Why are there multiple CAN buses in vehicles?

Question

There are a number of questions on the CAN bus but none (so far as I can tell) that explain why there are several CAN buses in a vehicle. From what I understand many different nodes can be connected to a single CAN bus, so I am not sure why you would need more than one. My only thoughts are that:

A. there is a fairly small limit to how many nodes can be attached to a single CAN bus. But if that is the case I would imagine there must be some inter-CAN connection so that arbitration and error checking can occur (CAN SPEC 2.0).

-- or --

B. Nodes are prioritized as primary, secondary, and tertiary systems and each level has their own CAN bus and these levels only contain devices that are independent of each other in terms of functionality. I.E. brakes, engine control, exterior lights, locks are on the primary bus. Radio, AC, seat control, are on the secondary bus etc etc.

If anyone could explain/clarify I would really appreciate it. Thanks in advance.

Answer 1

The CAN buses are primarily separate to

• manage congestion
• reduce regulatory concerns over safety-critical systems
• exert more control over who can access the various buses

Simple vehicles will have two CAN buses, one for the engine and safety systems, and one for body controls (lighting, user experience, etc).

Complex vehicles will have a separate bus for systems affecting vehicle motion, for instance radar assisted cruise control, parking systems, lane guidance, etc, as well as additional systems for user features beyond simple body controls, such as in vehicle entertainment systems.

While the buses could be shared, there are a few reasons not to do so:

Congestion

Even high speed CAN buses don't have unlimited badnwidth, and in fact compared to modern communications systems they are very slow. However there is still a lot of data they must carry, and most of it is time critical, so maintaining a low utilization allows messages to be delivered more quickly (fewer collisions) which means that real-time messages arrive on time, rather than late.

Testing

Safety critical systems are often separate from other systems so that testing is reduced. All the devices attached to the safety critical bus must have a higher standard of operation and therefore testing in order to be certain they won't cause a problem on a safety critical bus. With a separate body bus you can have slightly lower standards since an outage won't cause a safety issue, therefore testing is reduced.

Rather than combining everything on one bus and making sure everything is up to the higher standards, separate buses allow the designers to segment the bus and reduce costs.

Industry regulations are difficult, particularly since throttle issues and other drive-by-wire problems the industry has experienced in the past. By keeping critical systems separate from non critical systems, finding out what went wrong after the fact, and resolving it becomes much easier, as well as less likely since there are fewer devices that could interfere with the correct operation of the safety system.

Control

Once modders found that they could alter the engine management and other computers through a single interface, vehicle manufacturers have worked to separate the diagnostic connector and its bus from the rest of the vehicle buses, and use a gateway to pass only those messages that they permit user and garage access to. They do usually have additional features permitting their own technician access, and many even add another bus to the diagnostic connector, but without publishing message details, so they can have higher speed access while still maintaining backwards compatibility with diagnostic emissions regulations.

Separating the buses, however, allows them to exert a little more control over who has easy access to the onboard computers using the simple diagnostics connector.

Additional Complexity

The complexity introduced by additional buses is handled by a gateway controller. In some vehicles this is the body controller, and often has other bus connections, such as LIN. This passes messages between buses so that when a diagnostic device is connected, for instance, the device can access all the relevant diagnostic information throughout the vehicle.

Answer 2

When talking specifically about CAN the answer is none of the above.

In a CAN system the nodes do not talk directly to each other, instead the system is message based. Every message has a priority based on its address and that determines who gets to talk. Who ever has the priority message transmits the message to all and who ever needs it reads it in.

There are some limits to how many nodes can be had but that limit is electrical and not a function of the actual bus.

The reason is that high speed CAN is very complicated electrically due to its speed. (I can go on about transmission lines, signal integrity, stubs and termination but this is way beyond what this answer needs) This makes the design complicated and the modules that use it more expensive. Further not everything needs the break neck speed of high speed CAN. The CAN bus system is usually broken down into three buses, low speed, medium speed and high speed.

• High speed CAN connects all the important systems. Engine, ABS, Air Bag, Transmission, Body. The Body computer then serves as the gateway between the other buses.
• Medium speed CAN is usually used for car functions like exterior lighting, power locks, power mirrors etc.
• Low speed CAN picks up the rest of the non critical systems. These can include interior lighting, entertainment etc.

As mentioned previously the CAN bus uses message addresses instead of node addresses. For example, vehicle speed would be a message. This message gets transmitted by the ABS unit and has a fairly high priority. The Engine, Air Bag, Transmission and Body are all interested in the message and read it in. After receiving the message the Body retransmits the message over the other buses. The lower speed buses usually don't need updates as frequent as the highs speed bus so the Body only updates them occasionally.

If a module needs information that is not commonly transmitted a module can request information. The design of the bus is such that when data is requested the module that has the information only knows that the information is needed and not who needs the information.

The gateway does not have to be the Body, it could be the Instrument Cluster or some other computer.

Answer 3

One of the reasons is nicely summed up in this cartoon from 2003:

("New device found: Airbus A310. Start auto configuration? [Start][Cancel]")

Similar attacks have indeed been reported recently. Having the safety critical components on a separate bus which is only accessible through a well-configured gateway greatly reduces the likelihood of inadvertent problems like the one above, and makes hacking much harder.