FSD230: SimpleCAN Implementation
Description
This document describes the implementation of the SimpleCAN protocol in Safety Simplifier.
Motivations
Safety Simplifier operates in high-demand continuous mode.
See FSD350, SimpleCAN specification calculations.
In simplecan_common.h, when data is received, its age is calculated. Before every logic tick, canradio_update_age_timers checks the age; if it is greater than the maximum age, the data is set to 0.
Simplifier is compliant with IEC 61508.
Safety data is independent of non-safety data: the safety checksum is calculated only over the safety data.
No acknowledgement is used.
Model A is used for transmission and reception.
The manual specifies how to use SimpleCAN with EN 11989-1.
16 entries are used in the SDD in Simplifier. These are mapped to 16 TX or RX IDs.
Fatal errors are triggered directly from the SimpleCAN software implementation.
16 node hashes are used to calculate the corresponding checksum for each TX/RX packet.
The structure MM_CanConfig contains the safety configuration. It contains:
The node hashes are in MM_SimpleCAN_NetworkConfig.
A hardware CRC with polynomial 0x04C11DB7 is used.
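The checksum rules above (polynomial 0x04C11DB7, one node hash per TX/RX slot, checksum over the safety data only) are shown below as an added example; this is not code from the Safety Simplifier source. It models the hardware CRC unit bit-serially, assuming the common hardware defaults (MSB-first, initial value 0xFFFFFFFF, no reflection, no final XOR); the page names only the polynomial. The packet layout, the function names and the way the node hash is mixed in (fed into the CRC ahead of the safety payload) are likewise assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Polynomial from the page; the bit order and seed below are assumptions
 * (CRC-32/MPEG-2 parameters, which is what many MCU CRC units implement). */
#define SIMPLECAN_CRC_POLY 0x04C11DB7u
#define SIMPLECAN_CRC_INIT 0xFFFFFFFFu

/* Bit-serial software model of the hardware CRC: MSB first, no reflection,
 * no final XOR. The running value is passed in so data can be fed in pieces. */
uint32_t crc32_04c11db7(uint32_t crc, const uint8_t *data, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint32_t)data[i] << 24;
        for (int bit = 0; bit < 8; bit++) {
            if (crc & 0x80000000u)
                crc = (crc << 1) ^ SIMPLECAN_CRC_POLY;
            else
                crc <<= 1;
        }
    }
    return crc;
}

/* Hypothetical packet: safety and non-safety payloads are separate fields and
 * only the safety payload is covered by the safety checksum. */
typedef struct {
    uint8_t  safety[8];
    uint8_t  safety_len;
    uint8_t  non_safety[8];
    uint8_t  non_safety_len;
    uint32_t safety_crc;
} simplecan_packet_t;

/* Safety checksum for one TX/RX slot: the slot's node hash is fed into the
 * CRC before the safety payload, so a packet checked against the wrong hash
 * (wrong slot, wrong network) fails verification even if its bytes are intact. */
uint32_t simplecan_safety_crc(uint32_t node_hash, const uint8_t *safety, size_t len)
{
    uint8_t hash_be[4] = {
        (uint8_t)(node_hash >> 24), (uint8_t)(node_hash >> 16),
        (uint8_t)(node_hash >> 8),  (uint8_t)node_hash
    };
    uint32_t crc = crc32_04c11db7(SIMPLECAN_CRC_INIT, hash_be, sizeof hash_be);
    return crc32_04c11db7(crc, safety, len);
}

/* Receive-side check: returns 1 if the safety checksum matches for this slot's hash. */
int simplecan_packet_verify(const simplecan_packet_t *pkt, uint32_t node_hash)
{
    return simplecan_safety_crc(node_hash, pkt->safety, pkt->safety_len) == pkt->safety_crc;
}
```

Because the non-safety field is not fed into the CRC, changing it leaves the safety checksum valid; changing a single bit of the safety payload, or checking with a different node hash, makes it fail.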
The TX slot index determines when to transmit data.
In simplecan_common.h, when data is received, its age is calculated. Before every logic tick, canradio_update_age_timers checks the age; if it is greater than the maximum age, the data is set to 0.
The PC software ensures the configuration contains two empty slots at the end of the cycle.
Sync packets are sent in the next cycle, 200 ms after the last sync packet.
simplecan_cfg_abort_sync_if_failed handles aborting sync packets that fail.
CPU1 forwards packets to CPU2 in model A.
CPU1 handles master determination. If a master with a lower ID is heard, the current master is demoted to slave. If no master with a lower ID is heard for 2000 ms, the node takes over as master.
If a node is master and hears a master with a higher ID for 2000 ms, it triggers a fatal error.
If a node can act as master, it waits 200 ms + (10 ms × its lowest ID) before sending the first time sync packet. If a lower ID is heard, it switches to slave mode.
If a node tries to send a sync packet and the send fails, it backs off and tries again.
All nodes start in the unsynced state.
Two time sync packets from the same master are required to enter the synced state.
A 12 MHz, 50 ppm crystal is used.
time_since_good_sync_ms checks this.
CAN buffers are checked every ms. Maximum buffer time = 1 ms.
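The master determination and sync-state rules above form a small state machine; the following is an added example that models them, not code from Safety Simplifier. Assumptions beyond the text: a sync packet carries the sender's lowest ID; "hears a master with a higher ID for 2000 ms" is modelled as hearing that master again at least 2000 ms after first hearing it; the retry delay after a failed send is 10 ms; all function and field names are hypothetical.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Timing constants from the text above (SYNC_BACKOFF_MS is an assumed value). */
#define SYNC_PERIOD_MS          200u   /* sync packet 200 ms after the last one          */
#define LOWER_MASTER_TIMEOUT_MS 2000u  /* no lower-ID master for this long: take over    */
#define HIGHER_MASTER_FATAL_MS  2000u  /* higher-ID master heard this long: fatal error  */
#define SYNCS_FOR_SYNCED        2u     /* sync packets from one master to become synced  */
#define SYNC_BACKOFF_MS         10u    /* retry delay after a failed send (assumption)   */

typedef enum { ROLE_SLAVE, ROLE_MASTER } simplecan_role_t;

typedef struct {
    uint8_t  lowest_id;              /* lowest TX ID owned by this node */
    bool     can_be_master;
    simplecan_role_t role;
    bool     synced;
    bool     fatal;
    uint32_t takeover_at_ms;         /* earliest time this node may become master */
    uint32_t next_sync_tx_ms;        /* next time a master sends a sync packet */
    bool     higher_master_heard;    /* master only: a higher-ID master is on the bus */
    uint32_t higher_master_first_ms;
    uint8_t  sync_src_id;            /* master whose sync packets we are counting */
    uint8_t  sync_count;
} simplecan_node_t;

/* All nodes start as unsynced slaves; a master-capable node may take over
 * after 200 ms + 10 ms * lowest ID unless a lower-ID master is heard first. */
void simplecan_node_init(simplecan_node_t *n, uint8_t lowest_id, bool can_be_master, uint32_t now_ms)
{
    memset(n, 0, sizeof *n);
    n->lowest_id = lowest_id;
    n->can_be_master = can_be_master;
    n->role = ROLE_SLAVE;
    n->takeover_at_ms = now_ms + 200u + 10u * lowest_id;
}

/* Called for every received time sync packet; master_id is the sender's lowest ID. */
void simplecan_on_sync(simplecan_node_t *n, uint8_t master_id, uint32_t now_ms)
{
    if (master_id == n->lowest_id) return;          /* our own packet */
    if (master_id < n->lowest_id) {
        /* A lower-ID master exists: stay or become slave, restart the 2000 ms timer. */
        n->role = ROLE_SLAVE;
        n->takeover_at_ms = now_ms + LOWER_MASTER_TIMEOUT_MS;
        n->higher_master_heard = false;
    } else if (n->role == ROLE_MASTER) {
        /* A second master with a higher ID; if it persists for 2000 ms, fatal error. */
        if (!n->higher_master_heard) {
            n->higher_master_heard = true;
            n->higher_master_first_ms = now_ms;
        } else if (now_ms - n->higher_master_first_ms >= HIGHER_MASTER_FATAL_MS) {
            n->fatal = true;
        }
        return;                                     /* a master does not sync to a higher-ID master */
    }
    /* Unsynced -> synced requires two sync packets from the same master. */
    if (n->sync_count == 0 || master_id != n->sync_src_id) {
        n->sync_src_id = master_id;
        n->sync_count = 1;
    } else if (n->sync_count < SYNCS_FOR_SYNCED) {
        n->sync_count++;
    }
    if (n->sync_count >= SYNCS_FOR_SYNCED) n->synced = true;
}

/* Called once per ms. Returns true when this node must transmit a sync packet now.
 * Time comparisons use signed differences so a wrapping ms counter is handled. */
bool simplecan_node_tick(simplecan_node_t *n, uint32_t now_ms)
{
    if (n->fatal) return false;
    if (n->role == ROLE_SLAVE && n->can_be_master &&
        (int32_t)(now_ms - n->takeover_at_ms) >= 0)
        n->role = ROLE_MASTER;                      /* no lower-ID master heard in time */
    if (n->role != ROLE_MASTER || (int32_t)(now_ms - n->next_sync_tx_ms) < 0)
        return false;
    n->next_sync_tx_ms = now_ms + SYNC_PERIOD_MS;
    return true;
}

/* Called when the sync packet requested by simplecan_node_tick could not be sent. */
void simplecan_sync_tx_failed(simplecan_node_t *n, uint32_t now_ms)
{
    n->next_sync_tx_ms = now_ms + SYNC_BACKOFF_MS;  /* back off, then try again */
}
```

Walking two master-capable nodes with lowest IDs 3 and 7 through this model: node 3 takes over at 230 ms and node 7 becomes synced after its second sync packet; if node 3 falls silent, node 7 takes over 2000 ms after the last sync it heard and is demoted again as soon as node 3 reappears.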
check_simplecan_config_or_fatal verifies the configuration at startup.
The configuration tool downloads the configuration to the SR devices in the network.
The configuration tool reads back the configuration after download.
The manual describes how to address SR devices on the network.
Safety Simplifier can only be configured in configuration mode.
SimpleCAN is not initialized in the safe state.
SimpleCAN is only initialized at normal-mode startup.
bad_rx_pkts_counter checks the number of packets with an incorrect CRC per hour.
Unauthorized access is checked for configuration via radio. Configuration directly via USB/CAN is not protected.
The manual describes this in the SimpleCAN section.
The age of all data is calculated and checked before every logic tick. The safety reaction time of the SimpleCAN network is configured by the user in the configuration tool.
The manual describes this in the SimpleCAN section.
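The data-age mechanism (age calculated on reception, checked before every logic tick, data forced to 0 when older than the maximum age) together with the per-hour bad-CRC counter is shown below as an added example; it is not the canradio_update_age_timers code from Safety Simplifier. Assumptions: each packet carries a sender time stamp in network time so that the age on reception includes transport delay, the maximum age is derived elsewhere from the configured safety reaction time, and all type and function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

#define SDD_ENTRIES 16u           /* 16 RX/TX entries in the SDD (from the page) */
#define MS_PER_HOUR 3600000u

typedef struct {
    uint8_t  data[8];       /* last accepted safety payload, zeroed when stale */
    uint32_t rx_time_ms;    /* local time of last accepted reception */
    uint32_t age_at_rx_ms;  /* age computed on reception from the packet time stamp (assumed field) */
    bool     valid;
} simplecan_rx_slot_t;

typedef struct {
    simplecan_rx_slot_t rx[SDD_ENTRIES];
    uint32_t max_age_ms;           /* derived from the configured safety reaction time */
    uint32_t bad_rx_pkts_counter;  /* packets with bad CRC in the current hour */
    uint32_t hour_start_ms;
} simplecan_state_t;

void simplecan_init(simplecan_state_t *s, uint32_t max_age_ms, uint32_t now_ms)
{
    memset(s, 0, sizeof *s);
    s->max_age_ms = max_age_ms;
    s->hour_start_ms = now_ms;
}

/* Receive path. The age is calculated here, from the packet's time stamp, so
 * that transport delay counts toward the reaction time. Packets whose safety
 * CRC failed are dropped and counted per hour. Returns true if accepted. */
bool simplecan_rx_store(simplecan_state_t *s, unsigned slot, const uint8_t *payload, size_t len,
                        uint32_t pkt_time_ms, bool crc_ok, uint32_t now_ms)
{
    if (now_ms - s->hour_start_ms >= MS_PER_HOUR) {   /* new hour: restart the counter */
        s->hour_start_ms = now_ms;
        s->bad_rx_pkts_counter = 0;
    }
    if (!crc_ok) {
        s->bad_rx_pkts_counter++;
        return false;
    }
    if (slot >= SDD_ENTRIES || len > sizeof s->rx[slot].data) return false;
    simplecan_rx_slot_t *r = &s->rx[slot];
    memset(r->data, 0, sizeof r->data);
    memcpy(r->data, payload, len);
    r->rx_time_ms = now_ms;
    r->age_at_rx_ms = now_ms - pkt_time_ms;   /* unsigned arithmetic tolerates counter wrap */
    r->valid = true;
    return true;
}

/* Current age of a slot's data: age on reception plus time elapsed since. */
uint32_t simplecan_data_age_ms(const simplecan_state_t *s, unsigned slot, uint32_t now_ms)
{
    const simplecan_rx_slot_t *r = &s->rx[slot];
    return r->age_at_rx_ms + (now_ms - r->rx_time_ms);
}

/* Called before every logic tick. Any slot whose data is older than the
 * maximum age is forced to 0, the safe value for inputs, so stale data can
 * never drive the logic. Returns the number of slots that aged out. */
unsigned simplecan_update_age_timers(simplecan_state_t *s, uint32_t now_ms)
{
    unsigned aged_out = 0;
    for (unsigned i = 0; i < SDD_ENTRIES; i++) {
        simplecan_rx_slot_t *r = &s->rx[i];
        if (r->valid && simplecan_data_age_ms(s, i, now_ms) > s->max_age_ms) {
            memset(r->data, 0, sizeof r->data);
            r->valid = false;
            aged_out++;
        }
    }
    return aged_out;
}
```

Note that the comparison is strictly "greater than the maximum age", as the text states: data that is exactly max_age_ms old is still used for that tick and cleared on the next one.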