# Study on the system of real-time and fault tolerance of steering by wire electric car flexray

# Zhuan You<sup>1</sup>

Abstract. With the development of automotive electronics, more and more people use the wire control technology to overcome the defects of the traditional mechanical equipment and the hydraulic control system and to improve the handling stability, safety and comfort of the vehicles. FlexRay bus is a new advanced communication technology that aims to control the vehicle speed, and it has already been used in the concept vehicle. In order to further explore the potential of FlexRay when applied in the automotive industry, in this paper, we focus on the FlexRay communication module of the Steer-by-wire (SBW) System, and analyze and improve the complex part or deficiency of the protocol. Finally, we make the module's communication function be well enough to ensure the real time and fault tolerance function of the SBW system. Through the monitoring of communication controller and bus monitor scheduling, we could make sure that the node only get access to the bus at the correct point, thus to provide theoretical basis of achieving bus monitoring capacity for the FlexRay.

Key words. FlexRay, Steer-by-wire, Optimal scheduling, Clock synchronization, Bus monitor, Fault tolerance

## 1. Introduction

Automotive steering system is the key factor to improve the handling stability of the vehicle and to reduce the driver's controlling load and to improve the performance of the Driver-vehicle Closed-loop System. According to the steering power source, the steering system can be divided into mechanical steering system and power steering system [1]. In mechanical steering system, we take the driver's physical power as power source. Besides, we use mechanical transmission components, but due to the small output of the steering torque, the scope of application should be

 $<sup>^1 \</sup>rm Department of Automobile Engineering, Huaian College of Information Technology, Huaian, Jiangsu 223003, China$ 

limited. Power steering system, based on the mechanical steering system, it added a steering power assisting device. Therefore, it takes the driver physical strength and the power of the motor as steering power source. According to the different ways of providing power, we could divide the systems into Hydraulic Power Steering, namely HPS, Electronically Hydraulic Power Steering System, namely EHPS, Electric Power Steering, namely EPS and Steer-by-Wire, namely SBW.

The fundamental difference among Steer by wire and other steering systems lies in that it cancelled the mechanical or hydraulic connecting device between the steering wheel and the turning wheel, thus it breaks through fixed transmission ratio limit of the meshing gear, and reduces the total clearance among the inertial, friction and transmission parts of the system, and finally improves the response speed and response accuracy of the system.

Domestic research mainly focuses on algorithms related to Steer-by-Wire system, such as the algorithms of return torque and stability of the steering wheel. Domestic research doesn't form in-depth research of the communication protocol used in the system. And, FlexRay is through accurate and high speed communication network protocol to meet the requirements of SBW system when there are fault tolerance and time uncertainty of the message transmission, thus to improve the controllability, stability and safety of car handling. Therefore, the research of the SBW system's communication network is a research in a new field, and it is also crucial to improve the vehicle performance and gradually makes it more intelligent.

#### 2. Improvement of FlexRay clock synchronization algorithm

FlexRay adopts the distributed clock synchronization mechanism. The clock synchronization of the normal nodes in the network is less affected by the error nodes (including synchronous nodes and non synchronous nodes). Therefore there is robustness in the system. The host of which the error nodes results of clock synchronization mechanism, namely, *zSyncCalcResult*status, to transfer the nodes from POC: normal active state to POC: normal active state or POC: halt state. And the detailed methods could is shown in Table 1.

| zSyncCalcResult | function                                                                                           | Deal with<br>the time | POCstate                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
|-----------------|----------------------------------------------------------------------------------------------------|-----------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| WITHIN_BOUNDS   | There is no error in<br>clock synchroniza-<br>tion algorithm                                       | odd-period            | Maintain or come into POC: normal ac-<br>tive state                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| MISSING_TERM    | phase correction<br>value or frequency<br>correction value has<br>not been calculated<br>out       | odd-period            | greater than or equal to $zSync$ -<br>$CalcResult = MISSING_TERM$ of<br>odd-periodic: $gMaxWithoutClockCor-$<br>rection-Fatal, thus into POC: halt<br>state; greater than $gMaxWithoutClock-$<br>CorrectionPassive and at the same<br>time less than $zSyncCalcResult =$<br>$MISSING_TERM$ of odd-periodic:<br>gMaxWithoutClockCorrectionFatal,<br>thus into or maintain POC: normal<br>passive state; In other cases, main-<br>tain POC: normal active state(1<=<br>gMaxWithoutClockCorrectio- $nPas-sive<=gMaxWithoutClockCorrectioFatal<=15$ ) |
| EXCEEDS_BOUNDS  | phase correction<br>value and fre-<br>quency correction<br>value are greater<br>than limited value | Odd/even<br>periods   | Into POC: halt state                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |

Table 1. Error handling of clock synchronization algorithm

#### 2.1. Phase deviation state diagram

In the description of clock synchronization state diagram, we usually adopt the transmission delay description method[9], namely use the transmission delay of the time stamp between two nodes to form the edge of the clock synchronization state diagram. However, with the development of modern network technology and the expansion of the scope of the clock synchronization, the information transmission appears to be sudden and intermittent, so it is difficult for us to accurately estimate the time stamp of the transmission delay. Due to the fact that the clock drift rate is more stable than the transmission delay of time stamp, we take the phase deviation as the basis of generating state diagram. The application of continuous time interval is more accurate than real-time interval, and it could conduct real-time and dynamic evaluation on the performance of clock synchronization. Besides, the application of continuous time interval could determine the system stability by exchanging the information of phase deviation state diagram, so as to improve the accuracy of clock synchronization in the network.

As shown in Figure 1, we assume that that the nodes i, j, k, l are the synchronization nodes in the FlexRay network. We establish the phase offset trend equation  $y = P \times x + C$  by the least square method. In this equation, x stands for phase deviation, weight P stands for change rate of x, namely the node's clock drift rate.



