The invention relates to a method for transmitting safety-relevant data in a motor vehicle by means of an Ethernet standard, particularly the Ethernet IEEE 802.3 standard which, possibly in conjunction with the IEEE 802.1 Q standard, is also designated as IEEE 802.3 MAC tagged. The transmission of the safety-relevant data in the motor vehicle takes place from a transmitter via at least one intermediate node, also called “Switch” or “Bridge”, to a receiver. Generally, transmitter, receiver and intermediate node are control devices which handle the function of the data transmission and possibly additional functions.
In the method for transmission it is provided that the safety-relevant data are sent from the transmitter in an Ethernet packet, the Ethernet packet having an Ethernet frame with the data content. The data content contains communication information and data.
Essential communication information is the destination address, the transmitter address and the Ethernet type which describes the payload of the Ethernet frame (i.e. its subprotocol). The other data include the content of the safety-relevant data to be transmitted and possibly control fields such as a checksum.
As part of the transmission, the or each intermediate node receives an Ethernet packet and evaluates at least a part of the communication information from the data content. In particular, the destination address, the transmitter address and the Ethernet type are read and taken into consideration in the further processing of the data packet. The further processing provides, in particular, for the forwarding of the Ethernet packets in accordance with the evaluated communication information.
The transmission of the safety-relevant data is concluded when the receiver receives the Ethernet packet and evaluates the communication information from the data content. If, on the basis of this evaluated communication information, it is actually the receiver of the safety-relevant data, the data from the data content are also evaluated because the transmission of the safety-relevant data is thus ended. In the intermediate node, i.e. during the transmission of the safety-relevant data, this content evaluation does not take place. It is only a faulty frame (CRC error) which would already be discarded here.
This above method corresponds to Ethernet standard IEEE 802.3, as defined and generally available at http://standards.ieee.org.
The background of the present invention is that the Ethernet is increasingly used also in the motor car as new networking technology. Instead of the Ethernet, proprietary real-time-capable busses are currently used in motor cars for the data communication which, due to the desired safety, necessitate a comparatively complex architecture of the communication network. For this purpose, the FlexRay bus used as real-time-capable communication bus offers a redundant channel for increasing the fault tolerance.
So that Ethernet can replace the real-time-capable communication busses currently used in the motor car and leads to an architecture which, overall, is less complex due to scale effects, Ethernet also has to support functions for achieving redundancy. This is of higher-level significance particularly with regard to future assistance functions because the planned assistance functions are intended to partially take over control of the vehicle completely. This requires a high degree of safety and corresponding redundancies in the communication channel. In this context, both the hardware (for example dual sensors, dual cabling) and the software (distributed virtual systems) can be designed redundantly.
Ethernet already offers functions today such as the STP (Spanning Tree Protocol) and the RSTP (Rapid Spanning Tree Protocol) in order to find new communication paths in the network if a communication path is disturbed, for example due to a cable or link which no longer operates. Naturally, this is only possible if in the network another communication path is available physically. The STP or RSTP protocols allow in such a case a rapid switch-over during operation. Furthermore, a trunking function is described as part of the Ethernet applications for grouping lines.
However, since Ethernet had been developed originally for other purposes, it does not itself offer the fault tolerance achieved by the proprietary communication busses in current motor cars.
If it is planned to use Ethernet as backbone network in the car, solutions are necessary so that Ethernet, too, can offer to the current systems comparable functions for redundancy. Otherwise, the proprietary field busses still have to be used which have a reduced range of functions and lead to increased complexity and more costs.
The data rate of these proprietary field busses, which are used today for safety-critical systems in the motor car, will also be no longer adequate in the foreseeable future since it has already reached its capacity limit for the systems already present today in the motor vehicle.
Errors in the transmission can occur in the Ethernet mainly due to the fact that, due to lacking electromagnetic compatibility (EMC), overload or other influences, individual data packets (Ethernet packets) are lost or corrupted at any time. This is shown diagrammatically in FIG. 1 which shows the transmission of an Ethernet packet 51 in a transmission system 50 according to the Ethernet standard. The transmission takes place between a first control device 52 used as transmitter and a second control device 53 used as receiver. On the transmission path 54, the Ethernet packet is damaged by a disturbance 55. Due to this damage, the damaged Ethernet packet 56 can no longer be read or utilized in the receiver 53 and has to be discarded.
Although the Ethernet standard offers the possibility of recognizing such damage with very high probability, a restoration of the original data is not provided for, however. Although, it is possible in principle that the receiver 53, in the case of receiving a damaged Ethernet packet 56, again requests the lost or defective Ethernet packet 56 at the transmitter 52. This can be achieved, for example, via the TCP protocol, the processing of which, however, only takes place in subsequent processing layers of the receiver and is not possible immediately in connection with the data transmission. In addition, communication back from the receiver 53 to the transmitter 52 is necessary before the data packet is sent out again. In the case of safety-critical applications, for example a braking process, such a communication process for establishing a redundancy can take too long even if protocols like TCP or IP can detect lacking data packets by means of sequence numbers and request them again.
In addition, it is only the receiver which can detect the lack of a data packet and request it again at the transmitter. This cannot be done by possible intermediate nodes used for forwarding the Ethernet packets because they do not operate at this layer.
Against this background, the object of the present invention lies in designing a communication according to the Ethernet standard to be more failure proof and to provide a redundant communication.