Principles of Operation
The Mazda steering column has four built-in torque sensors. These four sensors work as two redundant pairs. If the EPS module detects a fault on one of the pairs, the EPS will continue to function but will trigger a light on the vehicle dashboard. If a fault is detected on both pairs, the EPS will be disabled until the next power cycle. Each pair has an independent power supply from the EPS module, circled in red in the image below. The TI2 is able to use this redundancy to meet the stock EPS system's functional safety level.
The TI2 has four microcontrollers (MCUs), each wired to one of the four torque sensors and its corresponding input to the EPS module. The MCUs do not communicate with each other to control the steering, so they are independent of each other. The four MCUs are split into pairs, and each pair has a separate power supply. In this way, they act as redundant pairs that match the wiring configuration of the stock EPS system.
There is only one CAN transceiver on the TI2. Redundant CAN communication is not required to maintain the functional safety level. This is the primary reason there is a designated master MCU. The master is responsible for reporting the states and errors of each MCU via I2C and then transmitting all the MCU states on the CAN bus. The master is the only MCU that can transmit CAN frames. If the master goes into an error state, CAN transmission may end, depending on the error.
When the MCU comes out of reset, it enters the bootloader. The bootloader checks the cause of the reset. If the reset was caused by a watchdog timer, the MCU stays in bootloader mode and waits for CAN bus commands to reflash the device. This is the primary way to reflash the device. Any other reset cause allows the MCU to proceed to verify the application flash using a CRC32 header. If this verification fails, the MCU remains in the bootloader.
Upon entering the main application, the MCU enters the INIT state and checks the reset cause. If the reset cause is abnormal, the MCU enters the CRICIAL_ERROR state; otherwise, it sets a violation to indicate the reset cause and proceeds in the INIT state. See DS70602B for details on resets. The MCU then initializes the peripherals and interrupts. Next, the device uses the ID pins to determine which MCU it is: 0 (Master), 1, 2, or 3. This ID is used to enable the I2C master or I2C slave driver and to set CAN listen-only mode or CAN normal mode. See DS70000195G for information on the I2C peripheral and DS70005340B for information on the CAN peripheral. If the MCU is still in the INIT state, it sets the STANDBY state. If the MCU is in an ERROR state, the MCU will enter the error_hander(), which will keep the MCU in bypass until reset.