CN108737187B

Movatterモバイル変換

Info

Publication number: CN108737187B
Application number: CN201810505715.0A
Authority: CN
Inventors: 董剑; 左德承; 刘宏伟; 罗丹彦; 张森; 张展; 舒燕君; 吴晋
Original assignee: Harbin Institute of Technology Shenzhen
Current assignee: Harbin Institute of Technology Shenzhen
Priority date: 2018-05-23
Filing date: 2018-05-23
Publication date: 2021-07-20
Anticipated expiration: 2038-05-23
Also published as: CN108737187A

Abstract

Translated fromChinese

一种CAN总线故障模拟系统及故障模拟方法，本发明涉及CAN总线故障模拟系统及故障模拟方法。本发明为了解决现有技术故障注入的操作过程复杂、只能进行物理层故障注入以及不能直接返回故障注入结果的问题。本发明包括：信息收发模块、故障注入模块和控制软件模块；所述信息收发模块用于将来自两端的目标机的数据帧进行数字信号和模拟信号的转化；所述故障注入模块用于根据控制软件模块发送的数据，对CAN总线的链路层或物理层进行故障注入；所述控制软件模块用于提供人机交互界面，发送故障注入参数到故障注入模块；所述故障注入参数包括故障注入方式、故障的时间类型、注入位置。本发明用于计算机可靠性评价领域。

A CAN bus fault simulation system and a fault simulation method, the invention relates to a CAN bus fault simulation system and a fault simulation method. The present invention solves the problems that the operation process of fault injection in the prior art is complicated, only physical layer fault injection can be performed, and the fault injection result cannot be directly returned. The invention includes: an information transceiver module, a fault injection module and a control software module; the information transceiver module is used to convert the data frames from the target machines at both ends to digital signals and analog signals; the fault injection module is used to control The data sent by the software module performs fault injection on the link layer or physical layer of the CAN bus; the control software module is used to provide a human-computer interaction interface, and sends the fault injection parameters to the fault injection module; the fault injection parameters include fault injection. mode, time type of failure, injection location. The invention is used in the field of computer reliability evaluation.

Description

CAN bus fault simulation system and fault simulation method

Technical Field

The invention relates to a CAN bus fault simulation system and a fault simulation method.

Background

The fault simulation and injection mode is a supplement method of the system reliability evaluation method, and is really an important means for evaluating the system reliability until the end of the 20 th century. Since the research on fault injection is started earlier abroad, the design method of the fault injection technical tool is ahead of China.

For the evaluation of the fault tolerance performance of the system, because the requirements of different systems are different, the error frequency and the recovery capability of the system are predicted by adopting different methods, and the method is generally divided into three categories: simulation-based methods (analytical modeling methods), test-based analytical methods (statistical analysis methods), and fault injection methods based on prototype systems. Compared with the former two modes, the fault simulation is easier to realize, people commonly use the fault injection means to evaluate the reliability of the system, and the most commonly used means comprises physical fault injection and simulation fault injection. Due to the different locations of fault injection, physical fault injection can be subdivided into hardware fault injection and software fault injection.

Since the development of fault injection devices has matured abroad, in 2003, Zarandi H R et al proposed a fault simulation tool called SINJECT that supports reliability analysis models for a variety of digital systems, which provides temporary and permanent fault simulation of Verilog and VHDL digital circuit models.

For the research of the CAN bus, Gessner D et al have performed a preliminary realization on a physical layer fault simulation method of the space CAN bus, the fault simulation device replaces the CAN bus topology with a star topology centering on a fault injection integration device, and the fault simulation is performed on a CAN bus controller and software of a node, so that the CAN bus site CAN be more transparent.

For the research of the protocol layer inside the CAN bus, Corno F et al show how two abstract protocol layers interact with each other to ensure correct data transmission, and this technique is successfully used for fault identification affecting the dynamic network of the CAN bus.

Domestic research on fault injection is also gradually rising. The university of inner Mongolia proposes a non-switching CAN bus redundant communication system, describes a double redundant structure of the system, discusses a specific implementation method, and improves the basic principle of system protocol design and a redundant information processing method based on J1939.

The Beijing university of aerospace carries out research and design on a dual-redundancy CAN bus test platform, and develops a Matlab simulation tool, a message analysis tool and a fault injection tool based on the test environment of a plurality of nodes.

Disclosure of Invention

The invention aims to solve the problems that the operation process of fault injection in the prior art is complex, only physical layer fault injection CAN be carried out, and a fault injection result cannot be directly returned, and provides a CAN bus fault simulation system and a fault simulation method.

A CAN bus fault simulation system comprising: the system comprises an information transceiving module, a fault injection module and a control software module;

the information transceiving module is used for converting the data frames from the target machines at the two ends into digital signals and analog signals;

the fault injection module is used for performing fault injection on a link layer or a physical layer of the CAN bus according to data sent by the control software module;

the control software module is used for providing a human-computer interaction interface and sending fault injection parameters to the fault injection module; the fault injection parameters comprise a fault injection mode, a fault time type and an injection position.

