A Look at New Open Standards to Improve Reliability and Redundancy of Automotive Ethernet

By Arthur Marris, Sachin Dhingra, Robert Schweiger (Cadence Design Systems)

Abstract

To meet the safety and deterministic latency requirements for controlling a car, a new set of open standards is being developed, collectively referred to as “Time Sensitive Networking,” or TSN. These improve the reliability, timing, redundancy, and failure detection ability of Ethernet to the level where it can be applied throughout an automobile. This article describes how Cadence has addressed the hardware requirements of TSN in its Automotive Ethernet Media Access Controller (MAC).

Making More Sophisticated Automotive Applications Possible

There is a shared vision for Ethernet in the automobile industry. Based on an advanced network architecture, Ethernet enables progression of more and more sophisticated applications, from infotainment to ADAS to control of mission-critical systems. One of the initial applications is the fusion of sensors such as radar and camera systems via high-performance embedded CPUs. The next step for Automotive Ethernet is to directly control powertrain and chassis for mission-critical functions such as braking, steering, transmission, and engine control. The final step encompasses the connectivity of all mentioned functions to enable truly autonomous driving.

Communication Protocol Requirements

More functionality means more requirements for Ethernet to connect all the components in an automobile. The increasing number of components, including processors, cameras, and sensors such as radars, not only increases the bandwidth required but also require time-critical data to be transferred reliably. This requires provisions for deterministic and low-latency transmission, especially for mission-critical controls. For instance, dropping of a packet in an application such as collision avoidance, leading to failure of timely braking, could be catastrophic. Similarly, autonomous driving will not be possible if the system bandwidth is not sufficient to support data to be aggregated from multiple cameras and sensors. To summarize, there are three key requirements:

• Bandwidth
• Safety and reliability
• Latency

From an Ethernet perspective, bandwidth primarily applies to the PHY layer. Reliability and latency primarily apply to the MAC layer.

Meeting Safety and Low-Latency Requirements

Open standards are being developed to meet safety, reliability, and latency requirements of future ADAS functions and autonomous systems. These standards ensure reliable and timely inter-operation between all the components in an automobile. IEEE 802.1 is the official standards body for Ethernet switching and control of data transmission (whereas IEEE 802.3 is the official standards body for Ethernet PHYs). To meet the safety and low-latency requirements for controlling automobiles, IEEE 802.1 is developing a new set of open standards, collectively referred to as TSN. TSN enables low-latency, deterministic, and reliable transmission of synchronized packets. TSN is a super-set of the Audio-Video Bridging (AVB) standard, which describes how to guarantee bandwidth and enable data synchronization over Ethernet to ensure a high quality of service (QoS). It specifies precision of less than a microsecond and implementation which more than exceeds the requirements for many mission-critical functions.

The main TSN standards are:

Standard	Description
802.1AS-Rev	Timing and Synchronization for Time-Sensitive Applications
802.1Qbu/802.3br	Frame Pre-Emption
802.1Qbv	Enhancements for Scheduled Traffic
802.1Qcc	Stream Reservation Protocol (SRP) Enhancements and Performance Improvements
802.1CB	Frame Replication and Elimination for Reliability
802.1Qch	Cyclic Queuing and Forwarding
802.1Qci	Per-Stream Filtering and Policing

Closer Look at Time-Sensitive Networking Standards

By introducing redundancy in the grand master clock and failure detection, 802.1AS-Rev makes setting the real-time clocks in the ECUs more reliable and addresses ISO 26262 functional safety requirements. The 802.1Qbv standard adds “time-aware queue-draining procedures” based on timing derived from 802.1AS. It allows “simultaneous support of scheduled traffic, credit-based shaper traffic, and other bridged traffic,” according to IEEE. It adds transmission gates to the eight priority queues, which means that low-priority queues can be shut down at specific times for higher priority immediate access to the network at specific times. This results in guaranteed access for high-priority, low-latency control frames (this is similar to Time Triggered Ethernet previously specified by the SAE in 2011 - AS6802) and allows periodic transmission of AVB traffic such as IEEE 1722 talker class A streams, which need frames to be transmitted every 125 microseconds. 802.1Qv introduces the concept of a guard band, which is a time period during which traffic cannot start transmitting to ensure control frames can be sent out at their scheduled time.

Pre-emption, as defined in 802.1Qbu and 802.3br, allows this guard band to be kept to a minimum. Pre-emption allows a frame to be fragmented after its transmission has started. In other words, a higher priority frame can interrupt the transmission of a lower priority frame. The 802.3br standard defines the necessary encapsulation and checksums for the frame fragments, which have a minimum size of 64 bytes.

Pre-emption and control of transmit queues concern traffic being transmitted on the egress port.

The 802.1Qci standard is at an early stage and is focused on traffic being received at the ingress port. Its purpose is to mitigate the effects of nodes that operate incorrectly (e.g. babbling idiot). It defines “policing and filtering functions that include the detection and mitigation of disruptive transmissions by other systems in a network, improving the robustness of that network”.