Fig. 1. Phase deviation state diagram

If the weights between synchronization nodes i and j meet the equation  $P_{ij} = -P_{ji}$  (the weight  $P_{ij}$  is the j clock drift rate when i is taken as reference node), namely  $|P_{ij}| = |P_{ji}|$ , which means the clock drift rate of node i equals to that of node j, and the clock synchronization of the two nodes are stable, and through continuous clock correction the phase deviation can be synchronously reduced. Therefore, when there is no synchronization node error in the network, the whole phase deviation state diagram will be stable. If there is an exception in the clock synchronization nodes, then the weight values in the figure that take the node as the starting point and the end point will be changed.

#### 2.2. The dynamic detection method synchronous node

There are at least three synchronization nodes in the FlexRay network, and each synchronization node sends or receives the synchronization frame in static segment (namely the ST segment). Under normal circumstances, if there is a synchronization node error, we should use the method of dealing with non synchronous node to deal with it, namely through judging the value and count value of the error cycle of zSyncCalcResul to make the node from being POC: normal active state to the POC: passive state or POC: halt state. If the synchronization node enters the normal POC: normal state, then it is forbidden to send the synchronization frame, but it still could receive the frame; if the synchronization node enters the POC: halt state, then we should re initialize the node. Although the synchronization error could not paralyze the clock synchronization. In order to reduce this kind of influence, by exchanging the information of the phase deviation state diagram, we should conduct active detection towards the synchronous nodes and evaluate the stability of the network, thus to improving the accuracy of the clock synchronization.

Take FlexRay network in Figure 1 as an example, and table 2 shows the synchronous frame transmission time slot and the content in the load period.

Table 2. Transmission time slot and content of the synchronization frame

| NODE                                                  | i                        | j                        | k                        | l                        |
|-------------------------------------------------------|--------------------------|--------------------------|--------------------------|--------------------------|
| Synchronous frame transmission time slot              | slot1                    | slot2                    | slot3                    | slot4                    |
| Transmitted content of the syn-<br>chronization frame | Pji, Pki, Pli            | $P_{ij}, P_{kj}, P_{lj}$ | $P_{ik}, P_{jk}, P_{lk}$ | $P_{il}, P_{jl}, P_{kl}$ |
| Received content of the synchro-<br>nization frame    | $P_{ij}, P_{ik}, P_{il}$ | $P_{ji}, P_{jk}, P_{jl}$ | $P_{ki}, P_{kj}, P_{kl}$ | $P_{li}, P_{lj}, P_{lk}$ |

For synchronous node i, after received the synchronous frames sent by other nodes, it should read related phase deviation's state diagram weights  $P_{ij}$ ,  $P_{ik}$ ,  $P_{il}$ from load segments, and then compare with weights  $P_{ji}$ ,  $P_{ki}$ ,  $P_{li}$  obtained from this node to detect the stability of the FlexRay network. If all synchronization nodes have been in a synchronous correction state, then we can take the weights  $P'_{ji}$ ,  $P'_{ki}$ ,  $P'_{li}$  calculated out in pre cycle to detect the clock synchronization performance of this node i.

$$Error1 = |P_{ji} - (-P_{ij})| + |P_{ki} - (-P_{ik})| + |P_{li} - (-P_{il})|$$
  
= |P\_{ji} + P\_{ij}| + |P\_{ki} + P\_{ik}| + |P\_{li} + P\_{il}|,

is used to evaluate the clock synchronization state between node i and other nodes, and this equation is a general measure of the network stability. If the error is equal to 0, which signifies that the synchronization clock correction between the node i and other nodes maintains a synchronized stable state; if the error is greater than *limitpassive*1, which signifies that node i deviates from the clock synchronization range of the network, then the node should enter the POC: normal passive state; if the error is greater than *limithalt*1, which signifies that the normal clock synchronization between node i and other synchronization nodes can't be maintained, thus we should initialize the node. Since the number of MT in the communication cycle is constant, that is to say FlexRay could achieve synchronization when the clock synchronization layer is the maximum one. Therefore, so when the clock deviation maintains a MT, the node must enter the POC: halt state. Taking into account that *Error*1 is obtained from the absolute value, then we can define the limit values in the conditions that the nodes enter the POC: halt state and POC: normal passive state respectively as

$$limithalt1 = 2 \times pMicroPerMacNom, \qquad (1)$$

$$limit passive 1 = 0.5 \times limit halt 1, \qquad (2)$$

From the two equations, we can know that pMicroPerMacNom is the number of  $\mu$ T in one MT. The new frequency correction value could be obtained from the FTM algorithm, namely,

$$dynratecor1 = FTM(P_{ii}, P_{ki}, P_{li}).$$

$$(3)$$

 $P_{ji}$ ,  $P_{ki}$ ,  $P_{li}$  are the phase deviation change rates when we take jkl as the

reference nodes. Due to the face that these weight values are based on the phase deviation change rates of multiple cycles, so *dynratecor1* can more accurately present the clock drift rate of the local nodes in successive time intervals; and the correctness of the correction of the original frequency correction values, which are based on the measured values even/odd doubly periods, is less accurate than *dynratecor1*.

 $Error2 = |P_{ji} - P'_{ji}| + |P_{ki} - P'_{ki}| + |P_{li} - P'_{li}|$  is used to detect the clock synchronization performance of node *i* itself. Besides, it is more often used to conduct nodes' self detection, and it must satisfy the premise that the network is stable, that is to say Error1=0. If the error is equal to 0, which indicates that the clock synchronization performance of node *i* could maintain a normal state; if the node is greater than *limitpassive2*, which signifies that the clock runs abnormally, thus the node should enter the POC: normal passive state; if the node is greater than *limithalt2*, which indicates that the clock synchronization performance of node *i* declined obviously, in this condition we should initialize the node. Among them, *limitpassive2* and *limithalt2* are two threshold values of *Error2*, and their definition method is similar to *Error1*, namely

$$limithalt2 = 2 \times pMicroPerMacNom.$$
(4)

$$limit passive 2 = 0.5 \times limit halt 2.$$
<sup>(5)</sup>

The new frequency correction value is

$$dynratecor2 = FTM(P_{ii}, P_{ki}, P_{li}).$$
(6)

With the increase of the number of phase deviation, the clock drift rate and synchronization status information reflected by weight value P will be more accurate. Due to the fact that the dynamic detection method of synchronous node is based on a large number of data acquisitions, the error or loss of individual data will not affect the evaluation and detection results.

