Researches on Fault Diagnosis of Time Master in TTCAN on Hybrid

Determinant factors of time interval for sending reference message in Time Triggered Controller Area Network, called TTCAN below, was analyzed. A software method for fault diagnosis and tolerance of time master was also proposed and the method was validated in a network of hybrid electric vehicle topology. The results indicate that it does work to monitor local time counter in each potential time master and to compare it with basic cycle to diagnose the fault of current time master and that it does make sense to set multi-potential time masters to get tolerance of current time master’s fault and to guarantee proper operation and reliability of TTCAN system. Keywords—TTCAN, Reference Message, Time Master, Hybrid Electric Vehicle, Fault Diagnosis


Introduction
New concepts and application in automotive electrical control systems such as x-by-wire systems require a time triggered communication mechanism in order to guarantee and to improve the real-time performance of the control system.As CAN is widely used in automotive application, BOSCH GmbH proposes TTCAN protocol [1] , ISO11898-4 [2] , which is in time triggered fashion based on CAN protocol and is of the same physical and data link layer as CAN.TTCAN protocol can prevent bus conflict between nodes by CAN's non-destructive bitwise arbitration mechanism and by CAN's fault confinement [3] and can take the full advantage of CAN bus.In a TTCAN network, all nodes time counter are synchronized by the reference message sent by time master, and time windows are used to realize that all messaged transmitted on bus are predictable in time [4] [5] .It is very significant and essential that the current time master works well to send its reference message periodically on time to synchronize all nodes' time counters, otherwise the TTCAN network can't be synchronized and the whole network will break down.So it is necessary to take measures to guarantee transmitting cycle of reference message and to make fault diagnosis and tolerance of time master in TTCAN.The transmitting mechanism of reference message was analyzed and the determinant factors of sending interval of reference message by time master was proposed which includes bus baud rate and reference message length and basic cycle length of system matrix.According to ISO11898-4 and basic principle of fault-tolerance system [6] , a software design method for fault diagnosis and tolerance of time master was proposed by setting multi-potential time masters to send its corresponding reference message in pre-defined priority at the time that a fault of current time master is diagnosed so as to keep continuity of reference message and normal operation of the system and also to improve the system reliability.

Determinants of Interval for Reference Message
As it is specified in ISO11898-4, each node in TTCAN gets access to the bus scheduled by system matrix [7] .The structure of system matrix is shown in figure1,of which the row is called basic cycle.The time master enables to synchronize all other nodes' local time counters besides itself by self-sending and self-receiving reference message, so the theoretical transmitting cycle of reference message is equal to a basic cycle.As shown above, t1 is the time duration of reference message on CAN bus which is calculated by formula t1=L/f, where L is the bit length of reference message and f is the bus baud rate.t2 is the interval for sending reference message programmed in software.As it is mentioned above, the theoretical value of reference message cycle is equal to the length of a basic cycle, t2 can be calculated by formula t2=BC-t1 if t1 is determined.So it can be concluded that the sending interval of reference message by time master is determined by three factors such as reference message length, bus baud rate and basic cycle length of system matrix.

Fault Diagnosis and Tolerance for Time Master
Frames in TTCAN network are sent in the corresponding time windows scheduled by system matrix and are free of conflict with each other.

Testing Program
Firstly, a CAN network in which the node is enabled of time synchronization function is chosen as the TTCAN network hardware system [8] .Each node's CAN controller [9][10] is programmed according to software flowchart as shown in figure3, which takes into account the time interval for sending reference message and fault diagnosis and tolerance method proposed above, and then the worst case in which each current time master is taken away from the bus in sequence deliberately is chosen to simulate the time master's fault.During the whole testing process, CANoe is connected to the bus in order to measure and to estimate performance of TTCAN network embedded with the fault diagnosis and tolerance mechanism.It is specified that there are at most 8 potential time masters allowed in TTCAN network in ISO11898-4, so a network of 500kbps baud rate and of 6 nodes in hybrid electrical vehicle powertrain topology which requires higher reliability is tested.Reference messages of different ID sent by the 6 potential time masters are illustrated in table1 as follows, and the smaller the value of ID is, the higher priority of the reference message is.
Table1: Reference Message of Different ID

Network with Two Potential Time Masters
In order to verify that the fault diagnosis and tolerance method for time master does make sense, only ISG node and IPU node are programmed to be potential time masters and the ISG is prior to IPU at first. Figure 4 shows the test result about reference message on the bus before and after ISG's fault.It can be concluded from figure5 that potential time masters can diagnose the current time master's fault and send the corresponding reference message.Besides, all reference messages sent by multi-potential time masters will be arbitrated by their priorities and only the potential time master which sends the reference message in top priority can occupy the bus to become the new current time master.It can also be concluded that the real-time performance of message EEC1 is not influenced by the current time master's fault and the entire network system is always in proper operation despite of the current time master's fault.

Conclusions
The determinant factors of time interval for sending reference message by time master and the feature of each node's local time counter were analyzed and a software design method for fault diagnosis and tolerance of time master was researched and proposed.And the method proposed has been verified in a network of hybrid electrical vehicle topology.The test results show that the method for fault diagnosis and tolerance of current time master proposed in this paper effects indeed to guarantee the entire network system in proper operation and to improve the reliability of entire TTCAN network.The conclusion points are as follows: • The time interval for sending reference message by time master is determined by three factors as bus baud rate and reference message length and basic cycle length in system matrix.
• It can be diagnosed that a fault has occurred in current time master if the value of each node's local time counter is larger than the basic cycle length by means of counting local time and comparing the local time with the basic cycle simultaneously in software design of potential time master.
• It does make sense that multi-potential time masters, which transmit the corresponding reference messages in pre-defined priority immediately a fault has occurred in current time master, are programmed in TTCAN network to confirm the continuity of reference message which is used to synchronize each node's local time and to realize the redundancy and fault tolerance for current time master and finally to improve the reliability of TTCAN network Figure1: TTCAN System MatrixThe actual transmission cycle of reference message called T in this paper consists of two parts as illustrated in figure2 and it is necessary to calculate the time interval for sending reference message by time master first in order to keep the actual transmission cycle equal to a basic cycle.t1 t2 T

Figure 3
Figure3 Software Flow of Potential Time Master with Fault Diagnosis and Tolerance Mechanism Suppose if all nodes in TTCAN are working well and the basic cycle is N bits length long and the instant value in each node's time counter is K bits length long, then if current time master is of no fault and in proper operation, each node's time counter will be reset and be synchronized at the end of each basic cycle, so the variable K will just vary from zero to N circularly, that is 0<K<=N.Otherwise, if current time master is in fault, all nodes in TTCAN can't receive reference message in time, the time counter can't get reset during a basic cycle and then the K in time counter will exceed N, that is K>N.So monitoring the range of variation of K in each local time counter and comparing it with basic cycle length N, it can be diagnosed that a fault in time master has occurred if the value K is larger than value N.
ref.1immediately as ISG is taken away from the bus.The test result indicates that the software design proposed can guarantee the potential time master to become the new time master to send corresponding reference message at the time a fault has occurred in the current time master.
Figure 4: Reference Message on The Bus Before And After ISG's Fault As shown in figure4, there is only ref.0 sent by ISG on the bus when ISG node is working properly, and the IPU can diagnose the ISG's fault and can send