FrTp uses a go-back-N error-control mechanism: A condition for Valid to be true is. This paper addresses only the unicast acknowledged transfer methods 2 and 3, leaving multicast transfer for future work. Hence more concurrent operations are possible, leading to an increased number of occurrence sequences which increases as increases as illustrated in the selected state space results in Tables 3 and 4. Protocol verification involves proving a protocol holds desired dynamic properties, such as absence of deadlocks, as well as proving that the protocol faithfully implements the desired service specification. Our decision to focus on the core features of FrTp first is part of the incremental approach to protocol verification.

How FlexRay Works – Part 1

In addition, only flexeay basic ISO-compliant frame types are modelled as opposed to the optional extended frames. The guards on these transitions prevent them from occurring if either the maximum number of frames allowed by have been sent or all frames have been sent.

If 8 and the corresponding equation for arcs holds for, then we conjecture that the desired properties will also hold. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

This approach is based on the fact that any nondeterministic FSA with -transitions, defined in Definition 7, can be converted into a canonical form, a minimised deterministic FSA [ 31 ]. Another promising technique to alleviate the state explosion problem is to utilise the sweep-line method [ 36 ]. Using a similar approach as with the size of the state space, we can observe trends in the upper integer bounds of the channels.


Proposition 1 shows, under certain conditions, the desired properties hold for all autoear sizes greater than. In addition, closed-form solutions relating the state space size, retransmission limit, and number of segments are found, giving increased confidence that FrTp is error-free, even for autoear where the state explosion problem arises.

To overcome these limitations, by analysing trends in the state space results and closer inspection of the CPN, observations on the desired properties are made without generating the complete set of state spaces.

For the state space size grows rapidly for even small values of. Seven subpages model details of: This flexeay is used and updated by transitions modelling the generation and reception of frames.

That is, the actions of the sender and receiver are unaffected by the contents of the data fields in each frame. Initially empty, the occurrence of transition TxFrame adds a frame to the tail of the list and RxFrame extracts the frame from the head of the list. Once all data is received by the receiver (the total data length is included in the First Frame), a PACK is sent indicating the successful completion of data transfer.

Two properties that are considered in this paper relate to terminal markings and bounds. The authors would like to thank the anonymous reviewers for their many helpful suggestions for improving this paper. As no transitions other than depend on and autosatincreasing will not change the set of transitions that can occur.

Verification of the FlexRay Transport Protocol for AUTOSAR In-Vehicle Communications

This includes proving the absence of deadlocks, conformance of the protocol to the service specification, and characterisation of the upper bounds of buffers when a single-protocol data unit is transferred from FrTp sender to receiver. In total there are 15 places and 26 transitions. An example of FrTp with segmented, acknowledged transfer with retries is illustrated in Figure 4.


Frames that can be sent from sender to receiver, all of which can contain data, are the following. The duration of symbol window is defined in terms of macroticks which is a multiple of microticks. For instance, FrTp supports block sizes of 1 to The header includes a sequence number to indicate the ordering of the CFs. In addition a confirmation is sent to the sender and passed to the PDU Router as TxConfirmation with the successful flag set.

Although not explicitly stated in the specification [ 4 ], autoar the buffers and channels shall be bounded.

Currently there are no closed form equations for the state space size in these cases. Concepts for the execution are defined in the following. Data Independence As with many protocols, the operation of FrTp is independent of the actual data. Introduction Vehicles today may contain nearly embedded computers, or Electronic Control Units (ECUs), that together control the engine, airbags, suspension, seats, as well as provide information to other on-board devices and users e.

A formal modelling language, Coloured Petri nets (CPN), has been applied to verify the protocol design. In summary, for most cases in FrTp the transmission of one PDU will not affect the transmission of another.

However, as the issue with delayed ACKs can be solved with timing constraints, more practical insights into FrTp could be obtained by integrating time into the CPN and conducting performance analysis.