Because the star topology is that the load of the middle integrator is larger, the reliability is lower, in order to make the reliability of the transmission data increase, the invention has adopted the bus type topology, according to CAN bus repeater mode, through carrying on the fault injection in the data received at the repeater node, and then send back to each node, thus observe the change of each node message content and judge whether to inject into and succeed, make the operation simple and easy. The method based on the CAN relay node has the right to check the system, and the working mechanism of the protocol layer CAN be monitored and modified and CAN also determine the source of the data sent by each node to and received by the node.

A CAN bus fault simulation method comprises the following steps:

the method comprises the following steps: detecting the injector through a detection module, if the working states of the injector and a communication link are normal, setting fault injection parameters through an injection interface submodule, and generating fault injection parameters through a parameter generation module; if the working states of the injector and the communication link are abnormal, the injector and the communication link are debugged;

step two: sending the fault injection parameters generated in the step one to a fault injector, setting a fault level type register in a fault injection module according to the fault injection parameters, when the value of the register is 0x00, indicating that a link layer fault is injected through a link layer fault module, and when the value of the register is 0x01, indicating that a physical layer fault is injected through a physical layer fault module;

step three: the results of the faulty injector are obtained by the result analysis module.

The invention has the beneficial effects that:

the system of the invention adopts a method integrating two modes of embedded hardware injection and software injection, and realizes the injection of different types of faults into a protocol layer and a physical layer of a communication system. The protocol layer realizes the injection of faults of different time types, triggering modes and positions, and the physical layer realizes the faults of different time parameters and level parameters. Meanwhile, fault control software is designed at the host machine end, so that a user can conveniently set faults when using the system, the whole fault injection operation process is simplified, and the fault injection result can be returned.

In order to verify the function of the fault simulation system, the method builds a CAN bus experimental environment and injects the fault into the CAN bus experimental environment. Experimental results show that the system successfully realizes the injection of various faults and meets design requirements. Meanwhile, the fault injection result information CAN be recovered and stored and fed back to the user in real time, and effective support is provided for the evaluation of the fault tolerance performance of the CAN bus.

Drawings

FIG. 1 is a functional block diagram of the system of the present invention;

FIG. 2 is a system architecture diagram of the present invention;

FIG. 3 is a schematic diagram of the system of the present invention;

FIG. 4 illustrates the operation of the fault injection module of the present invention;

FIG. 5 is a diagram of the internal FIFO structure of the CAN bus;

FIG. 6 is a flow chart of CAN bus transmission process traffic;

FIG. 7 is a flow chart of a CAN bus reception process service;

FIG. 8 is a fault injection instruction format;

FIG. 9 is a communication module state machine;

FIG. 10 is a simplified PCB diagram;

FIG. 11 is a control module state transition diagram; in the figure, S0 is a reset state, S1 is a start command, S2 is an instantaneous enable, S3 is a wait stop command, S4 is a permanent enable, S5 is a set counter, S6 is an intermittent enable, and S7 is an intermittent disable;

FIG. 12 is a flowchart of the overall operation of the CAN bus fault simulation system;

FIG. 13 is a system interrupt workflow diagram;

FIG. 14 is a flow diagram of protocol layer fault injection logic;

FIG. 15 is a flow diagram of physical layer fault injection logic;

FIG. 16 is a serial flow and test flow diagram;

FIG. 17 is a protocol layer fault injection test flow diagram;

FIG. 18 is an integrated test module partition diagram.

Detailed Description

The first embodiment is as follows: a CAN bus fault simulation system comprising: the system comprises an information transceiving module, a fault injection module and a control software module;

the module is arranged between CAN buses and is responsible for controlling data on the buses, and because the fault injector is injected firstly based on a protocol layer, the master control module is applied to and integrated with a CPU of a CAN controller.

The CAN bus is a bidirectional bus, so that data transmission needs to be in a FIFO mode so that transmission and reception do not collide.

The internal structure of the CPU adopts an FIFO structure, a ring data buffer area is established in a double-port RAM space, and the RAM is changed to contain a read/write double-port, so that the read/write operation can be carried out simultaneously without clock arbitration. The read register and the write register both contain a counter- "read pointer" and "write pointer", and after each operation, the read register and the write register point to the next address to be read/written. The structure also includes a status monitoring module to detect whether the buffer is empty during a read operation or whether a data overload occurs during a write operation, and the structure is shown in fig. 5.

the fault injection module is a process for mutually aligning the fault parameters sent by the control software and the fault injector. When the control software does not send data, the fault injector connects the CAN1 controller with the CAN2 controller, and sends out the data sent from one end through the other end, so as to realize bidirectional communication. When the control software sends the self-checking signal, observing whether the data on the bus changes, if not, indicating that the communication link is successfully set; when the control software sends different injection parameters, the meaning represented by the different parameters is respectively analyzed to carry out different fault injection, then a data frame for injecting the fault is sent back to the bus and returned to the control software, the fault injection parameters are judged each time the data is sent, and the fault injection is carried out until the serial port of the control software is closed to send the data.