#### 2.3. Simulation and performance comparison of the software

Assume that there are four nodes in a FlexRay network, and three of which are synchronized nodes. The cold boot process should be ignored while conduct the software simulation process. Besides, we should focus on the clock synchronization conditions of Cycle8~Cycle13-these six cycles, and each cycle should be simplified as ST segment and NIT segment. We should set the relevant protocol parameters meet the following equations gdCycle = 1000, gdMacrotick = 1  $\mu$  s, pMacroPerCycle = 1000, gdStaticSlot = 100MT.

In order to calculate the phase and frequency correction value of each node, we should write the FTM algorithm Matlab as: [offsetcorrection, ratecorrection] =  $FTM_algorithm$  (num, offsetarray, ownoffset). In the above equation, num is the number of synchronization nodes, for cSyncNodeMax = 15, the maximum value of num of is 15; offset- array is the expected arrival time of certain synchronization frame, and it takes the node's local time as reference. Through  $FTM_algorithm$ 

function, we could obtain phase and frequency correction value of each node among Cycle10~Cycle11 as shown in table 3. In table 3, pdMicrotick is the length value of  $\mu$ T, and its unit is  $\mu$ s; and we take  $\mu$ T as unit of phase and frequency correction value.

| nodes                  | $pdMicrotick(\mu s)$ | Phase correction $value(\mu T)$ | Frequency correction $value(\mu T)$ |
|------------------------|----------------------|---------------------------------|-------------------------------------|
| Non synchronous node   | 0.1                  | -820                            | -43                                 |
| synchronization node 1 | 0.025                | 429                             | 28                                  |
| synchronization node 2 | 0.025                | -29                             | -3                                  |
| synchronization node 3 | 0.025                | -406                            | -27                                 |

Table 3. Phase and frequency correction value among Cycle10~Cycle11

In order to improve the synchronization accuracy of the network, based on the original clock synchronization algorithm of FlexRay, we introduced the dynamic detection method of synchronous nodes, namely work on the phase deviation diagram based on the measured value of Cycle8~Cycle9. For the synchronous node 1, we should establish  $Dev_2[1][56]$  and  $Dev_3[1][56]$  to store the phase deviations obtained from different synchronization frames. The storage method of other synchronous nodes is similar to that of synchronization node 1, thus there is no need for us to repeat them. Take  $Dev_{FrameID}[1][56]$  into account to establish the equation of phase deviation trend  $y_{=}P \times x_{+}C$ , and the phase deviation state diagram is shown in Figure 2.



Fig. 2. Phase deviation state diagram of synchronous node

In Figure 2, if  $P_{ij} = -P_{ji}$ , which indicates that the clock synchronization between the synchronization node *i* and the synchronization node *j* is stably maintained. If  $P_{ij} \neq -P_{ji}$ , which indicates that total phase correction between the synchronization node *i* and the synchronization node *j* has not been achieved. It can be seen from the figure that the weight value that takes synchronization node 1 as the beginning point and the terminal point does not satisfy the equation  $P_{ij} = -P_{ji}$ , which means the synchronous between this node and other nodes could not be achieved. Besides, the clock synchronization between the synchronization node 2 and the synchronization node 3 is in steady state. Therefore, the synchronization node 1 is the node that has a poor performance in the current network, which will affect the synchronization precision of the network, so we should adjust the frequency correction value of this node.

According to the dynamic detection method steps of synchronous node, we should first determine the values of *limitpassive1*, *limithalt1*, *limitpa-ssive2* and *limithalt2*. And based on the protocol parameters  $gdCycle = 1000\mu$ s, pSamplesPerMicrotick = 2,  $gdSampleClockPeriod = 0.0125\mu$ s, pMicroPerMacroNom = 40,  $pdMicrotick = 0.025\mu$ s, pMicroPerCycle = 40000,  $gdMacrotick = 1\mu$ s and pMacroPerCycle = 1000, we could get the results that *limitpas-sive1* = *limitpassive2* =  $40\mu$ T, *limithalt1* = *limithalt2* =  $80\mu$ T. From Figure 2 we can see that the current network is not in a stable state. Therefore, we can only take *Error1* into consideration, and do not need to calculate the *Error2*. The test results are as shown in table 4.

Table 4. Dynamic detection results of synchronous nodes in Cycle10~Cycle11 1

| reference node            | The deviation of clock drift rate $(\mu T)$ | Error1              | The original frequency correction value( $\mu$ T) | $\frac{dynratecor1}{(\mu T)}$ |
|---------------------------|---------------------------------------------|---------------------|---------------------------------------------------|-------------------------------|
| synchronization<br>node 2 | $ P_{21} + P_{12}  = 2$                     | r .1· · · · · · ·   | 20                                                | 21                            |
| synchronization<br>node 3 | $ P_{31} + P_{13}  = 3$                     | 5 < limit passive 1 | 28                                                | 31                            |

From table 4 we can see that the new frequency correction value is  $31\mu$ T, in Cycle12~Cycle13 we take this value to correct the clock of synchronization node 1, while the clock correction value of other synchronization node remains unchanged, and then we work out state graph weight values of new phase deviation diagram, as Table 5 shows.