802.1CB is also at an early stage and introduces seamless redundancy and failure detection. Failure detection is important for functional safety. 802.1CB adds frame replication and elimination. For example, network nodes might be connected in a ring with traffic being sent in both directions so it takes two separate paths to reach its destination. At the receiving node, the 802.1CB standard defines how the duplicate frames are eliminated.

For functional safety, high availability, redundant fault-tolerant design, and rapid failure detection are important. A ring topology is a way of introducing redundancy in the network. To fulfill the requirements of the ISO 26262 standard, robust failure detection mechanisms are essential prerequisites. The 802.1CB and 802.1AS-Rev standards introduce methods for failure detection.

Cadence, for many years, has been offering Ethernet MAC products targeting automotive applications using AVB standards and, more recently, using TSN standards. The MAC supports multiple transmit queues, with recently added support for 802.1AS-Rev and 802.1Qbv, by implementing a gate-on timer and a gate-off timer for each transmit queue.

Block diagram of the Cadence Ethernet Media Access Controller

To support time-critical data, a time-aware Shaper is needed in combination with a credit-based shaper, whose task is to minimize the communication latency and jitter.

Figure 1 shows the effects of pre-emption (with TA activated) on two outgoing queues that serve time-aware data (TA) and other data (O).

Figure 1: Example of pre-emption – the insertion of time-critical data between other data with the MAC Merge Sublayer Module

The lowest pre-emptable Frame O1 is divided into two data fragments (O1) by a special hardware module in the MAC, the so called MAC merge sublayer (figure 2).

To reduce the latency, time-critical class A data TA1-TA3, due to their higher priority, are inserted between non time-critical data fragments O1.

Within the guard band, the transfer of non-critical data is blocked. This ensures that new incoming time-aware (with high priority) data packages will not be blocked by other data (O). Transferred data not only gets prioritized but is now also deterministic which is essential for control systems.

802.1Qbu pre-emption requires hardware support, and Cadence offers a solution to provide the necessary hardware. Cadence offers a solution where a MAC Merge Sublayer (MMSL) module is instanced with two Ethernet MAC instances. One for the pre-emptable MAC (pMAC) and the other for the express MAC (eMAC). The eMAC is only required to support a single transmit queue. When pre-emption is disabled, the MMSL arbitrates between eMAC and pMAC on a frame-by-frame basis. The eMAC still has highest priority, but the frames transmitted from the pMAC will go out unmodified.

When pre-emption is activated, the MAC Merge Sublayer (MMSL) in accordance with section 99 of the 802.3br Standard, is able to split pre-emptable MAC (pMAC) Frames. The MMSL also capable of sending “verify mPackets” and to recognize their reception. On receiving a “verify mPacket” the MMSL sends “response mPacket”. A ‘response-Frame’ is automatically transmitted upon arrival of a ‘verified packet’. The verify-response process ensures that pre-emption is only enabled when both sides of the link are able to support it.

Figure 2: TSN-Hardware Implementation of the MAC Merge Sublayer

Cadence has also added support for 802.1CB where the MAC is able to recognize and automatically discard duplicated frames. Cadence plans to add support for 802.1Qci once the standard becomes more definite.

Summary

The new TSN standards, serving as the next-generation AVB Transport Protocol, provide all the features to fully address ISO 26262 requirements and expand the deployment of Automotive Ethernet to safety-critical systems. TSN standards aim to improve the robustness, reliability, redundancy, and failure-detection ability of Ethernet to the level where it can be used for real-time control and for applications where safety is of paramount concern. Cadence believes Automotive Ethernet to be a very significant technology and is developing solutions for this in its Ethernet MAC product family.

About Authors

Arthur Marris is a Senior Principal Design Engineer at Cadence Design Systems, Inc. responsible for the architecture of Ethernet MACs. He has over 30 years’ experience in the semiconductor industry having spent 18 years at Cadence, and previously 14 years at Texas Instruments. Arthur is involved with industry standards development particularly within IEEE 802.3.

Sachin Dhingra is a Product Marketing Manager in the IP Group at Cadence Design Systems, Inc. responsible for PCIe, Ethernet, and MIPI Interface controllers. Prior to Cadence, he held positions in marketing, sales and engineering groups at Altera (now Intel) and Achronix. Sachin received his MS in Electrical and Computer Engineering from Auburn University.

Robert Schweiger is Director Automotive Solutions, EMEA at Cadence Design Systems Inc. responsible for the Automotive business development. In this role he is driving the development of Automotive Solutions across all Cadence product lines covering tools, IP and services. He is also representing Cadence as a technical member at the OPEN Alliance SIG to help to define the requirements for the deployment of Automotive Ethernet in cars. Robert has a master degree in Electrical Engineering.