The control software mainly has the functions of providing a good man-machine interaction interface for a user, receiving fault types selected by the user, converting different fault types into fault parameters which can be identified by a fault injector, and detecting whether the system works normally or not through a self-checking function by the user; meanwhile, the control software can receive the data transmitted by the fault injector, display the data and store the data in a database, so that a user can observe a statistical comparison result.

Non-functional requirements of the system of the invention

1. Performance requirements

The performance aspect requires that the CAN bus fault injection tool supports the highest transmission rate of 250 kilobits per second (Kbit/s); the CAN bus fault injection tool CAN inject faults into a data field and modify at least 4 bytes of data; the time delay range is 1 microsecond (mu s) -1 millisecond (ms), and the probability range is 1% -100%; transient type fault duration ranges from 1 microsecond (μ s) to 1 millisecond (ms); the duration range of the intermittent fault is 1 microsecond (mu s) -1 millisecond (ms), the duration range is 1 microsecond (mu s) -1 millisecond (ms), and the injection times are 1-1000.

2. Reliability requirements

The system has a perfect fault simulation function, adopts mature technology and advanced equipment, has high technical advancement and stability, can accurately intercept related data frames in a repeater mode, and performs fault injection on corresponding data frames, and has good reliability.

3. External interface requirements

Three nine-pin serial ports (DB-9), RS-232 interfaces, are required. Two of the two ports are used as CAN bus information transceiving ports, and one port is used as a fault injection port.

4. Constraint requirements

The system development process and delivery document need to support CAN bus 2.0b protocol version specification, and the system delivery needs to have complete technical description report, user use report and scheme description report.

The invention can provide a good interpersonal interactive interface. The specific system functional module division is shown in fig. 1.

The system architecture proposed by the present invention is shown in fig. 2, which illustrates the overall working architecture of the system. The CAN bus fault simulation system CAN be designed into a hierarchical architecture which is a display layer interacted with a user, a logic layer for processing faults and a data layer for processing data. The display layer is a platform for direct interaction with a user, and the user can select a series of operations including equipment detection, fault injection, result analysis and the like. In the fault injection part, a user can independently select the type and specific parameters of the fault to be simulated, including the modes of duration, times, direction, mode and the like. The logic layer is used as the main part of the system, and comprises two parts, one part is fault simulation, and the other part is the processing of injection results. The fault simulation is divided into simulation of transceiving of a CAN bus, fault injection of a protocol layer and fault injection of a physical layer. The faults of the protocol layer include specified fault injection, random fault injection, delay fault injection and probability fault injection, and the physical layer includes fixed 0, fixed, bit reversal and the like. And the data layer comprises two parts of data, namely data transmitted and received by the CAN bus, data of a fault injection result and analyzed data.

As shown in fig. 3, the system control software is installed at the PC control end, fault injection is controlled through RS232 serial port communication, the CAN bus data frames are respectively received and transmitted by the target machines at both ends, the data frames need to be converted into digital signals and analog signals through the CAN transceiver, and finally the data frames reach the target machine at the other end through the control chip. The control chip comprises two CAN bus controller chips and two CPLD chips. The CAN bus control chip plays a role of a repeater when a fault is not injected, and is used as a fault injector of a protocol layer when the fault needs to be injected; the CPLD chip is mainly responsible for fault injection of a physical layer, all signals input through a serial port firstly pass through the CPLD chip, whether the type of a fault is a physical layer or a protocol layer is judged in the chip, and the physical layer outputs analog signals outwards so as to interfere data transmission of the CAN bus on the physical layer.

The working principle of the fault injection module is shown in fig. 4, when the protocol layer fault injection device does not receive the instruction of the user control software, the protocol layer fault injection device is used as a data repeater, normal information receiving and transmitting CAN be carried out between the CAN node and the node, after the fault injection instruction is received, the protocol layer chip CAN analyze the received instruction and carry out relevant modification on the received data frame, so that fault injection is carried out on the relevant data frame; the main purpose of the physical layer fault injection device is to transmit corresponding signals to a bus through an output port according to a user instruction so as to interfere normal transmission of bus signals, and control software can set fault types, time parameters and the like of the physical layer fault injector through a serial port so as to inject different types of faults.

Simulation CAN data receiving and transmitting

The module is responsible for controlling data on the bus among the CAN buses, and because the fault injector is injected firstly based on a protocol layer, the main control module is applied to and integrated with a CPU of the CAN controller. The house lizard development board is used as a CAN controller for signal receiving and transmitting, and the specific functions of the CAN controller are shown in Table 1.

TABLE 3-1 CAN CONTROLLER FUNCTIONS

As shown in fig. 6, when the CAN status register detects that the transmission buffer is idle, the content of the transmission frame may be written into the transmission buffer, the first four bits of the data segment of the frame are written into the TDAX register, the second four bits are written into the TDBX register, the ID of the frame is written into the TIDX register, the CAN command register is set to send a request, and the transmission buffer prepares to send a queued packet according to the selected priority.

Fig. 7 shows a service flow diagram of a receiving process of the CAN bus, where a bus message is received in an interrupt manner, when an interrupt capture register ICR is read, an interrupt receiving bit is read, and if the CAN controller reads the received information, the read information is stored in the CANXRDA and CANXRDB registers, and a receiving buffer is released, a receiving flag is set, and the interrupt is cleared.

