Apply the Latest CAN Bus Enhancements for Secure Reliable High-Speed Automotive Communications
Contributed By Digi-Key's North American Editors
Designers have relied for many years on controller area networks (CANs) for reliable communications between an automobile’s various subsystems and electronic control units (ECUs). However, as the number of on-board network nodes increased, so too has the required data throughput and a demand for lower latency and more advanced security, all within tight size, weight, and cost constraints. Still, many designers would prefer not to change network topologies, and thanks to steady improvements to the CAN specification and related IC solutions, they don’t have to.
Moving to another network topology is difficult due to loss of prior investments and the potential for design delays as designers move up the learning curve. But that can be avoided by looking again at CAN specification enhancements, such as CAN Flexible Data-Rate (FD) for higher throughput, the use of techniques such as partial networking to handle leakage and interference, the use of tighter timing margins to ensure reliable communications at higher data rates, and enhanced security.
Also, CAN transceiver providers have themselves responded to design requirements with more integrated solutions that incorporate the CAN enhancements to better serve emerging applications such as advanced driver assistance systems (ADAS), powertrains, and infotainment.
This article briefly discusses CAN and its enhancements, including how designers can manage the transition to more advanced iterations, such as CAN FD. Along the way, it will introduce suitable CAN solutions and how to go about using them for faster data rates, higher reliability, and greater security.
CAN Flexible Data-Rate
With vehicles now having more electronics on board, designers require higher performance, but instead of moving to an entirely different network, they can take advantage of CAN enhancements, starting with CAN FD. This provides for rates of up to 5 Mbits/s, compared to 1 Mbit/s (max) for the original CAN specification, defined in the ISO 11898 standard. That data rate limitation forced automotive designers to add more CAN network devices and connections inside the vehicle, inevitably leading to more wiring, power losses, and weight.
The CAN FD standard solves the bandwidth dilemma while taking data rates to 2 Mbits/s in nominal conditions and 5 Mbits/s in programming mode. This major CAN enhancement comes with a modified frame rate that ups the data field from 8 bytes to 64 bytes for more effective support of data-intensive applications (Figure 1).
Figure 1: The CAN FD standard, updated in 2012, extends the maximum number of data bytes in the payload from 8 to 64 bytes. (Image source: Microchip Technology)
Transitioning from classical CAN to CAN FD
The amount of data transported across in-vehicle networks is constantly rising amid the addition of camera and sensors, including those for advanced driver assistance systems (ADAS). While higher speed CAN FD networks can help, they do require greater precision during development. At higher data speeds, for instance, the available margin to stabilize the bit value shrinks quickly, increasing the potential for errors and undermining CAN’s inherent reliability.
There are also issues such as interference leakage current that can be generated from higher speed data transport within the CAN network. In addition, implementing a CAN FD system alongside classic CAN poses a significant challenge in terms of ensuring that no errors are introduced due to a hybrid network arrangement.
To help address some of these issues, Microchip Technology introduced the MCP2561/2FD high-speed CAN transceiver. This device offers the same core features as its predecessor, the MCP2561/2, but adds guaranteed loop delay symmetry in order to support the higher data rates required for CAN FD (Figure 2). That, in turn, reduces the maximum propagation delay in order to support longer network connections and more nodes on the CAN bus. Specifically, the MCP2561/2FD CAN transceiver has a maximum propagation delay of 120 nanoseconds (ns).
Figure 2: The MCP2561/2FD CAN transceiver has guaranteed loop symmetry which enables longer network connections and more nodes on the CAN bus. (Image source: Microchip Technology)
Microchip and other CAN transceiver suppliers are also implementing the partial networking mechanism compliant with the ISO 11898-2:2016 standard. Partial networking ensures a smooth transition from classical CAN to higher speed CAN FD systems by supporting selective wake-up functionality and autonomous bus biasing.
For example, NXP Semiconductors’ TJA1145 high-speed CAN transceiver supports data rates of up to 2 Mbits/s and incorporates partial networking via a selective wake-up function called FD Passive. It allows regular CAN controllers that do not need to communicate CAN FD messages to remain in sleep/standby mode during CAN FD communication, without generating bus errors.
Eventually, all CAN controllers will be required to comply to the high-speed CAN bus standard, turning all CAN bus nodes into FD Active nodes. But until then, partial networking will bridge the gap between the classical CAN and CAN FD worlds.
NXP is also offering the CAN FD Shield technology that dynamically filters the CAN FD messages using a highly accurate oscillator. As with partial networking, the CAN transceivers employing the FD Shield functionality offer drop-in replacement for the existing transceivers and so don't require software changes. NXP has completed the assessment of its FD Shield technology with the Automotive Open Systems Architecture (AUTOSAR) and is making the samples available to major automotive OEMs and Tier-1 suppliers.
