
Lessons Learnt on CAN
implementations
Luca Bolognino – ESA/ESTEC TEC-EDD – OBC&DH Section
15/06/2017
ESA UNCLASSIFIED - For Official Use
Outline
- Units - Internal propagation delay analysis
- DS16F95 – missing cold sparing capability
- Failure propagation on RS485/CAN data lines
- Lack of RS485 specification in ECSS
- Feedbacks/Improvements
TEC-EDD | CAN in Space WS | 15/06/2017 | Slide 2
CAN - RS485 implementation
Propagation delay
Considering that CAN is pretty new in space, a detailed WCA (worst-case analysis) must be requested from the
supplier, including I/F schematics. The following breakdown can be used as a guideline, but
shall be tailored according to the implemented circuit:
TX:
- PCB delay from connector to transceiver
- Transceiver delay
- PCB delay from transceiver to level shifter
- Level shifter delay
- PCB delay from level shifter to FPGA/ASIC pin
- FPGA/ASIC delays
RX:
- PCB delay from connector to transceiver
- Transceiver delay
- PCB delay from transceiver to level converter
- Level converter delay
- PCB delay from level converter to FPGA/ASIC pin
- FPGA/ASIC delays
A specific requirement shall be defined in the S/C CAN IRD in order to limit the maximum
propagation delay (TX+RX paths) in each unit to 200 ns (cable speed 4 ns/m -> 40 m -> 320 ns
-> sample point at 80%), considering a flight-representative capacitive load.
CAN - RS485 implementation
• Dual rank synchronizer on RX input is not implemented.
• Inverter and mux for bus selection shall be implemented inside the FPGA logic.
• No level shifter shall be used and FPGA pins compatible with 5V shall be selected
(RTAX CAN RX pin shall be configured with clamp diode enabled to allow 5V input
tolerance).
• Hurricane TX bit is transmitted on the falling edge of the clock (Hurricane
"feature"). Resynchronization on the rising edge shall not be implemented (->
additional delay on the WC path).
• RX path delay shall not include the uncertainty due to asynchronous CAN RX
signal arrival at the FF sampling, as CAN controllers work in "time quanta" mode.
• High pass filter shall be implemented right at the DS16F95 DE input pin.
CAN - RS485 implementation
• The DS16F95 datasheet reports driver timings assuming a 15 pF load.
In case of a 40 m cable -> 2840 pF -> DS16F95 tpzh ≈ 100 ns.
• Max bus length shall cover all constraints; the onboard network length could be a
small part of the overall length when AIT constraints are also considered (especially
TVAC and EMC tests, during which EGSEs are outside the chambers).
Moreover, Hurricane wastes half a time quantum before the nominal sampling point, as
the output bits are transmitted half a clock cycle later w.r.t. nominal timings.
CAN - RS485 implementation
- Inactive/"default" output TX signals from the mux shall be set to the recessive state in
order to avoid jamming of the bus (even if a high pass filter is implemented before
the DS16F95 TX pin).
CAN - RS485 implementation
No cold sparing capability for the DS16F95 transceiver.
"Electrical model" to evaluate effects in the units: not compatible with RTAX
maximum absolute ratings.
Failure propagation on data interfaces
Failure propagation is, most of the time, NOT taken into account by the payload world.
Remark: verify that the maximum voltage emission and tolerance are specified for each
interface. TIA standards do not specify any limit, only ECSS does.
Common mistake: DC/DC -> Transceiver, with no overvoltage protection implemented.
Failure propagation on data interfaces
Proposed solution: LDO (linear regulator) between the DC/DC and the transceiver:
DC/DC -> LDO -> Transceiver
However, the following points shall be justified:
- maximum expected voltage on secondary lines in case of failure
- maximum absolute rating of the LDO input voltage
- is the increase of power dissipation in the LDO due to overvoltage on the secondary lines still within the derating values?
- are all the loads connected to the LDO rated up to the input voltage of the LDO itself (in case the LDO pass MOSFET fails short)?
Example: DC/DC -> 7V (or +7V with the LDO in failure) -> LDO -> 3.3V CAN ISO transceiver,
whose maximum absolute rating is 6V.
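An added example (not from the slides) that turns the four justification points above into a check: the fault voltage against the LDO input rating, the LDO dissipation against a derated limit, and every downstream load against the voltage it would see if the LDO pass MOSFET fails short. The slide's 7 V / 6 V case is reproduced; the LDO rating, load current and derated power are constructed values.

```python
"""Fault-voltage propagation check for a transceiver behind an LDO.

Added example; the LDO input rating, load current and derated dissipation
limit are constructed values, the 7 V fault and 6 V transceiver rating are
the slide's numbers."""
from dataclasses import dataclass, field


@dataclass
class LdoStage:
    v_fault_in: float       # worst-case secondary voltage when the DC/DC fails (V)
    ldo_abs_max_in: float   # LDO absolute maximum input voltage rating (V)
    v_out: float            # nominal LDO output (V)
    i_out: float            # load current through the LDO (A)
    p_derated: float        # derated LDO dissipation limit (W)
    loads: dict = field(default_factory=dict)  # load name -> abs max supply rating (V)

    def p_fault(self) -> float:
        # dissipation while still regulating from the faulty input voltage
        return (self.v_fault_in - self.v_out) * self.i_out

    def findings(self) -> list:
        """Return the justification points that are NOT satisfied."""
        out = []
        if self.v_fault_in > self.ldo_abs_max_in:
            out.append(f"LDO input abs max {self.ldo_abs_max_in} V < fault {self.v_fault_in} V")
        if self.p_fault() > self.p_derated:
            out.append(f"LDO dissipation {self.p_fault():.2f} W exceeds derated {self.p_derated} W")
        for name, rating in self.loads.items():
            # with the pass MOSFET shorted the load sees the full fault voltage
            if rating < self.v_fault_in:
                out.append(f"{name}: abs max {rating} V < {self.v_fault_in} V pass-through")
        return out


def slide_case() -> LdoStage:
    # constructed from the slide: 7 V on the secondary line, 3.3 V CAN ISO
    # transceiver rated 6 V absolute maximum; other values are assumed
    return LdoStage(v_fault_in=7.0, ldo_abs_max_in=16.0, v_out=3.3, i_out=0.1,
                    p_derated=0.5, loads={"3.3V CAN ISO transceiver": 6.0})


if __name__ == "__main__":
    for f in slide_case().findings():
        print("NOT justified:", f)
```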
RS-485
No ECSS standard covers this interface.
The DS16F95 SMD (absolute maximum ratings) allows +15/-10V (at the bus inputs).
However, a maximum voltage emission above 7V implies exceeding the maximum
ratings of the DS16F95 power supply. The maximum fault voltage emission for CAN ISO
and RS485 should be set to 7V.
Feedbacks/Improvements
• CCIPC is an IP core handling a "new/complex" protocol, but it removes the full validation of the CANopen
protocol for "remote" terminals at unit and system level. However, a CANopen (not unit functional) and CAN
electrical validation test suite shall be defined.
• The CCIPC GUI shall not allow the generation of DCF, but should only be a converter from a "correctly filled"
DCF to the CCIPC configuration file.
• CCIPC shall implement scrubbing for internal memories (according to the EXM units radiation analysis, the EXM
radiation environment is OK without scrubbing) plus SEU-protected registers (FPGA technology independent).
Aos/Mapping Parameters/RAM-based CCIPC ROM can be scrubbed externally, if needed.
• Each CCIPC-based CAN slave should implement a cyclic TPDO reflecting internal CCIPC errors (e.g.
double EDAC) and a functional alive flag (toggling bit?) for system FDIR monitoring.
• Only "BYTE" variables should be used to avoid endianness issues.
• "Tuning" of CAN controller characteristics for the master (e.g. automatic SYNC transmission based on the OBT
pulse signal).