Table 5. The clock correction results obtained by introducing the dynamic detection method on Cycle12 $\sim$ Cycle13

| node                   | $pdMicrotick(\mu s)$ | The deviat  | tion of clock drift rate $(\mu T)$ |
|------------------------|----------------------|-------------|------------------------------------|
| Non synchronous node   | 0.1                  |             | /                                  |
| synchronization node 1 | 0.025                | $P_{21}$    | 26                                 |
| synchronization node 1 | 0.025                | $P_{31}$    | 36                                 |
| synchronization node 2 | 0.025                | $P_{12}$    | -27                                |
|                        |                      | $P_{32}$    | 23                                 |
| synchronization node 3 | 0.025                | $P_{13}$    | -35                                |
| synchronization node 5 |                      | $P_{23}$    | -23                                |
| Error1                 |                      | 2 < limit p | assive1                            |

From table 5 and table 4 we can see that, with the continuous detection and correction going on, *Error*1 gradually decreased. If the *Error*1 is close to 0 T, which would indicates that all the synchronization nodes are in the modified state. In order to make sure that the network state being stable, we should conduct dynamic assessment towards the clock performance of the node itself. Namely we should base

on the value of Error2 to determine the new frequency correction value, and the calculation method is the same as that of Error1, thus we do not present it once again. When Error2 is 0, which shows that the clock performance of the node is normal, and under this condition, it will not affect the stability of the network. When the Error2 is not 0, it indicates that the clock drift rate of the node is abnormal, under this condition we need to adjust the clock correction value. If Error2 is modified, and Error1 returned to the state of not being 0, which would indicate that the former stability of the network is only a temporary phenomenon and the true synchronization state has not been achieved among the nodes.

Table 6 shows us the comparison of the phase deviations of non synchronous nodes before and after the improvement of the synchronization algorithm. In this table, for the fact that the Cycle8~Cycle9 has not yet started the clock correction, the contrast values of the two cycles are the same. And the phase deviation of Cycle9 is relatively high. Starting with the Cycle10, we use dynamic detection method. With the clock synchronization performance of the three synchronization nodes being continuously improved, the phase deviation value of the non synchronous nodes with different synchronization reference gradually reduces. The above shows us that the local time of the node is closer and closer to the global time, so the clock correction value of the node itself gradually becomes smaller.

|        | synchronous node reference |             |                      |             |                      |             |  |  |  |
|--------|----------------------------|-------------|----------------------|-------------|----------------------|-------------|--|--|--|
| period | synchronous<br>node1       |             | synchronous<br>node2 |             | synchronous<br>node3 |             |  |  |  |
|        | before                     | after       | before               | after       | before               | after       |  |  |  |
|        | improvement                | improvement | improvement          | improvement | improvement          | improvement |  |  |  |
| 8      | -200                       | -200        | -130                 | -130        | -70                  | -70         |  |  |  |
| 9      | -820                       | -820        | -560                 | -560        | -280                 | -280        |  |  |  |
| 10     | -169                       | -165        | -121                 | -117        | -118                 | -115        |  |  |  |
| 11     | -118                       | -113        | -107                 | -101        | -104                 | -99         |  |  |  |
| 12     | -109                       | -103        | -100                 | -93         | -98                  | -91         |  |  |  |
| 13     | -106                       | -97         | -92                  | -83         | -86                  | -78         |  |  |  |

Table 6. Comparison of phase deviation values among non synchronous nodes  $(unit:\mu T)$ 

## 3. The software design of FlexRay bus monitor

#### 3.1. Interface design of hardware of bus monitor

BG has its own independent clock synchronization mechanism. This mechanism monitors the TxEN CC (Data Enable Transmit) signals sent out by CC, and through the BGE (Guardian Enable Bus) [10] signal to control the data sent by BD. When CC chooses to send the data in the wrong time slot, BG will notify the host of the error message in an interruption form. Besides, it would disconnect the connection between the node and the network, that is to say, to prohibit the BD continuing to send out data. At the same time, CC would also monitor the BGE signal through BGSM (Guardian Schedule Monitoring Bus) [10]. If the time slot schedule BG

obtained functions abnormally, CC will report the error message to the host in an interruption form. Thus, we could define the signal transmission among BG and CC and BD hosts.

BG and the host can be connected through the Peripheral Interface Serial, namely SPI, to achieve configuration function of the host towards BG and send error interruption signal to the host when there is timing error in BG and CC. SPI interface uses the master-slave mode, and this mode is for the synchronous serial data transmission between CPU and peripheral low speed devices. The clock is controlled by the main device. When there is clock shift pulse, the data is transmitted bite by bite. And the high ones are sent earlier, and the lower ones are sent later. The transmission rate of full duplex communication is faster than the I2C bus, reaching up to a several Mbps. According to the connection method between BG and the host and the signal transmission definition, we can get a list of BG hardware interface as shown in table 7.

| BG name | connecting<br>object | BG pin             | Input /<br>output | Description                                           |
|---------|----------------------|--------------------|-------------------|-------------------------------------------------------|
|         |                      | RxD_A              | Input             | data received by BD (A)                               |
|         | BD (A)               | BGE_A              | output            | signals controlled by BD (A)<br>(enable $/$ disable)  |
| CC      |                      | $\overline{TxEN}A$ | Input             | control signal of CC towards BD (A)(enable / disable) |
| BG (A)  | 00                   | TBGE_A             | output            | $\begin{array}{llllllllllllllllllllllllllllllllllll$  |
| host    |                      | SCK                | Input             | clock signal                                          |
|         | host                 | SDI                | Input             | configuration information of BG (A)                   |
|         |                      | SDO                | output            | error interrupt information                           |
|         |                      | $\overline{SCSN}$  | Input             | enable signal of BG (A)                               |
| BD (B)  |                      | $RxD_B$            | Input             | the data received of BD (B)                           |
|         | DD (D)               | BGE_B              | output            | signals controlled by BD (B)(enable / disable)        |
|         | CC                   | $TxEN\_B$          | Input             | control signal of CC towards BD (B)(enable / disable) |
| BG (B)  |                      | TBGE_B             | output            | $\begin{array}{llllllllllllllllllllllllllllllllllll$  |
|         |                      | SCK                | Input             | clock signal                                          |
|         | host                 | SDI                | Input             | configuration information of BG (B)                   |
|         |                      | SDO                | output            | error interrupt information                           |
|         |                      | $\overline{SCSN}$  | Input             | enable signal of BG (B)                               |

| Table 7. Definition of BG interf |
|----------------------------------|
|----------------------------------|

