The Vehicle Power Line as a Redundant Channel for CAN Communication
Yair Maryanka, Ofer Amrani, Amir Rubin
Yamar Electronics Ltd.
Automotive safety applications require communication reliability whose level is much higher than currently achievable by using a Controller Area Network (CAN) whose nodes are interconnected via twisted pair cables. Using the automotive power line as a redundant communication channel for the CAN network, provides increased reliability without the additional weight, space and wiring required by a solution employing a second CAN network. This paper proposes an architecture according to which a redundant physical channel for the CAN network is obtained by using the existing battery power lines. The redundant communication activity is part of the Secure Propulsion using Advanced Redundant Control (SPARC) project, funded by the European commission and coordinated by DAIMLERCHRYSLER AG.
I. INTRODUCTION and Motivation
A. CAN redundancy in FP6 SPARC project.
The goal of the European sixth framework program (FP6) SPARC project is to substantially improve traffic safety and efficiency for vehicles carrying heavy goods by using intelligent x-by-wire technologies in the power-train. To provide this standardized concept, an automotive Software/Hardware platform is currently being developed. It is scalable and usable from heavy-goods vehicles down to small passenger cars and can be integrated therein . As part of the project, trailers will be autonomous units in the sense that they will house their own “intelligence and control mechanism”. This in turn calls for a reliable and a redundant link between the truck and its “intelligent” trailer.
The CAN protocol over twisted pair physical medium is widely used in automotive applications. Fault tolerant CAN transceivers allow network operation even if one of the twisted pair lines is not functioning. However, for safety applications, communication must be robust enough to withstand potential mechanical and electrical failures not usually tended by the CAN transceiver. These include: one-wire interruption, one-wire short-circuit either to power or ground, two-wire short-circuit, termination failure  and various noises.
B. DC Power line communications
Clearly, the wires distributing the DC power are critical for the vehicle’s operation. They are, therefore, highly robust (mechanically) and can provide a relatively fail-safe communication channel when properly used. Employing battery power lines for communications is a most challenging task. This is due to the time varying nature of the impedance, the attenuation as well as various channel noises. Moreover, these impairments are location dependent. Power line communications is achieved by employing a transceiver specially designed to work over the automotive DC power lines. The transceiver is discussed in Section III.
Communicating over the power line as a redundant channel for CAN messages, maintains the required system performance and transmission delays while increasing network reliability. The reliability level achieved by using the proposed redundant architecture is sufficient for safety applications.
From a CAN node point of view, transmitting a CAN message over a power-line, or over a CAN twisted pair, appears to be the same. In more “practical” terms, in both cases the message is simply written into the so-called transmit buffer of the CAN controller.
This paper describes how power line communication (PLC) can be employed for redundant CAN communication over the existing DC power lines. Transmitting CAN messages over the power line avoids complex cabling, thus reducing weight and greatly simplifying installation, while maintaining CAN user format. The PLC provides a redundant channel over DC cables at communication rates of up to 500Kbps.
II. Redundant CAN communication
As mentioned above, the fault tolerance mechanism of CAN networks does not provide reliable communication in various real-life situations such as: disconnected nodes, stuck at dominant or recessive nodes and simultaneous interruption of both wires in the network cabling . For safety applications normal operation is required at all times, therefore redundancy is required.
To achieve true redundant communication, a message has to be transmitted over independent channels. Thus, if a message fails to be correctly received via one of the channels due to mechanical or electrical disruption, it will, with high probability, be correctly received via the other channel (as it is unlikely that both channels are simultaneously faulty).
A. Network access handling
According to a traditional CAN operation, a CAN message is written to the transmit-buffer of its CAN controller; after inserting stuffing bits and additional required fields such as CRC coding, the CAN message is ready to be transmitted over the physical layer. The CAN network is a multiple access network, supporting distributed mode operation. Consequently, providing redundant communication over two independent physical layers, while obeying the CAN protocol, calls for special considerations.
Redundant CAN communication suffers from an inherent problem according to which different nodes can simultaneously win arbitration over two different channels. This problem occurs regardless of the specific type of physical channel used. That is, the problem occurs if power line communication is used, or if a second twisted-pair CAN channel is used as the means for providing redundancy. Consequently, operating with redundant CAN channels requires a deterministic mechanism, or a network arbitrator (controller) to properly monitor and determine transmission and wakeup scheduling (in which arbitration is often exclusively used). As a result, bus arbitration procedure, is no longer performed on a per-node basis, rather, the network is forced to switch to a centralized operation mode. The bus controller will grant access permissions and allocate channel resources according to a predefined set of priority rules. The rules are based on specific node identification and message types. This mode of operation effectively eliminates collisions, and is thus expected to allow for more efficient bus utilization. Notably, when too many transmission or reception failures occur, as defined by the CAN protocol, a CAN node is removed from the network. Introducing redundancy may prevent such catastrophic events.
