Black Channel: Radio communication
Overview
Radio communication between Simplifier units is handled via a black channel. The packets sent out contain both a CRC (calculated by CPU1) and a secure Chaskey hash (calculated by CPU2). On the receiving end, both CPUs check the CRC and the hash. The black channel thus begins directly at the SPI output of CPU1 (which communicates with the radio chip) and ends at the SPI interface of CPU1 on the receiving node.
Tables
The black channel fulfills 61508-2 and 61784-3:2021; the justification is given in this document, together with the RER calculations.
| error type | mitigation | PASS | Reference |
|---|---|---|---|
| transmission errors | Protected by 32-bit CRC | TRUE | CPU1: Module test 50 |
| repetitions | Protected by sequence (frame) counter | TRUE | |
| deletion | As there is no state in the data, just updates, deletion is not critical | TRUE | |
| insertion | Protected by sequence (frame) counter and software verification | TRUE | |
| re-sequencing | No store/forward functionality or complex communication parts exist | TRUE | |
| corruption | Protected by 32-bit CRC | TRUE | CPU1: Module test 50 |
| delay | Direct transmission without delays. Strict SW timing and internal timers (frame counter) that are checked. | TRUE | |
| masquerade | Unique serial numbers for the whole system seed the CRC | TRUE | CPU1: Module test 50. TODO: add a module test to verify whether the units can still link up after one unit's serial number is changed |
| Verification | mitigation | Pass | Reference |
|---|---|---|---|
| D.4.3 "De-energize to trip" | A communication timeout is implemented on the receiving end | TRUE | Radio link timeout is sufficient. |
| D.4.4 "Safe state" | Loss of packets sets all signals to "OFF", which is their safe state | TRUE | See FSD300: check that all corresponding node memories are cleared to 0. |
| D.4.5 "Transmission errors" | A CRC mismatch is handled as a lost packet | TRUE | See FSD300: check that all corresponding node memories are cleared to 0. |
| D.4.6 "Safety reaction and response times" | The communication timeout is configured according to the application requirements | TRUE | See FSD300: check that all corresponding node memories are cleared to 0. |
| error type | mitigation | PASS | Reference |
|---|---|---|---|
| 5.4.2 Sequence number | Frame number used | TRUE | |
| 5.4.3 Time stamp | The frame number is calculated internally as a timestamp too | TRUE | |
| 5.4.4 Time expectation | Timing is calculated internally in every node and checked | TRUE | |
| 5.4.5 Connection authentication | The sending node ID together with the unique serial number is checked. | TRUE | See FSD300: check that all corresponding node memories are cleared to 0. |
| 5.4.6 Feedback message | As there is no state, feedback is not used | TRUE | |
| 5.4.7 Data integrity | 32-bit CRC | TRUE | CPU1: FSD300 module test |
| 5.4.8 Redundancy with cross checking | All safety information is also used as inverted data to seed the CRC | TRUE | See FSD300: check that all corresponding node memories are cleared to 0. |
| 5.4.9 Different data integrity assurance systems | Debug data is sent within the same packet (radio), or as a different node ID (CAN). For CAN, no extra 32-bit CRC is calculated at all. | TRUE | |
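As an added example (not the project's own code), the receive-side acceptance logic that puts the table's mitigations together: a CRC-32 seeded with the shared serial number (corruption, masquerade), a frame counter check (repetition, insertion, re-sequencing, with deletion tolerated), a node ID check (5.4.5), and a communication timeout that forces all signals OFF (D.4.3, D.4.4). The 8-byte frame layout, the CRC polynomial, the function names and the sample values are assumptions; the Chaskey hash checked by CPU2 is left out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Receiver state for one link; outputs == 0 means every safety signal is OFF (safe state). */
typedef struct {
    uint32_t serial;         /* unique system serial number shared by the paired units, seeds the CRC */
    uint8_t  peer_node_id;   /* node ID the frames are expected to come from */
    uint16_t last_frame_nr;  /* last accepted sequence (frame) counter */
    uint32_t last_rx_ms;     /* time of the last accepted frame */
    uint32_t timeout_ms;     /* communication timeout, set by the application */
    uint8_t  outputs;        /* current safety signals, one bit each */
} rx_state_t;

/* Reflected CRC-32 (poly 0xEDB88320, assumed) with the initial register derived from the seed. */
static uint32_t crc32_seeded(uint32_t seed, const uint8_t *p, size_t n) {
    uint32_t c = ~seed;  /* a different serial number gives a different final CRC for the same bytes */
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* Sender side of the constructed 8-byte frame: frame_nr (LE16), node_id, signals, crc (LE32). */
void bc_build(uint32_t serial, uint16_t frame_nr, uint8_t node_id, uint8_t signals, uint8_t out[8]) {
    out[0] = (uint8_t)frame_nr; out[1] = (uint8_t)(frame_nr >> 8);
    out[2] = node_id;           out[3] = signals;
    uint32_t crc = crc32_seeded(serial, out, 4);
    for (int i = 0; i < 4; i++) out[4 + i] = (uint8_t)(crc >> (8 * i));
}

/* Receiver side: accept only if every check passes; a rejected frame is handled as a lost packet (D.4.5). */
bool bc_receive(rx_state_t *s, const uint8_t *raw, size_t len, uint32_t now_ms) {
    if (len != 8) return false;
    if (rd32(raw + 4) != crc32_seeded(s->serial, raw, 4)) return false; /* corruption, or wrong serial: masquerade */
    if (raw[2] != s->peer_node_id) return false;                        /* connection authentication (5.4.5) */
    uint16_t frame_nr = (uint16_t)(raw[0] | raw[1] << 8);
    uint16_t step = (uint16_t)(frame_nr - s->last_frame_nr);
    if (step == 0 || step > 0x7FFF) return false; /* repetition, or an older frame: insertion / re-sequencing */
    s->last_frame_nr = frame_nr;                  /* gaps are tolerated: deletion is not critical (no state in data) */
    s->last_rx_ms = now_ms; s->outputs = raw[3];
    return true;
}

/* Periodic check: no valid frame within the timeout forces the safe state (D.4.3, D.4.4). */
void bc_tick(rx_state_t *s, uint32_t now_ms) {
    if ((uint32_t)(now_ms - s->last_rx_ms) > s->timeout_ms) s->outputs = 0;
}
```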
Residual Error Rate
RER requirements are stated in 61784-3:2021, 5.8.5.
See the RER document for the detailed calculation.
Radio communication is handled in sheet "2. SmallPacket".
Revision History
| Date | By | Version | Description |
|---|---|---|---|
| 2025-08-01 | Jesper Ribbe | V01 | Initial version |