#### 3.2. Software functions of the bus monitor

The host commands could be divided into two parts, of which one part is the commands sent by host to the CC, and the other part is the commands that the host uses to configure BG, which can be seen in table 8. The third column in the

table is the commands sent to the CC, but before the being sent out, we should firstly inform BG of these commands, so that BG could adjust the monitoring strategy in a timely manner; the fourth column in the table is the configuration command of BG.

| host command                                                | CC response                                                     | BG res                                                                                                                                 | sponse                                                                           |
|-------------------------------------------------------------|-----------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------|
| (POC state)                                                 | ee response                                                     | CC command                                                                                                                             | BG configuration com-<br>mand                                                    |
| ALL SLOTS<br>(normal active, normal<br>passive)             | At the end of the cycle,<br>CC retreat from single<br>slot mode | Change monitoring<br>strategy, and allow<br>CC to send data in all<br>stipulated time slots                                            | /(BG does not send data)                                                         |
| ALLOW_COLDSTART<br>(except default config,<br>config, halt) | Allows CC to perform<br>a cold start                            | Change monitoring<br>strategy, and per-<br>mit the deliveries in<br>CC that are consis-<br>tent with cold start<br>monitoring strategy | /(BG can't perform<br>the cold start cluster)                                    |
| CONFIG<br>(default config, ready)                           | Allow the configura-<br>tion of CC                              | /(unless BG need to follow the state of CC $)$                                                                                         | Allow the configura-<br>tion of BG                                               |
| CONFIG_COMPLETE (config)                                    | CC enters POC: ready                                            | /                                                                                                                                      | BG enters POC: ready                                                             |
| DEFAULT_CONFIG<br>(halt)                                    | Allow CC to conduct<br>the default configura-<br>tion           | /                                                                                                                                      | Allow BG to conduct<br>the default configura-<br>tion                            |
| FREEZE<br>(all the POC state)                               | CC enters POC: halt state                                       | Change monitoring<br>strategy, and prohibit<br>all the deliveries from<br>CC                                                           | BG enters POC: halt state                                                        |
| HALT<br>(normal active, normal<br>passive)                  | At the end of the cycle,<br>CC enters POC: halt<br>state        | Change monitoring<br>strategy, and prohibit<br>all the deliveries from<br>CC after the cycle is<br>ended                               | At the end of the cycle,<br>BG enters POC: halt<br>state                         |
| READY<br>(except default config,<br>config, halt, ready)    | CC enters POC: ready state                                      | Change monitoring<br>strategy, and prohibit<br>all the deliveries from<br>CC                                                           | BG enters POC: ready state                                                       |
| RUN<br>(ready)                                              | CC begin to start clus-<br>ter communication                    | Change monitoring<br>strategy, and monitor<br>the boot process of<br>CC                                                                | BG start to join the<br>cluster, but no clus-<br>ter communication is<br>allowed |
| WAKEUP<br>(ready)                                           | CC perform cluster awakening                                    | Change monitoring<br>strategy, and monitor<br>the awakening process<br>of CC                                                           | /(BG can't awaken the cluster)                                                   |

Table 8. Host command

## 4. The real-time and fault tolerance evaluation of steering system of FlexRay wire



4.1. The FlexRay communication module hardware

Fig. 3. EVB9S12XF512 evaluation board

In this paper, we choose the EVB9S12XF512 evaluation board of Freescale as basic ECU nodes, as shown in Figure 3. EVB9S12XF512 includes a 16-bit-microcontroller: MC9S12XF512 with FlexRay communication controller embedded in it, two FlexRay bus drivers: TJA1080 and a high speed CAN bus driver: MC33742.

(1) Micro controller MC9S12XF512

There is a XGATE co processor, 512K byte Flash and an embedded FlexRay communication controller in the micro controller MC9S12XF512. The package diagram of this micro controller is as shown in figure 4. In figure 4, XGATE is aimed to conduct fast interruption processing, thus it could reduce the load of CPU while conduct interrupt processing. Therefore, it provides a higher level of disruption, and through the sharing of some service procedures it could shorten the working time and process of CPU. XGATE, like CPU, is a programmable kernel that supports the C compiler. When the source is off, XGATE begins to run; when the interruption task is completed, it will stop all the clocks and wait for the next event, thus it could reduce power consumption. Therefore, although MC9S12XF512 is a 16 bit microcontroller, it can achieve the performance that of 32-bit microcontroller.

(2) The FlexRay bus driver

The FlexRay bus driver uses TJA1080 produced by NXP company, and it could provide data rate up to 10 Mbps. So it is suitable for working during the  $14V \sim 42V$ voltage range. And the electromagnetic radiation of FlexRay bus driver is low, and the input differential mode is adopted in this bus driver. The IO terminal voltage of the bus driver can altered by itself accordingly, at the same time, there is BGE interface reserved for the bus monitor. The chip provides 4 kinds of bus states: low



Fig. 4. The package diagram of the microcontroller MC9S12XF512

power state, idle state, data 1 state and data 0 state.

In order to achieve the voltage adaptive adjustment of the IO terminal, in the circuit, we connect drive voltage of the communication controller (namely the drive voltage of the microcontroller with the VIO pin of TJA1080. And then, no voltage conversion chip is needed to achieve the normal communication between TJA1080 and controller. The bus driver circuit that the channel B corresponds is similar to Figure 5, thus we left out this part.