III. USING A PLC TRANSCEIVER FOR REDUNDANT CAN COMMUNICATION
A special PLC transceiver for working over DC power lines has been developed. This transceiver is designed while taking into account the specific noise and impedance characteristics of the automotive battery line.
A. The PLC transceiver
The PLC transceiver is a smart device designed for message multiplex networking over the noisy DC power line. Each network is made up to 16 devices (nodes). Each device can transmit (arbitrary length) messages to other devices in the same network at two alternative bit rates: 500Kbps or 300Kbps (for enhanced robustness). To allow high-speed operation, the transceiver is a message-oriented device, thus the effect of overhead can be effectively minimized. The PLC transceiver uses narrow-band channels operable in selectable frequencies ranging between 2 and 12MHz. This narrow-band approach allows for autonomous coexistence of several independent networks over the same DC wire. The PLC device handles the communication physical layer and part of the link layer. It interfaces with its host micro controller via a Serial Peripheral Interface (SPI), or optionally a UART. In its basic form, the PLC device is designed for a multiple access network using an innovative carrier-sense multiple-access with collision avoidance (CSMA-CA).
B. Redundant CAN network
Figure 1 illustrates the proposed architecture according to which a redundant physical channel for the CAN network is obtained by using the existing battery power lines. Figure 1 describes three redundant CAN processors (which are out of the scope of this paper). Each of the processors has a CAN port and a SPI port. The two ports are used simultaneously to transmit and receive messages. The CAN port uses twisted-pair as its physical layer while the SPI port communicates over the DC power line, which is connected anyway to supply the power for operation. It eliminates the need for extra wiring, which is significantly important in various scenarios such as in a truck-trailer.
Figure 1 – Redundant CAN network
A natural interface between the CAN host and the PLC transceiver would be to use the CAN message itself.
Figure 2 illustrates this approach and also shows the arbitration process over the power line. The left screen in figure 2 represents the transmitter side, while the right screen represents the receiver side. The upper trace in Figure 2 (left) represents the incoming CAN message to the PLC transceiver, while the bottom trace shows the resulting signal as transmitted over the power line. Note, that the first incoming bits of the CAN message are the CAN Identifier bits which are used to generate the arbitration sequence shown in the bottom trace. In this project we decided not to use the CAN interface approach as it introduces undesirable latency – the PLC message is longer than the CAN message.
Our experience showed that utilizing the SPI for the redundant channel communication with the host is more efficient, allowing a Host with a single CAN interface to be used for the traditional CAN transceiver. The SPI provides fast data transfer between the Host and the PLC transceiver; limiting the latency and allowing usage of only one CAN controller. In other words, a host controller having a single SPI port and a single CAN port will do. Figure 4 demonstrates the advantage of using SPI.
Figure 2 – CAN message with arbitration over power line
C. CAN-PLC message flow
The CAN message for transmission is simultaneously stored in the CAN Tx-buffer and the SPI Tx-buffer. The CAN massage is handled by the CAN controller according to the CAN protocol and then transmitted via the twisted pair physical layer. At the receiver side, the CAN controller handles the message, again, according the CAN protocol.
The CAN message in the SPI buffer is transferred to the PLC transceiver at a high speed of 4-20Mbps (depending on the host processor clock). The PLC transceiver begins the transmission of the message, over the power line, with a preamble followed by the content of the CAN message, and an additional PLC checksum. The PLC transceiver further protects all this data with its own error correction code (ECC) combined with interleaving. The receiving transceiver handles the ECC, computes the checksum and transfers the message to its host. Figure 3 describes the CAN and the PLC messages.
Figure 3 – CAN and PLC message construction
Figure 4 shows the CAN message pass to the transceiver at high speed using the SPI interface. The message is transmitted over the power line. On the left hand side of Figure 4, the received message is shown attenuated and a certain impulse noise is clearly visible. Upon completing the reception, the transceiver passes the message content to its host using the SPI interface. The transceiver also informs the host if a ECC or checksum error has been detected. The centralized operation mode of the network ensures the integrity of the data flow.
Figure 4 – Message with SPI I/F over the power line
D. CAN-SPI software driver
In traditional CAN operation, both transmit and receive messages are stored in host dedicated buffers. A CAN message consists of up to 13 bytes: 2 or 4 bytes of the identifier, up to 8 bytes of data and one byte of message length.