Design of kernel function

The core code for realizing the protocol layer fault injection comprises three files, namely a CanInject.c file, a Can.c file and a Uart0.c file, wherein the CanInject.c file is equivalent to a main function and is used for processing the core content of the fault injection, the main function is shown in a table 2, the Can.c file is responsible for relaying and setting a CAN bus, the detailed function is shown in a table 3, the Uart0.c file is a main module of a communication link and is responsible for serial communication, and the data from control software and the data of a fault simulator are received and sent by using serial interruption, and the detailed function is shown in a table 4.

Table 2 main functions in canreject.c

Table 3 can.c. main functions

Main function in Table 4 Uart0.c

The CAN bus sends a fault injection instruction to the control chip through the serial port, the parameter generation module of foreground control software generates a corresponding instruction according to the selection condition of a user, and the instruction needs to be designed because the data sent by the serial port is required to be sent once every 8 bits, so that the complex fault simulation under different conditions is realized.

3-3, the protocol layer fault instruction is five bytes long, and the bits 7-8 of the first byte define the time type of the fault, i.e., instantaneous fault or permanent fault; bits 5-6 define the injection location of the fault, i.e., the data field, control field, or arbitration field; the 3-4 bits define the type of fault injection, i.e., fixed 0, fixed 1, or bit flip; bits 1-2 define the direction of fault injection, i.e., from CAN1 to CAN2 or vice versa. The remaining four bytes are respectively an indication of whether or not a particular bit of a field is fault injected.

Physical layer fault injection

The communication module is responsible for mutual information transmission between the physical layer fault injector and the communication software, so the RS-232 serial port is adopted for communication, the modes of the serial port are unified to '115200, 8, N and 1', the communication speed is 115200kbps, 8 bit data bits, no check bit and one stop bit are represented. First passed are command and address: the high 1 bit is a read-write signal, the '1' is a read signal, the '0' is a write signal, the low 7 bit is a register address, so 128 registers can be set at most, and as the soft reset occupies one instruction code, 127 registers are available at most, so that fewer registers are used, and reserved resources are provided for program expansion. The 8 bits of data are transferred next. The port definitions of the communication module are shown in table 5.

Table 5 communication module port definition table

The CPLD chip of the fault injector uses a 16M passive crystal oscillator as clock input, and in order to improve the accuracy of serial port transmission, the clock input is divided, so that the clock of the communication module is 16 times of the serial port speed. The input of the input sampling serial port can reduce the influence of serial port noise on data transmission and reduce the error rate. According to the clock, the state machine of the communication module is designed as shown in fig. 9.

The various states in FIG. 9 are depicted in Table 6;

TABLE 6 State description Table

Before the fault injection starts, the communication module receives a command from control software and stores command parameters into each register of the main control module; and after the fault injection is finished, the communication module sends the fault injection result stored in the main control module to the control software. Therefore, the communication module is mainly responsible for completing two major tasks: and sending and receiving serial port data and reading and writing the register in the main control module. The module is divided into two sub-modules. The Serial sub-module is responsible for sending and receiving Serial data, and the rd _ wr sub-module is responsible for reading and writing internal registers of the main control module.

And the fault injection module is responsible for controlling the work of other modules and working according to the value stored by the internal register. The main control module is internally integrated with a series of register groups related to fault injection. The internal time control submodule is responsible for controlling the time of fault injection, so that faults of different time types can be injected. Before fault injection begins, a bus read-write module reads an address-data parameter pair and stores data into a register of a corresponding address; after the fault injection is finished, the bus read-write module reads the registered data, inputs and outputs the data and sends the data to the communication module. Table 7 lists the meaning represented by the internal registers.

TABLE 7 Master control Module register significance

Fault level selection register type _ reg: the register stores fault type information indicating what type of fault the bus signal path in that direction injects. The data in this register indicates whether the fault occurred at the physical or protocol layer, and also indicates whether a stuck-at-0, a stuck-at-1, or a bit flip fault was injected at the time of physical layer fault injection. When the type _ reg [7..6] is "01", it indicates a protocol layer fault, when it is "10", it indicates a physical layer fault, and when it is "00", it indicates that no fault is injected.

Trigger type register tiggtypr _ reg: the register has a total of 8 bits, and a direct path is provided between the register and the fault injection module, which indicates the type of physical layer fault trigger. Each two bits from high to low specify the trigger type of the corresponding data bit: "00" indicates no trigger fault, "01" indicates trigger type is data field trigger, and "10" indicates trigger type is arbitration field trigger.

The input data register indata _ reg and the output data register outdata _ reg are used for storing bus data recorded by the result recovery module, wherein indata _ reg is data before injection, and outdata _ reg is data after injection. The two registers are used for host machine timing reading, and the control software analyzes whether the fault injection is effective or not by comparing bus data before and after the fault injection.

The fault time type register timetype _ reg: the lowest two bits of the 16-bit data of this register, timetype _ reg [1..0], represent the time type of fault injection: "01" indicates injection of transient type fault, "10" indicates injection of intermittent type fault, and "11" indicates injection of permanent type fault. The remaining number of bits specifies the number of intermittent fault injections, which is in the range of 0-1000.