Fig. 5. FlexRay bus driver circuit diagram

#### 4.2. Real Time and Fault Tolerance Evaluation

We integrate the steering, yaw warning and electronic stability control system to get the message scheduling scheme shown in table 6-5. The ST segment transmits a ST message containing a variable steering drive ratio and a steering wheel torque, and at the same time it starts and synchronizes this message. Due to the fact that the message in DYN segment is triggered by the event, so when the sensors are in normal state, this segment only receives yow warning and information related to steering in electronic stability control system; if a sensor failure happens, the correct variable steering transmission ratio or steering wheel aligning torque value will be sent in the previous dynamic slots (here the "correct" value could be obtained from the sending node based on the processing of the previous fault-tolerant calculation. Because that this aspect has nothing to do with FlexRay communication, not many researches are conducted) to correct the error value sent by ST segment in the cycle. In order to ensure the real-time performance of the system, in each cycle we should pre-use the fault-tolerance algorithm to calculate the variable steering drive ratio / steering wheel torque value as backup-information, when there is a fault in the sensor, the ST segment could directly send this value.

| NODE        |         | n1                                                                                                      | n2                                                                             |
|-------------|---------|---------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------|
| ST message  | send    | Start the synchronous frame<br>(the load data could be trans-<br>ferred into variable steering<br>ratio | Start the synchronous frame<br>(the load data is the steering<br>wheel torque) |
| DYN message | send    | the adjusted variable steering ratio                                                                    | the adjusted steering wheel torque                                             |
|             | receive |                                                                                                         | related to steering in electronic<br>y yaw warning and the nodes in<br>em)     |

Table 9. Message scheduling scheme

From the analysis of reference [11] and reference [12], we can know that the ideal transmission ratio is a two digits that is bigger than 0, and steering Chinese driver's preferred wheel torque range is  $1.75 \sim 4$ N.m. After comprehensively considering the influence of data accuracy on automobile safety and the general format of the automobile signals, we set the length of the load segment in ST message to be  $16 \times 16$  bits, that is to say the parameter gPayloadLengthStatic = 16.

DYN message includes the correct variable steering drive ratio / steering wheel torque value, yaw warning and electronic stability control system information related to steering, and its definition is as shown in table 10.

| DYN message                                                                                                              | Message<br>state | sensor<br>State   | numerical value                                                        | significance                                                                                                                                              |
|--------------------------------------------------------------------------------------------------------------------------|------------------|-------------------|------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------|
| the modified vari-<br>able ratio steering /<br>steering wheel torque<br>value( $16 \times 16$ bits)                      | send             | fault             | obtained according to<br>the fault tolerance al-<br>gorithm            | indicate rotation angle<br>of the steering motor or<br>self-aligning torque mo-<br>tor                                                                    |
| yaw warning / in-<br>formation related to<br>steering in electronic<br>stability control<br>system $(16 \times 16$ bits) | receive          | normal /<br>fault | obtained according to<br>sensor detection value<br>and logic algorithm | make the steering system<br>slightly generate correc-<br>tion steering force or<br>provide relevant infor-<br>mation for the steering<br>torque algorithm |

Table 10. DYN message definition

Based on the analysis of ST message and DYN message, we could conduct the configuration of the system parameters, as shown in table 11. Here, we set the data rate allocation of the FlexRay wire steering system to be 10Mbps, communication cycle length to be 5ms, and static slot to be slot1~ slot66. When the maximum value of the minimum time slot (minislot, shortened as (MS)) 22, the maximum value of dynamic slot is 22, and take into account the former static slot, we could get the starting number of dynamic slot to be slot67 with the maximum to be slot88.

Table 11. Configuration parameter table

| system parameters                           |                    | parameters in ST and DYN segments                   |                    |  |
|---------------------------------------------|--------------------|-----------------------------------------------------|--------------------|--|
| data rate                                   | $10 \mathrm{Mbps}$ | static slot number                                  | 66                 |  |
| the maximum value of simul-<br>taneous node | 15                 | static slot length                                  | $50\mathrm{MT}$    |  |
| the maximum length value of clock tick      | $1 \mu s$          | AP offset                                           | $3\mathrm{MT}$     |  |
| cycle length                                | $5000 \mathrm{MT}$ | load length of ST segment                           | 16*16bit           |  |
| length of ST segment                        | $3300 \mathrm{MT}$ | the maximum value of MS                             | 22                 |  |
| length of DYN segment                       | 880MT              | length of MS                                        | $40\mathrm{MT}$    |  |
| symbol window length                        | $15 \mathrm{MT}$   | AP offset of MS                                     | 3MT                |  |
| NIT length                                  | $805 \mathrm{MT}$  | the maximum value of the load length in DYN segment | 16*16bit           |  |
| start point of phase correction             | $4229 \mathrm{MT}$ | note: MTis macrotick for short, r                   | namely its unit is |  |
| digit number sent by TSS                    | 11                 | the biggest clock tick.                             |                    |  |

Due to the fact that the message sent by ST segment is not much, thus we need not to adjust the node-sending sequence or increase the number of static time slots, and we could simply select the maximum value of message length to be the best length value of static time slot. Considering the fact that if the time slots of sending the synchronous frames are too concentrated, it would affects the clock synchronization precision, so we choose to send ST message containing variable steering drive ratio and steering wheel torque in slot1 and slot4.

Before we arrange the scheduling of DYN segment, we should first conduct schedulability analysis on the systematic parameters in table 12. For the received DYN message is completed with FIFO disruption, we should pre-determine the transmitting slots before making DYN scheduling table, and then arrange the received time slots behind the sent slots. And we should notice that the schedulable analysis does not include message receiving. For the convenience of calculation, we uniform the parameter units for MS (according to Table 10, the length of a MS is gdMS = $40MT = 40\mu$ s), and we should simplify the cycles as ST segment and DYN segment, and the length of each segment is shown as the following.

 $STs = 3300MT \text{div} \ gdMS = 3300MT \text{div} \ 40MT = 82.5MS$ Tbus = Tbus = STs + DYNs = 82.5MS + 22MS = 104.5MS

| NODE | DYN message parameters |                              |      | parameters in DYN segment |          |          |
|------|------------------------|------------------------------|------|---------------------------|----------|----------|
|      | DYN message            | $M \mathrm{m} (\mathrm{MS})$ | LTxm | Tbus $(MS)$               | STs (MS) | DYNs(MS) |
| n1   | DM1                    | 2                            | 14   | 104.5                     | 82.5     | 22       |
| n2   | DM2                    | 2                            | 16   |                           |          |          |

