psi5: safety & latest developments - vector · pdf filevector congress 2016 | juan pontes...

Vector Congress 2016

PSI5: Safety & latest developments

Juan Pontes, Robert Bosch GmbH | 29.11.2016

Vector Congress 2016 | Juan Pontes 29.11.2016

Vehicle as networking platform

Networking between different vehicles

Networking between different systems in the vehicle

Networking between vehicle and infrastructure


Automotive digital

Analog

Digital

UART/USART RS-485 RS-232

Peripheral device interfaces

LIN

PSI5 DSI3

Main bus interfaces

CAN

Flexray 100Base-T1

Voltage Current

On-board (ECU) sensor Interfaces

USB I2C SPI

PWM SENT

Overview of wired interfaces

Networking between different systems in the vehicle


Overview of automotive wired digital interfaces

SENT 3-wire

Implementation costs

Dat

a ra

tes

[bit/

s]

10k

10M

1M

100k

Sensors & Embedded Control

CAN low 3/4-wire

FlexRay wire/optical

CAN FD CAN high

3/4-wire

100M

LIN 3-wire

1G

DSI3 2-wire PSI5

2-wire

SPI 6-wire

I2C 4-wire


Evolution of PSI5 Standard

Autoliv Bosch Continental

Siemens VDO

PAS3 / PAS4 only asynchron Peer 2Peer

PEGASUS synchron, Bus capability

PSI5 V1.3 June2008 open Standard

PSI5 V2.0 June 2011

Focus extended on Powertrain and Chassis

Focus on Airbag Systems

V2.1 October 2012

PSI5 V1.2 June 2007 open Standard

V2.2 August 2016


PSI5 Governing body


PSI5 specification structure

+

Base standard

Application specific substandard - Airbag - Chassis and Safety - Powertrain

Latest release v2.2 (August 2016)


Basic functionality

Sensor Data communication with Manchester-Coding - high Data Rate with 125kbit/s

(commercial options: 83kbit/s, 189kbit/s)

- flexible Payload Range (10 … 28bit) with Parity or 3bit CRC

› Different bus topologies possible

› asynchron Peer2Peer transmission

› synchronized Master-Slave Bus communication

› Parallelbus

› Daisy-Chain


Basic implementation

Physical layer Simple & safe circuitry Twisted pair cable Specified I/F networks for maximum flexibility and compatibility


PSI5 interface requirements

Safety - Reduced emmision - Signal robustness

- Error handling

Availability - Allows reuse/adaptation of existing developments for/in

automotive - Keeps being mantained

Functionality - Flexible system fulfilling different

needs and applications - Scalable and extendable (for

different data rates)

Robustness - Stable networking,

fast start- up - Data availability

Costs - Cost efficient components

- Cable and Harness - Low weight, little required

space, low power


PSI5 physical layer scope for safety & robustness

proposed scope of PSI5 safety consideration within PSI5 consortium

shiftregister

Control and timing

supply

“sensor”(see of gates,

mechanic, analog, …)

Receiver SensoruC

receiver logic

“receiver”(external interfacesupply,control

logic, …)

sensor supply

sync generation

depends partly on specific implementation

depends partly on specific implementation

PSI5 data

PSI5 GND

Cable

• Simple robust circuit • Twisted pair cable (recommendation) • Large SNR (determines „raw failure rate“)

Measures for data reliability


PSI5 data link layer scope for safety & robustness

‘1’ ‘1’ ‘0’‘0’‘0’‘0’ ‘1’ ‘1’ ‘0’‘0’‘0’‘0’

NRZ

Manchester

1st half bit

2nd half bit evaluation by receiver

0 0 detected failure 0 1 data bit = '0' 1 0 data bit = '1' 1 1 detected failure

Simple receiver / Manchester decoder with over-sampling factor 2

Redundant Transmission

Non Return to Zero

• Manchester encoded signal (corresponds to full redundant data transmission)

• pre-defined start bit pattern • failure detection by parity

check / CRC check (cyclic redundancy check code)

• gap bit (defined period of no transmission)

Measures for data reliability


PSI5 safety concept

half bit errors

Signal distortion

PSI5

inte

rfac

e sp

ecifi

catio

n phys

ical

da

ta li

nk

appl

icat

ion

Manchester Encoding

start bits, frame gap, parity/crc

current modulation, deterministic timing

error frames, initialization sequence

signal plausibility, redundant sensors, oversampling

residual system failure

random and systematic faults

bit errors

frame errors

system errors

PRES residual frame error probability

PE error Probability of Halfbits

PRES, Sys Residual system error probability

Error probability


Aspects of functional safety in system context

Final judgement on „safety goals“ can only be done on system level:

• residual failures regarding the LSBs might not be significant • Are there plausibility checks with other sensor signals? • How many subsequent data words cause a system failure? • Have filtering methods been implemented to supress „wrong data“? • Is oversampling being used?

further improvement of data reliability on system level

PRES: Residual error probability for one undetected corrupted data word System goal? What is critical on system level?