A software driver allows simple interface between the host and its CAN and SPI receive buffers. Upon receiving a message over the power line, a PLC transceiver generates an interrupt to its host. It fetches (through the SPI) the message bytes and stores them in the SPI-Rx-buffer. CAN controller performs the same process on the received CAN message.
The driver handles the Rx errors detected on both CAN and SPI channels (including checksum that is automatically added to every message by the PLC transmitter) and a decision-logic decides which of the received messages will be transferred to the host, as will be described below.
E. Error detection and correction
The PLC transceiver protects its data by a forward Error Correction Code (ECC) mechanism designed to overcome errors caused by typical DC line impairments. Two code mechanisms are implemented. The first allows for 500Kbps-net operation, and an enhanced error protection for 300Kbps-net operation. Note that the actual symbol rate over the DC line is much higher than the aforementioned rates as the PLC transceiver uses a modified Golay code as forward error correction code combined with interleaving. This Interleaved-Golay code is designed to handle up to 6 consecutive errors (an error burst), while also providing excellent correction capabilities for random noise (due to the correction capabilities of the (23,12,7) Golay code). Uncorrectable errors are detected by the checksum that is added automatically to each transmitted message as described in Subsection 3.C.
Next, we discuss the error detection mechanism of the complete redundant system. As described above, every CAN message is simultaneously transmitted over two channels; dedicated twisted-pair channel and the DC power line.
The most favorable situation is when a host correctly receives both transmissions. This case is easy to identify as follows: if both the CAN and the PLC indicate no errors, and the content of the message is identical, then the host regards the received message as “most reliable”. (Note that the event where the two messages are erroneously detected as correct, on top of having identical content, is practically impossible).
The second possible event is where the message is correctly detected by one of the receivers. In that case, the correct transmission is selected. Correct transmission, in that case, is declared according to the message check-sum. Unlike the previous case, the probability of false detection in this case is solely determined by the probability of a single checksum being erroneously detected as correct and as function of the probability of receiving uncorrected error. This obviously depends on the code and the channel conditions.
It is assumed that such probability is very small. However, even if a message is erroneously detected as correct, the content of the two messages is unlikely to be identical. Since the content of the messages is always compared, this event will be detected (with high probability) and the two messages will be discarded. This occurs when the two receivers indicate that the message is correct, yet one of the indications is faulty.
Finally, the most undesirable scenario is when both messages are received with errors (or if they are not received at all for that matter). The main purpose of this work is to effectively minimize the probability of such events. Assume that the probability of undetected error (per channel) is negligible. Denote the probability of (detected) error by PCAN, and PPLC, for the CAN network and the PLC network, respectively. It is trivially known that the probability of both received messages being in error, assuming that the two channels are statistically independent, is given by PCAN PPLC. Thus, transmission reliability can be significantly improved.
F. Latency considerations
An eight byte CAN message at 250Kbps along with its extensions consists of anywhere between 130 (not including the stuffing bits) and 151 bits. Transmitting this message over the CAN network takes between 520uS to 604uS. Same CAN message transmitted via the PLC transceiver will take between 474uS, and 565uS (when an optional extended ECC is used). Therefore, using the power lines combined with the PLC network does not introduce any additional latency problems.
The automotive DC-power lines can be employed for providing either an alternative, or a redundant communication channel for the CAN twisted-pair network. It allows an efficient transfer of CAN messages via an independent physical layer.
In a stand-alone operation, i.e. when used as the primary network, the PLC transceivers are designed to operate in a distributed mode (CSMA-CA). On the other hand, when PLC is used as a redundant network, the transceivers must obey a bus arbitrator (controller) in order to avoid collisions. This is so, because message scheduling is dictated by the CAN network for which the PLC operation must be transparent.
 DCB500 data sheet. Yamar Electronics Ltd.
 Jose’ Rufino. Redundant can architecture for dependable communication. Cstc technical report rt-97-07. December 1997
 Wolfhard Lawrenz. CAN System Engineering. Springer. ISBN 0-387-94939-9
 SPARC – www.eu-sparc.net
 A. Schiffer, “Statistical Channel and Noise Modeling of Vehicular DC-Lines for Data Communication”, in Proc. Vehicular technology conference VTC-2000, Japan, pp. 158-162, Spring 2000.
The authors can be reached at Yamar Electronics.
Yair Maryanka Yair@yamar.com – BSc. Electrical engineering, founder of Yamar Electronics Ltd. holds several patents in the field of digital communications.
Ofer Amrani Ofer@yamar.com – PhD. Electrical engineering and an Academy person in the fields of communication and coding in Tel Aviv University.