Table 12. DYN message and parameters in DYN segment

In Table 12, the message length Mm could be from equations(9) and(10). The parameter values in the equations could be obtained from Table11 and the common protocol parameters, which include the action point phase value gdActionPointOffset = 3MT, the idle channel bounds digits number cChannelIdleDelimiter = 11gdBit, the maximum bite time  $gdBitMax = 0.10015\mu$ s, the minimum propagation delay  $gdMin-PropagationDelay = 0\mu$ s, the maximum propagation delay  $gdMaxPropagationDelay = 2\mu$ s, the maximum length of clock tick  $gdMacrotick = 1\mu$ s, the maximum clock deviation cClockDeviationMax = 0.0015, transmission start sequence TSS, length of TSS gdTSSTransmitter = 11 gdBit, frame start sequence FSS, length of FSS cdFSS = 1gdBit, frame end sequence FES(Frame End Sequence), length of FES cdFES = 2 gdBit, dynamic trailing sequence DTS, length of DTS gdDTS = 4 gdBit.

$$\begin{split} M_{m} =& 2 \times gdActionPointOffset[MT] + \\ &+ round(((aFrameLength[gdBit] + cChannelDelimiter[gdBit])) \\ &\times gdBitMax[\mu s/gdBit] + gdMinPropagationDelay[\mu s] \\ &+ gdMaxPropagationDelay[\mu s])/(gdMacrotick[\mu s/MT]) \\ &\times (1 - cClockDeviationMax))). \end{split}$$

$$aFrameLength[gdBit] = gdTSSTransmitter[gdBit] + cdFSS[gdBit] + 80gdBit + aPayloadLength[2 - byte - word] \times 20gdBit$$
(8)  
+ cdFES[gdBit] + gdDTS[gdBit].

Among them, MT is the largest clock tick of one unit. According to Table 10, we could know  $1MT = 1\mu s$ ; gdBit shows us that the unit is a bit of time, namely 1gdBit = 1/ bus rate = 1/10M = 100ns80gdBit in equation (9), corresponding to the first paragraph and the last paragraph of the message, includes 8 bytes. For the fact that while sending each certain bite, we need to add Byte Start Sequence(BSS), the equation is as the following

$$8 \times (8gdBit + cdBSS[gdBit]) = 8 \times (8gdBit + 2gdBit) = 80gdBit.$$
(9)

Load length value aPayloadLength is the word number of load segment, namely, the number of double byte word. Therefore, we need to multiply it with 20gdBit to get the digit number, here the 20gdBit could be obtained from equation(11).

$$2 \times (8gdBit + cdBSS[gdBit]) = 2 \times (8gdBit + 2gdBit) = 20gdBit.$$
(10)

Because both the load segment of DM1 and DM2 is  $16 \times 16$  bit, namely the word number aPayloadLength = 16, the message length is  $M_{Dm1,Dm2} = 2 \times 3 + round((418 \times 0.10015 + 2))$  div  $0.9985) = 50MT \approx 2MS$ .

LTxm is node parameter, and its value could be determined by the message length, MS number and data rate. Besides, we could allocate this value while initializing FlexRay module. For DM1, its data in load segment is the correct and variable steering ratio, and the message length is 2MS. For the number of MS in DYN segment is 22, DM1must be sent out in front of the MS whose serial number is 20(namely slot 86)Considering that, logically speaking, only after the driver completed steering operation, could he feel the corresponding steering wheel torque. Besides, the consequences of instructions that cause steering error or delays would be more serious. Therefore, we set the parameter value of LTxm in DM1 to be 14 (namely slot80), and the parameter value of LTxm in DM 2 to be 16 (namely slot82), thus set aside enough sending room.

The corresponding transfer decision-making process is as shown in Table 13, and the table corresponds with the dynamic programming process of two-dimensional array A[n][j]. Because the DYN message is little, the *n* in the table directly corresponds with message name. And *j* stands for the dynamic slot number 1 and 2 (i.e. slot67, slot68). Because we merely arrange two time slots of DYN message delivery, we would not consider the time slots after dynamic slot 2 (namely slot68).

| n                                       |       | j     |
|-----------------------------------------|-------|-------|
| ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, | 1     | 2     |
| DM1                                     | 120.5 | 119.5 |
| DM2                                     | 241   | 241   |

Table 13. Optimized dispatching decision-making process of DYN segment(unit:MS)

As the numbers in the last line of A array values are the same, and there is no other information of message scheduling to be used as the basis of making trade-off choices, we choose the priority solution of dynamic message shown in Table 13. In ZHUAN YOU

Table 13, the meaning of n and j is the same with that of them in table 12. And Mdlm is the deadline, Rtm is the worst-case response time, and diffm is difference between the above two, namely  $diff_m = Mdl_m - Rt_m$ . All DYN message should complete the information transmission at the critical value point, thus while setting Mdlm, we take the service quality 11.10 (higher than the critical value of Tp's 11) as benchmarks of Tpc, namely  $Tp_c = 13.6ms = (13.6 \times 1000)\mu sdiv gdMS = 340MS$ . Then we divide Tpc and Tbus exactly, and the left-out part be made up by the corresponding value of LTxm, as shown in equaiton (11). Because the complementary value is determined by the message parameter, the deadline reflects the importance of the message.

$$Mdl_m = round(Tp_c \operatorname{div} Tbus) \times (Tbus + LTx_m \times gdMS).$$
 (11)

Now, the dead line of DM1 is  $Mdl_{Dm1} = round(340 \text{div } 104.5) \times (104.5 + 14) = 355.5MS$ . The worst corresponding is the value of the ID frame value of dynamic time slot 2 (dynamic time slot 1 send DM2) in the second dispatching decision-making phase, namely  $Rt_{Dm1} = F_{Dm1} + S_{Dm1} + M_{Dm1} = 20 + 96.5 + 2 = 118.5MS$ . In the same way, the deadline of DM2 is  $Mdl_{Dm2} = 361.5MS$ , and the worst corresponding time  $Rt_{Dm1} = 120.5MS$ .