Fault duration register duration _ reg and fault interval register interval _ reg: when transient fault injection occurs, the duration _ reg stores the length of the transient fault; at intermittent fault injection, duration _ reg stores the duration of the fault and interval _ reg stores the interval of the fault. In the control software, for the convenience of user definition of accurate time parameters, the units of the two times are microseconds. The control software converts the time to the number of clock beats for the injector's internal clock in accordance with the injector clock frequency when generating the parameters.

The trigger type register trigg _ reg specifies the trigger mode of fault injection, and when the trigger _ reg [1..0] is '01', the trigger mode indicates random trigger, and when the trigger mode indicates '10', the trigger mode indicates target trigger.

In practical implementation, a direction selection module is integrated in the main control module, and the module determines a connection mode between internal modules before fault injection starts, so that the structure of fault injection logic is changed. When the fault from the host to the peripheral needs to be injected, the fault injection module is embedded into a signal channel from the host to the peripheral, and the signal channel from the peripheral to the host is kept unchanged; on the contrary, the fault injection module is embedded in a signal channel from the peripheral to the host, and the signal channel from the host to the peripheral is unchanged; and after the fault injection is finished, the direction selection module is removed from the fault injection module, and the site is recovered.

Fault injection module

The minimum development board of FPGA, the core chip is EPM 1270. The schematic diagram and PCB drawing of the fault injector are realized by using the Altium design summer10 software, and the fault injector is manufactured on a board.

The CAN bus uses a pair of differential signals (CANH and CANL) to form bidirectional signal transmission channels, which are CANH and CANL, respectively, in a physical layer. The CANH high level is a "dominant" value, representing alogic 0; a "recessive" value when the CANH level is equal to the CANL level, representing alogic 1; dominant has a higher priority than recessive, and when both dominant and recessive bits are sent on the bus, dominant appears on the bus. The physical layer fault injection mainly interferes the transmission of CAN bus data frames by changing the electrical characteristics of data transmission in the physical layer. The types of faults are classified into transient faults, intermittent faults, and permanent faults.

The physical layer fault injection is to send a fault injection instruction to a chip through a serial port, and the chip can send a 0 or 1 signal to the outside through IO (input/output) so as to change the electrical characteristics. As shown in fig. 10, which is a simplified PCB diagram, it CAN be seen that the main components are that the control chip of the core is EPM1270T144C5N, which is used as a carrier for processing input and output signals and internal logic processing of physical layer fault injection, the clock input of the chip is a passive crystal oscillator of 16M, and other components also include a serial port level conversion chip, a circuit signal conversion of CAN, a reset chip, and the like.

The fault injector hardware mainly comprises two bus modules and a central processing chip between the two bus modules, and the GPIO module is used for completing communication and power supply between the central processing chip and a host machine.

The physical layer fault injection of the CAN bus fault simulation selects a CPLD chip of Altera corporation with the model number of EPM1270T144C5N as a central processing chip and a carrier of fault injection logic. The chip of the model adopts a low-power consumption design with 3.3V input and output voltage and uses a 144-TQFP packaging format. The clock input of the CPLD is a 16M passive crystal oscillator, and a chip reset circuit and a JTAG download circuit are implemented at the periphery for chip programming. Two CAN bus modules are respectively arranged at two ends of the CPLD and consist of a bus transceiving circuit and a bus IO interface. The CAN bus transceiver selects an LPC1768FBD100 chip, and the chip comprises a bus receiver and a bus transceiver. A serial port communication extension interface UART0 is used as a communication interface between the CPLD and the host machine, and an interface is reserved for a GPIO module of the host machine, so that the future improvement design is facilitated.

The starting and stopping of fault injection need to be controlled by a plurality of conditions together, and the combination of injection control and the main control module is not beneficial to the development of module functions and is not easy to maintain. The injection control module is thus implemented separately. The module continuously reads the register value of the master control module to determine whether to inject a fault. The injection module respectively realizes the control of fault injection from the CAN1 to the CAN2 and from the CAN2 to the CAN1, the fault injection in the two directions is not interfered with each other, and the fault injection module CAN be used for independently injecting the fault into a signal channel in one direction or simultaneously injecting the fault into the signal channels in the two directions. Tables 3-14 list the port signals for the injection control module.

TABLE 8 Port signals for injection control modules

The injection control module uses the inj _ enable signal to realize the control of the fault injection module, the fault injection module is effective when inj _ enable is in a high level, the fault injection module can inject the fault, and the inj _ enable is ineffective when in a low level, and the fault injection is forbidden. Three time types are realized by high and low combination of the inj _ enable level.

The setting of the inj _ enable signal of the transient fault is simple, the inj _ enable is set to be high level when a starting command arrives, meanwhile, a time counter starts to time, once the time is counted, the inj _ enable is immediately converted into low level, and the fault injection is finished.

