.6 %; undershoot -3.6 %; rise time 373 ns
2 nodes, 4.08 m / 1.30 m                      | rise time 533 ns; over- & undershoot 0 %              | rise time 1144 ns     | overshoot 12.8 %; undershoot -6.6 %; rise time 361 ns
3 nodes, 3.22 m / 2.74 m / 2.04 m             | rise time 533 ns; overshoot 1.3 %; undershoot -3.35 % | rise time 1395 ns     | overshoot 24.6 %; undershoot -11.4 %; rise time 352 ns
4 nodes, 2.25 m / 3.65 m / 3.60 m / 5.54 m    | rise time 520 ns; overshoot 11.2 %; undershoot -1.8 % | rise time 1618 ns     | overshoot 43.3 %; undershoot -21.3 %; rise time 339 ns

Robust system operation expected in all four cases.
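The three figures reported for each topology above are the "critical implementation parameters" of slide 22: 20 %-80 % rise time, overshoot and undershoot of the current edge. The following added example (not from the talk) measures them from a sampled current trace, so a practitioner can produce the same numbers from an oscilloscope export. The waveform in the code is constructed (ideal ramp with one overshoot and one undershoot sample); the 26 mA amplitude lies in the 22 … 30 mA range of slide 20, and the sampling grid is an assumption.

```python
"""20 % - 80 % rise time, overshoot and undershoot of a sampled PSI5 current edge.

Added example, not from the talk. The 20 % - 80 % definition and the 22 ... 30 mA
signal level range are from the slides; the waveform below is CONSTRUCTED (ideal
linear ramp with one overshoot and one undershoot sample) and the 50 ns sampling
grid is an ASSUMPTION."""
from typing import Dict, List, Optional, Tuple


def crossing_time(t: List[float], y: List[float], level: float) -> Optional[float]:
    """First time y rises through `level`, linearly interpolated between samples."""
    for i in range(1, len(y)):
        if y[i - 1] < level <= y[i]:
            frac = (level - y[i - 1]) / (y[i] - y[i - 1])
            return t[i - 1] + frac * (t[i] - t[i - 1])
    return None


def rise_time_20_80(t: List[float], y: List[float], baseline: float, amplitude: float) -> Optional[float]:
    """Slope steepness as defined on the slide: time from 20 % to 80 % of the step."""
    t20 = crossing_time(t, y, baseline + 0.2 * amplitude)
    t80 = crossing_time(t, y, baseline + 0.8 * amplitude)
    if t20 is None or t80 is None:
        return None                      # edge never reached the level: no valid figure
    return t80 - t20


def overshoot_percent(y: List[float], baseline: float, amplitude: float) -> float:
    """Excess above the nominal high level, in percent of the modulation amplitude."""
    return (max(y) - (baseline + amplitude)) / amplitude * 100.0


def undershoot_percent(y: List[float], baseline: float, amplitude: float) -> float:
    """Dip below the baseline, in percent of the modulation amplitude (negative)."""
    return (min(y) - baseline) / amplitude * 100.0


def constructed_edge(amplitude_ma: float = 26.0, ramp_ns: float = 500.0, step_ns: float = 50.0,
                     over_ma: float = 1.3, under_ma: float = -1.3) -> Tuple[List[float], List[float]]:
    """CONSTRUCTED trace: baseline, linear rise, one overshoot sample, plateau,
    linear fall, one undershoot sample, baseline. Returns (t_ns, i_ma)."""
    t_rise_start = 200.0
    t_rise_end = t_rise_start + ramp_ns
    t_over = t_rise_end + step_ns
    t_fall_start = t_rise_end + 600.0
    t_fall_end = t_fall_start + ramp_ns
    t_under = t_fall_end + step_ns
    t_stop = t_under + 3 * step_ns
    t: List[float] = []
    y: List[float] = []
    now = 0.0
    while now <= t_stop:
        if now < t_rise_start:
            val = 0.0
        elif now <= t_rise_end:
            val = amplitude_ma * (now - t_rise_start) / ramp_ns
        elif now == t_over:
            val = amplitude_ma + over_ma
        elif now < t_fall_start:
            val = amplitude_ma
        elif now <= t_fall_end:
            val = amplitude_ma * (t_fall_end - now) / ramp_ns
        elif now == t_under:
            val = under_ma
        else:
            val = 0.0
        t.append(now)
        y.append(val)
        now += step_ns
    return t, y


def characterise(t: List[float], y: List[float], baseline: float = 0.0,
                 amplitude: float = 26.0) -> Dict[str, Optional[float]]:
    """The three per-topology figures of the slides, from one sampled edge."""
    return {
        "rise_time_ns": rise_time_20_80(t, y, baseline, amplitude),
        "overshoot_pct": overshoot_percent(y, baseline, amplitude),
        "undershoot_pct": undershoot_percent(y, baseline, amplitude),
    }


if __name__ == "__main__":
    t, y = constructed_edge()
    print(characterise(t, y))   # rise_time_ns 300.0, overshoot_pct 5.0, undershoot_pct -5.0
```

On a real capture the baseline and amplitude should be taken from the settled low and high levels of the trace rather than from nominal values, and a trace that never reaches the 80 % level (the capacitive worst case with a very slow slope) correctly yields no rise-time figure instead of a misleading one.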

PSI5 outlook
• Safety: reduced emission; signal robustness; error handling
• Availability: allows reuse/adaptation of existing developments for/in automotive; keeps being maintained
• Functionality: flexible system fulfilling different needs and applications; scalable and extendable (for different data rates)
• Robustness: stable networking, fast start-up; data availability
• Costs: cost-efficient components; cable and harness; low weight, little required space, low power

PSI5 outlook (continued)
[Slide repeats the data rate versus implementation cost chart of the interface overview (SENT, LIN, PSI5, DSI3, I2C, SPI, CAN low, CAN high / CAN FD, FlexRay) and highlights three of the requirements above:]
• Availability: allows reuse/adaptation of existing developments for/in automotive; keeps being maintained
• Functionality: flexible system fulfilling different needs and applications; scalable and extendable (for different data rates)
• Costs: cost-efficient components; cable and harness; low weight, little required space, low power