Table 14. Priority solution of DYN message(unit:MS)

| n   | j | Mdlm  | Rtm   | $di\!f\!f\mathrm{m}$ |
|-----|---|-------|-------|----------------------|
| DM1 | ŋ | 355.5 | 118.5 | 237                  |
| DM2 | 2 | 361.5 | 120.5 | 241                  |

 $diff_{Dm2} \ge diff_{Dm1}$  indicates that the worst-case response time of DM1 is close to the deadline. In order to guarantee the schedulability of the system, we should first send DM1, and assign the smaller frame ID value to FrameIDDM1. Thus we can get the time slot arrangement in table 15, namely the corresponding dynamic DM1 timeslot 1 (namely slot67), and the corresponding dynamic DM2 2 time slot (namely slot68). And then we receive information related to steering of the yaw warning and electronic stability control systems in the dynamic slot 3 and slot 4 (i.e. slot69, slot70). Due to the fact that the message sending timing is associated with the scheduling of the node, and the two nodes belong not to wire-control steering network, so we don't compare the arrangement orders while receiving time slots.

In table 15, the message sending of ST segment is achieved according to the schedule table, while DYN segment obtains the present message scheduling by dynamic programming algorithm. Therefore, we can adjust the arrangement according to actual condition. In this table, SM stands for the Static message, namely ST message; The abbreviation of Dynamic message is DM, namely DYN message; chAB means sending or receiving data with double channels, and chA means sending or receiving data only with channel A; n3 and n4 are respectively the nodes in yaw warning system and electronic stability control system. Due to the fact that the microcontroller MC9S12XF512 does not support the dual channel communication of DYN segment, so we only use channel A to send and receive message.

| Time slot   | MB delivery                                                                                     | MB receive | FIFO receive |  |  |  |
|-------------|-------------------------------------------------------------------------------------------------|------------|--------------|--|--|--|
| STsegment   |                                                                                                 |            |              |  |  |  |
| slot1       | n1, chAB, SM1(start and synchronous frame, and<br>the load data is the variable steering ratio) | n2, chAB   |              |  |  |  |
| slot4       | n2, chAB, SM2(start and synchronous frame, and the load data is the steering wheel torque)      | n1, chAB   |              |  |  |  |
| DYN segment |                                                                                                 |            |              |  |  |  |
| slot67      | n1, chA, DM1(the adjusted variable steering ratio)                                              |            | n2, chA      |  |  |  |
| slot68      | n2, chA, DM2(the adjusted steering wheel torque)                                                |            | n1, chA      |  |  |  |
| slot69      | n3, chA, DM3(information of yaw warning system)                                                 |            | n1 & n2, chA |  |  |  |
| slot70      | n4, chA, DM4(information of electronic stability control system)                                |            | n1 & n2, chA |  |  |  |

Table 15. Time triggered schedule

## 5. Conclusion

In this paper, we mainly study the FlexRay communication module of wire steering system, and make the communication function of the module could ensure the real-time and fault tolerance of the steer-by-wire system, so as to meet the safety requirements of steer-by-wire design in vehicles.

In terms of scheduling, we out forward two different optimization schemes. Because that, we used scheduling algorithm in the FlexRay static segment, the optimization scheme of this segment is on offline to determine optimal static parameter value and node transmission sequence, in this way to minimize the total response time of all static message. Dynamic segment of FlexRay is based on FTDMA, and this media's access mechanism has time triggering characteristic and is confirmable at the same time. Besides, this media contains the event triggering flexibility. Therefore, to optimize the dispatch of this segment, we must carry on the schedulability analysis based on the worst-case response time of the message to make the optimal scheduling process always meet the prerequisite of system scheduling. And we adopt the optimized scheduling algorithm based on dynamic programming, that is to say, through multi-stage decisions to gradually find the optimal scheduling dynamic segment arrangement. At the same time, we summarize priority solution of the dynamic message.

In the aspect of clock synchronization, we introduce the concept of phase deviation state diagram. We replace the real time intervals with continuous time intervals, and based on the more accurate clock discrepancy information to improve the network synchronization accuracy; and according to the weight changes of the state diagram, and conduct real-time and dynamic evaluation of the synchronization clock performance of the synchronization nodes and the stability of the network to make each node's local time be closer to the global time.

### Acknowledgement

This work was supported by Senior Visiting Engineers Plan Funded Project of Higher Vocational Institutions in Jiangsu Province(2015FG007).

#### References

- [1] HANZLIK: (2006) A Case Study of Clock Synchronization in FlexRay. Technical Report in Real-time Systems Group, May 2006.
- [2] PAUL MILBREDT, MARTIN HORAUER AND KONRAD REIF: (2007) Wakeup and Startup of Flexray Cross Linkings. ATZelektronik worldwide Edition, 2007(4):30-32.
- [3] P. M. SZECOWKA, M. A. SWIDERSKI: (2007) On Hardware Implementation of Flexray Bus Guardian Module. International Conference on Mixed Design of Integrated Circuits and Systems 2007 (MIXDES '07), June 2007: 309-312.
- [4] JUAN R. PIMENTEL: (2004) An Architecture for a Safety-Critical Steer-by-Wire System[R]. 2004 Society of Automotive Engineers, 2004-01-0714.
- [5] JOACHIM LANGENWALTER, TOM ERKKINEN: (2004) Embedded Steer-by-Wire System Development. Embedded World, February 2004:17-19.
- [6] PAUL YIH, J. CHRISTIAN GERDES.: Steer-by-Wire for Vehicle State Estimation and Control. (AVEC), (2004).
- [7] THOMAS F, FLORIAN H, ROBERT H, ET AL.: (2003) Flexray-the communication system for future control systems in vehicles. Tech. Report Paper, SAE World Congress, 3: 1-110.
- [8] CLAESSON V, EKELIN C, SURIN: (2003) The event-triggered and time-triggered medium- access methods. Sixth IEEE International Symposium on Object-Oriented Real-Time Distributed Computing (ISORC'03), 2003:131-134.
- DOO-HYUN KIM, EUN HWAN JO, MOON HAE KIM: (2004) Time-triggered and message-triggered object architecture for distributed real-time multimedia services. PCM, 2004:330-337.
- [10] ROMAN OBERMAISSER, PHILIPP PETI, FULVIO TAGLIABO: (2007) An integreated architecture for future car generations. Real-Time Syst, 2007:1-30.

Received May 7, 2017