Intermittent faults refer to the need for the user to inject the same fault multiple times, each fault having the same duration, with an interval time between each fault. The intermittent time control is realized, a duration time counter and an intermittent time counter need to work alternately, in the duration time counting process, inj _ enable is effective, the intermittent time counter works after the counting is overtime, and inj _ enable is ineffective. The alternating high and low changes of the inj _ enable signal level realize the control of the intermittent fault.

The duration of the permanent fault is from the beginning of the control software sending a start command to the end of the control software sending a stop command. Therefore, the inj _ enable of the permanent fault is irrelevant to the duration and the interval time, and when a starting command sent by control software is received, the inj _ enable is kept at a high level; when the main control module receives a stop command sent by control software, a soft reset signal is sent, the inj _ enable is restored to the low level, and fault injection is finished.

Fig. 11 is a state transition diagram of the operation of the injection module. As can be seen from the figure, the module is reset instate 0, i.e. entersstate 1 awaiting an injection start command. When an injection start command is received, if timetype [1..0] '01' is a transient type, entering astate 2, and if inj _ enable '1', a duration counter works, 1 is decremented every beat, and when the counter is decremented to 0, inj _ enable '0' enters astate 3; if timetype [1..0] ═ 10 ", is permanent, set inj _ enable ═ 1' and enterstate 3, and when soft reset signal nRST comes, inj _ enable ═ 0 and enterstate 0; if timetype [1..0] '11', it is of an intermittent type, thestate 5 is entered to set a duration counter, an interval counter and a number counter, then in thestate 6, inj _ enable is set to '1' and the duration counter is decremented, after subtracting to 0, thestate 7 is entered to set inj _ enable to '0', the interval counter is decremented, after subtracting to 0, thestate 5 is returned to and the number of times is subtracted by 1, until the module enters thestate 0 after the number of times is used up.

Table 9 is an illustration of the methods used in the control software.

Method description of Table 9

FIG. 12 depicts a flow chart of the overall operation of the fault simulation system. Before a program starts to run, firstly, self-checking is carried out to check whether equipment can work normally or not, then, an instruction corresponding to a fault is generated according to the selection of a fault attribute made in an interface by a user, and when the instruction generation is completed, the next fault injection can be carried out. The fault injection part carries out different interferences on bus data according to the instructions, when the corresponding instructions are sent, the fault injector can feed back fault injection results to the control end through serial port communication, and the control end can further analyze the fed-back data, so that whether fault injection is successful or not is obtained.

Fig. 13 is a flow chart of the system interrupt operation, and the protocol layer fault injection module implements receiving the fault parameter sent by the control software and sending the data segment of the data frame stored in the corresponding register in the fault injector to the control software. Common communication modes include UART, JART, Ethernet, USB and the like, and in order to simplify a circuit and reduce time delay, an RS232 serial port UART communication mode is adopted. The communication link receives and sends information in an interruption triggering mode, when the communication link judges that the transmission is interrupted, a serial port is opened, the information in the control software is sent to a fault injector, and the serial port is closed after the data is read; and when the receiving is interrupted, opening the serial port, transmitting the result recovered in the fault injector to the control software, and closing the serial port after the data is written.

Fig. 14 is a logic flow diagram of the fault injection logic of the CAN bus fault simulation system protocol layer, before fault injection, first, a relevant injected instruction needs to be obtained through a ser _ AvailChar (& numAvailByte) function and stored in a cache register, then, in the analysis process of the instruction, the positions of the faults represented by the instruction are judged, corresponding fault injection is carried out on the corresponding positions respectively, when the fault injection is finished, the fault injection result needs to be collected, 0000, the direction is judged according to the instruction and output, finally, the time type of the fault is judged, whether the fault is a permanent fault or a transient fault, if the fault is a permanent fault, then the fault injection instruction needs to be stored in the cache register and repeatedly called to achieve the purpose of permanent injection, if it is a transient fault, only the previous cache register needs to be emptied and the protocol layer fault injection logic is ended.

Fig. 15 is a logic flow diagram of physical layer fault injection of a system, before fault injection, all registers need to be reset, and in a CPLD chip, a fault hierarchy type register is set, which indicates that a protocol layer fault is injected when the value of the register is "0 x 00", and indicates that a physical layer fault is injected when the value of the register is "0 x 01". After resetting the registers, the failing level type register needs to be written first, indicating entry into the physical layer. Then, whether the input command is a physical layer fault needs to be judged, if not, TXD is directly equal to RXD, and the input end is given to the output end, which is equivalent to direct connection of signals. And if the data is in the physical layer, starting to write the time type register which is respectively instantaneous, intermittent or permanent, and respectively writing the time type register into other related registers, and starting to perform fault injection in the physical layer after the writing is finished.

The second embodiment is as follows: the first difference between the present embodiment and the specific embodiment is: the information transceiver module also comprises a bus initialization submodule, a data frame sending submodule and a data frame receiving submodule;

the bus initialization submodule is used for initializing a register and a clock;

the data frame sending submodule is used for sending data frames according to the priority of each sent data frame;

and the data frame receiving submodule is used for receiving the data frame according to the pre-obtained ID and timely returning response information to indicate that the receiving is normal.

Other steps and parameters are the same as those in the first embodiment.