ISO26262 Fault Model and Failure Modes

Source: ISO26262, BL18 FDIS

fault

systematic fault

random fault

random environmental

fault

random hardware

fault

A systematic fault is a fault “whose failure is manifested in a deterministic way… … that can only be prevented by applying process or design measures” design and safety measures of PSI5 interface

A random fault

“can occur unpredictably during the lifetime of a hardware element and … … follows a probability distribution” Implementation specific consideration necessary


Systematic Failures within PSI5 Interface

Manchester decoding

deterministic data*

electric faults

mechanic faults

design faults

resistive (incl. short/ open), inductive and capacitive errors

wrong voltage and/or current levels

wrong timing for single bits, frames or sync periods

Systematic failures can be safely detected by means of PSI5 specification on system level

dete

ctio

n

operation faults

parity/CRC, start/stop-bits

*) Within the design of a PSI5 interconnection, it is predefined which data must be available (deterministic), missing data should be handled on system level.


Random (Env.) Failures within PSI5 Interface

0 10 0 1

S1 S0 PDnD0

0 10 0 1

S1 S0 PDnD0

0 10 0 1

S1 S0 PDnD0

0 10 0 1

S1 S0 PDnD0

nois

eof

fset

continious

0 10 0 1

S1 S0 PDnD0

0 10 0 1

S1 S0 PDnD0

sino

sida

lburst

• Error models to evaluate PSI5 robustness have been investigated • PSI5 capable withstanding all different error types.


Residual error rate with gaussian noise

Residual error probability <10-14 for SNR >14dB Comparable results for 10bit parity and 20bit CRC frames for SNR > 8dB

2 4 6 8 10 12 14 1610-16

10-14

10-12

10-10

10-8

10-6

10-4

10-2

PE

Manch (10 bit) 10 bit P 20 bit CRCbit

erro

r pro

babil

ity

SNR [dB]

=

⋅=

2221 SNRQuerfcPE


Safety overview

PSI5 interface provides means for systematic error detection and avoidance

The PSI5 interface shows very high data reliability

residual error probability <10-14 for SNR >14dB

system design defines raw bit error rate PE

parity check sufficient for small data words, CRC recommended for large data

frames

10bit parity and 20bit CRC frames have comparable PRES for SNR > 8dB

Presented methods and argumentations support conformity considerations

regarding ISO26262 for systems rated up to ASIL D.


Influence of disturbances on PSI5 signal

“Resonant Worst Case"

Long wires = High inductance Current modulation leads to

current oscillations & overshoots

"Capacitive Worst Case" High capacitive bus load Limitation of slope steepness

• For standard signal levels (∆IS=22…30mA) typical noise distortions (Gaussian type, as considered) are uncritical

• Margin can be used to compensate implementation dependent effects:


Critical implementation parameters

Digital Decoder

Sampling Comparator


Critical implementation parameters

Rise / Fall Times

Undershoot

Current Amplitude

Data Transmission Parameters: Sending current amplitude Data rate / bit length Slope steepness (20% - 80% rise- & fall-times) Undershoot current

Hardware Parameters: Sensor(s) capacitive load & resistance ECU capacitive load & resistance Cable inductance & resistance

IUnder- shoot


PSI5 – 2 nodes – 1.94m / 2.64m

ECU

S1 S2

1.94m 2.64m

189kbps

Nominal case: • rise time: 557 ns • over- & undershoot: 0%

Capacitive worst case: • rise time: 1144 ns

Resonant worst case: • overshoot: 3.6% • undershoot: -3.6% • rise time: 373 ns

Robust system operation expected


PSI5 – 2 nodes – 4.08m / 1.30m

ECU

S1 S2

4.08m 1.3m

189kbps

Nominal case: • rise time: 533 ns • over- & undershoot: 0%





PSI5 – 3 nodes – 3.22m / 2.74m / 2.04m

Nominal case: • rise time: 533 ns • overshoot: 1.3% • undershoot: -3.35%




ECU

S1 S2 S3

3.22m 2.74m 2.04m

189kbps


PSI5 – 4 nodes – 2.25m / 3.65m / 3.60m / 5.54m

ECU

S1 S2 S4 S3

2.25m 3.65m 3.60m 5.54m

189kbps

Nominal case: • rise time: 520 ns • overshoot: 11.2% • undershoot: -1.8%





PSI5 outlook

Safety - Reduced emmision - Signal robustness

- Error handling





different data rates)

Robustness - Stable networking,

fast start- up - Data availability

Costs - Cost efficient components

- Cable and Harness - Low weight, little required

space, low power


SENT 3-wire

Implementation costs

Dat

a ra

tes

[bit/

s]

10k

10M

1M

100k CAN low

3/4-wire

FlexRay wire/optical

CAN FD CAN high

3/4-wire

100M

LIN 3-wire

1G

DSI3 2-wire PSI5

2-wire

SPI 6-wire

I2C 4-wire

PSI5 outlook





different data rates) Costs

- Cost efficient components - Cable and Harness

- Low weight, little required space, low power

psi5: safety & latest developments - vector · pdf filevector congress 2016 | juan pontes...

Documents