Bus protection with smaller CAN transceivers
Along with faster data rates, designers can take advantage of highly integrated CAN solutions that reduce the BOM cost and board space. However, the devices are often near each other as well as other sensitive electronics, so care must be taken that they don’t cause interference, or become susceptible to interference, so electromagnetic interference (EMI) and noise immunity are important characteristics. Often CAN transceivers use discrete filters, common-mode chokes and transient voltage suppression (TVS) devices to counter the ESD and EMI-centric problems.
For more on the important topic of TVS for CAN bus, see “Design-In TVS Diode Protection to Enhance CAN Bus Reliability.”
However, automotive designers are increasingly looking for ways to reduce weight and cost in CAN-based designs. For example, the TCAN1042 and TCAN1051 transceivers from Texas Instruments have removed the choke to reduce the component count while still complying with strict noise immunity requirements (Figure 3).
Figure 3: The TCAN1042 CAN transceiver provides protection features to enhance CAN robustness and is used in applications such as automotive HVAC control modules and RF smart remote controls. (Image source: Texas Instruments)
The protection against high bus fault and electrostatic discharge (ESD) is crucial in CAN systems which are now catering to 12 volt, 24 volt, and 48 volt battery requirements in vehicles, as well as 24 volt industrial power supplies. It guards CAN bus pins against short-to-DC voltages with better matching of the output signals.
The TCAN1042 and TCAN1051 transceivers provide ESD protection of up to ±15 kilovolts (kV), which potentially eliminates the need for external TVS diodes. Also, designers can quickly and easily evaluate the performance of these CAN transceivers with an evaluation module, the TCAN1042DEVM, which also provides information on CAN bus termination, CAN bus filtering, and protection concepts.
CAN's next frontier: security
CAN-based in-vehicle networks for linking ECUs are relatively simple and easy to use. However, a single ECU with compromised security can leave the whole vehicle vulnerable to hacks. A widely known option for protecting CAN communications is based on the message authentication code (MAC) mechanism that employs cryptography and complex key management. However, encryption of CAN messages increases CAN bus load, message latency, and power consumption. There is also the difficulty of upgrading in-vehicle networks for secure CAN communications due to lack of compute power in currently installed CAN controllers.
More recent CAN transceivers come with simpler mechanisms that circumvent the bandwidth overhead, delays, and processing load. These secure CAN transceivers can filter the message IDs, so if a compromised ECU attempts to send a message with an ID that is originally not assigned to it, the transceiver can refuse to transmit it to the CAN bus (Figure 4). Along with preventing spoofing attempts, a CAN transceiver can prevent tampering and flooding attacks by invalidating the message from the compromised ECU.
Figure 4: To reduce latency and bandwidth requirements while securing the CAN network, more recent transceivers are filtering message IDs. (Image source: NXP Semiconductors)
These CAN transceivers provide security against flooding, spoofing, and tampering without using cryptography. They can detect a cyber incident if the message gets invalidated on the bus with an active error flag. Next, the secure CAN transceiver temporarily disconnects the local host from the CAN bus.
However, if no security threat is detected, the CAN transceivers act like a standard high-speed CAN transceiver. In other words, these secure CAN transceivers can be a drop-in replacement for standard CAN transceivers in a similar package.
What suppliers like NXP are doing here is implementing security functionality entirely in hardware, allowing CAN transceiver security operations to be performed independently from CAN controllers. That, in turn, avoids the need for software changes on the ECU and the associated risk of ECU operation disruption.
Furthermore, the secure CAN transceiver keeps a log for reporting the security incidents on the bus. These CAN transceivers can also protect their own configuration updates and thus can act as an intrusion detection system.
The CAN bus began its journey back in 1983 but as this article has shown, it has adapted well to the automotive electronic designers’ communications requirements. First and foremost, CAN transceivers are going through a makeover with the transition toward the higher speed CAN FD networks. Second, CAN transceivers are improving reliability while reducing the BOM cost and design footprint by eliminating external components such as common-mode choke and TVS diodes. Finally, CAN transceivers are playing their part in securing the CAN bus by embedding security functionality into the transceiver hardware. The latter not only secures just the CAN bus, but the future of the connected car.
Disclaimer: The opinions, beliefs, and viewpoints expressed by the various authors and/or forum participants on this website do not necessarily reflect the opinions, beliefs, and viewpoints of Digi-Key Electronics or official policies of Digi-Key Electronics.