The third concrete implementation mode: the present embodiment differs from the first or second embodiment in that: the fault injection module comprises a link layer fault submodule and a physical layer fault submodule;

the link layer fault submodule is used for intercepting information in a link layer of data frame transmission, changing the data frame according to requirements specified by a user, and dividing a fault injection mode into a specified fault, a delay fault, a random fault and a probability fault; the time types of the faults are divided into transient faults, permanent faults and intermittent faults; the injection positions are divided into a data field, an arbitration field and a control field; the final faults are divided into faults at a bit level and faults at an information flow level, and a user can randomly combine different fault injection modes, trigger time parameters and injection positions to form different types of faults;

the physical layer fault submodule is used for operating on a physical layer of CAN signal transmission, and the fault injector CAN change transmitted information by changing electrical characteristics, so that different types of physical layer faults CAN be realized; the physical layer fault injection is divided into two modes, namely user-defined fault injection and trigger fault injection; the user-defined fault injection is that a user selects a physical layer fault of a fault injection mode and fault injection time through host machine end control software, and the fault is transmitted into a fault injector through a serial port to cause a fault; the triggering fault injection is that a user can set corresponding data and a corresponding ID of the triggering fault, and when the fault injector detects that the data or the ID of a data frame transmitted on a bus is a set numerical value, a physical layer fault is generated; the fault injection mode is divided into an appointed fault, a delay fault and a probability fault, and the time types of the faults are divided into an instantaneous fault, a permanent fault and an intermittent fault.

Other steps and parameters are the same as those in the first or second embodiment.

The fourth concrete implementation mode: the difference between this embodiment mode and one of the first to third embodiment modes is: the link layer fault submodule comprises a serial port interruption unit, a frame analysis unit, a data frame modification unit, a frame recombination unit and a result recovery unit;

the serial port interrupt unit is used for receiving data from control software and sending data of the fault simulator, finishing receiving the data by using the interrupt of UART, and defining an FIFO buffer area to store the received data;

the frame analysis unit is used for carrying out frame analysis on the CAN bus message through a CAN bus controller driving program to obtain different fields of bus data frames, storing different data of the different data frames into corresponding registers to wait for processing of the fault injection module, and the frame analysis operation is completed in the CAN controller;

because the data frames transmitted by the CAN bus have different 7 sections, and corresponding fault injection is carried out on different parts, the CAN bus messages need to be subjected to frame analysis through a CAN bus controller driving program to obtain different fields of the bus data frames, different data of the different data frames are stored in corresponding registers to wait for processing of a fault injection module, and the frame analysis operation is completed in the CAN controller. The CAN mode register is used for changing the behavior of the CAN controller, the CAN interruption and capture register stores the relevant information of CAN bus events, the CAN interruption enabling register controls whether each register of the CAN CAN cause the generation of interruption or not, and other registers are used for receiving and transmitting information.

The data frame modification unit is used for respectively injecting fixed 0, fixed 1 and bit-reversed faults into 7 fields divided on a data frame (which fault is injected into which field is determined according to injection position parameters selected by a user in the control software module);

the frame recombination unit is used for adding the modified frame into the header to form a message and storing the message in a corresponding register;

the result recovery unit is used for collecting data in the data frame analysis unit and the frame recombination unit at regular time, checking whether fault injection is successful or not and checking the influence of the injected fault on bus data; the result is stored in the register of the control module and is transmitted to the control software by the control module to be displayed to the user.

Other steps and parameters are the same as those in one of the first to third embodiments.

The fifth concrete implementation mode: the difference between this embodiment and one of the first to fourth embodiments is: the physical layer fault submodule comprises a user-defined fault unit and a signal trigger fault unit;

the physical layer fault submodule is used for injecting different types of faults in a user-defined mode in the control interface and sending a corresponding fault injection version to the physical layer;

the signal triggering fault unit is used for triggering the fault of the physical layer when the fault injection plate receives the signal.

Other steps and parameters are the same as in one of the first to fourth embodiments.

The sixth specific implementation mode: the difference between this embodiment and one of the first to fifth embodiments is: the control software module comprises a parameter generation submodule, a detection submodule, an injection interface submodule and a result recovery submodule;

the parameter generation submodule is used for generating fault injection parameters which can be identified by an injector according to the setting of a user; in the self-checking process, the parameter generation submodule generates an initial value for each register in the injector; in the injection process, the parameter generation submodule generates the value of the register under the current fault mode; the fault injection parameters comprise a fault injection mode, a fault time type and an injection position;

the detection submodule is used for detecting the initial state of the injector and ensuring that the injector and a communication link are intact and available; the injector itself is self-tested before fault injection using fault injection equipment. The specific process of self-checking is as follows: writing an initial value into each register in the injector, reading the value, comparing the written value with the read value, and if the written value is consistent with the read value, indicating that the injector and the communication link are intact and usable;

the injection interface submodule is used for setting parameters generated by the parameter generation submodule, sending the parameters required by the current fault mode to the injector, and simultaneously transmitting the parameters to the result analysis module for analysis after injection is finished;

and the result analysis module is used for receiving the register value read by the information transceiver module in the fault injector and acquiring the fault injection result.

Other steps and parameters are the same as those in one of the first to fifth embodiments.

The seventh embodiment: a CAN bus fault simulation method comprises the following steps:

the method comprises the following steps: detecting the injector through the detection submodule, if the working states of the injector and the communication link are normal, setting fault injection parameters through the injection interface submodule, and generating fault injection parameters through the parameter generation submodule; if the working states of the injector and the communication link are abnormal, the injector and the communication link are debugged;

step two: sending the fault injection parameters generated in the step one to a fault injector, setting a fault level type register in a fault injection module according to the fault injection parameters, when the value of the register is 0x00, indicating that a link layer fault is injected through a link layer fault submodule, and when the value of the register is 0x01, indicating that a physical layer fault is injected through a physical layer fault submodule;

The specific implementation mode is eight: the seventh embodiment is different from the seventh embodiment in that: the specific process of injecting the link layer fault through the link layer fault submodule in the step two is as follows:

step two, firstly: judging whether the injection position of the fault injection parameter is a data field, if so, performing fault injection on the data field, judging the transmission direction and outputting a result; if not, executing the second step;

step two: judging whether the injection position of the fault injection parameter is an arbitration field or not, if so, performing arbitration field fault injection, judging the transmission direction and outputting a result; if not, executing the third step;

step two and step three: performing control field fault injection, judging the transmission direction and outputting a result;

step two, four: judging whether the time type of the fault injection parameter is a permanent fault or not, if so, writing the value of the cache register into a corresponding register (if the time type of the fault injection parameter is the permanent fault, storing a fault injection instruction into the cache register, and repeatedly calling to achieve the purpose of permanent injection, and if the time type of the fault injection parameter is the transient fault, only emptying the previous cache register so as to finish the fault injection logic of the protocol layer); if not, the cache register is cleared.

Other steps and parameters are the same as those in the seventh embodiment.

The specific implementation method nine: seventh or eighth differences from the embodiments are: the specific process of injecting the physical layer fault through the physical layer fault submodule in the step two is as follows:

step (1): judging whether the fault injection time of the fault injection parameters is an intermittent fault or not, and if so, setting registers of the intermittent time, injection times and duration time; if not, executing the step (2);

step (2): judging whether the fault injection time of the fault injection parameters is an instantaneous fault or not, and if so, setting a duration register; if not, executing the step (3);

and (3): inj _ enable is set constant at 1.

Other steps and parameters are the same as those of the seventh or eighth embodiment.

The first embodiment is as follows:

test protocol

The model used for developing the CAN bus fault simulation system is a V model, so the system test needs to follow the development model and sequentially comprises unit test, integration test, system test and acceptance test, and the test is mainly performed on the unit test and the integration test. In the unit test, a black box test and a white box test are required to be performed on each submodule for checking the accuracy of the internal logic and function of the program, wherein the white box test adopts a basic path coverage method, and the black box test adopts an equivalence class division method. In the integrated test, a case of the integrated test is designed to test each module. And for the final system test and acceptance test, verifying one by one according to the indexes by contrasting the index requirements proposed in the system design stage, and testing whether the index requirements are met.

Test range

The test detects each function module of the system one by one, comprises a CAN bus data receiving and transmitting module, a fault injector module and a control software module, checks enumerated functions in demand analysis, fully tests the normal operation of each function of the system, and inputs reasonable and unreasonable test data to test the operation of the function and the error handling condition.

Serial port setting and self-checking

The first step is as follows: the system login equivalence classes are shown in table 10.

Table 10 system login equivalence class division table

The second step is that: the system registration test is shown in table 11, for example.

Table 11 system login equivalence class division table

The third step: the serial port setting process and the test process are shown in fig. 16.

The fourth step: the system entry white box test data is shown in table 12.

Table 12 system login white box test meter

Protocol layer fault injection

The first step is as follows: the protocol layer fault injection equivalence classes are shown in table 13.

Table 13 protocol layer fault injection equivalence class partitioning table

The second step is that: the protocol layer fault injection test is shown in table 14, for example.

Table 14 protocol layer fault injection test case table

The third step: the protocol layer fault injection test flow is shown in fig. 17.

The fourth step: protocol layer fault injection white box test data is shown in table 15.

Table 15 protocol layer fault injection white box test table

Integrated testing

And assembling all the modules together on the basis of unit testing to perform integration testing, and detecting that all the modules after integration can not work normally.

The integrated test module partitioning is shown in fig. 18.

The system tests each module in the following test sequence:

M1—M2—M6—M7—M8—M9—M3—M10—M11—M4—M12—M13—M5—M14—M15—M16—M17

as shown in Table 16, the integrated test cases are listed according to the test module order, and the expected results and the actual test results are noted.

TABLE 16 integration test case

System test and acceptance test

The system test and acceptance test tests whether the main test system meets the requirements of project indexes and can meet the requirements of users, and the requirements of the system test and acceptance test are shown in table 17.

TABLE 17 SYSTEM TEST AND INSPECTION TEST TABLE

The present invention is capable of other embodiments and its several details are capable of modifications in various obvious respects, all without departing from the spirit and scope of the present invention.