System Design

Design an Automotive CAN Network

System design walkthrough: CAN bus architecture for a vehicle with 10 ECUs, message prioritization, gateway design, bus load analysis, and diagnostics.

The Prompt

"Design the communication network for a vehicle with 10 ECUs: engine control, transmission, ABS, airbag, body control, instrument cluster, infotainment, ADAS camera, parking sensors, and OBD-II diagnostic port."

Requirements Clarification

CategoryRequirementDetail
FunctionalECU communicationAll 10 ECUs exchange data as needed
Safety-critical messagingEngine, ABS, airbag messages must have guaranteed low latency
DiagnosticsOBD-II port for emissions compliance and shop diagnostics
Gateway routingMessages forwarded between bus segments selectively
DTC loggingEach ECU stores diagnostic trouble codes
Non-functionalLatencySafety-critical messages delivered within 5 ms worst-case
Bus utilizationUnder 40% on safety buses, under 60% on body/infotainment
Fault isolationInfotainment failure must not affect powertrain or chassis
Wiring costMinimize total bus length (fewer wires = lighter = cheaper)
EMC robustnessDifferential signaling, twisted pair, proper termination
Standards complianceISO 11898 (CAN), ISO 14229 (UDS), ISO 15765 (diagnostics over CAN)

Architecture Overview

text
Powertrain CAN (500 kbps)              Chassis CAN (500 kbps)
┌────────┐ ┌────────┐ ┌────────┐      ┌──────┐ ┌────────┐ ┌────────┐
│ Engine │ │ Trans  │ │ OBD-II │      │ ABS  │ │ Airbag │ │ ADAS   │
│ ECU    │ │ ECU    │ │ Port   │      │ ECU  │ │ ECU    │ │ Camera │
└───┬────┘ └───┬────┘ └───┬────┘      └──┬───┘ └───┬────┘ └───┬────┘
    │          │          │               │         │          │
────┴──────────┴──────────┴───────   ─────┴─────────┴──────────┴──────
              │                                     │
         ┌────┴─────────────────────────────────────┴────┐
         │              Gateway ECU                       │
         │  - Selective message routing                   │
         │  - Firewall (infotainment cannot write         │
         │    to powertrain/chassis)                      │
         │  - Protocol translation (CAN / CAN-FD / LIN)  │
         └────┬─────────────────────────────────────┬────┘
              │                                     │
────┬─────────┴──────────┬────────   ───────┬───────┴───────┬─────────
    │                    │                  │               │
┌───┴────┐ ┌─────────┐ ┌┴────────┐   ┌─────┴──────┐ ┌─────┴────┐
│ Body   │ │Instru-  │ │Parking  │   │Info-       │ │ Rear     │
│ Control│ │ment     │ │Sensors  │   │tainment    │ │ Camera   │
│ ECU    │ │Cluster  │ │         │   │ Head Unit  │ │          │
└────────┘ └─────────┘ └─────────┘   └────────────┘ └──────────┘
Body CAN (125 kbps)                   Infotainment CAN (500 kbps)

Four separate buses connected through a central gateway. This is the standard architecture for modern vehicles at this complexity level.

Component Deep Dive

Bus Segmentation

Why not put all 10 ECUs on a single CAN bus?

Fault isolation — A short circuit or babbling ECU on the infotainment bus must not bring down the powertrain bus. Safety-critical functions (engine, ABS, airbag) operate independently even if the entertainment system crashes.

Bandwidth management — The ADAS camera may stream object data at high rates. Mixing this with engine RPM messages on the same bus would push utilization dangerously high.

EMC and routing — Safety buses use higher-quality twisted pair with tighter routing constraints. Infotainment wiring can be more relaxed, saving cost.

Bus SegmentSpeedECUsRationale
Powertrain CAN500 kbpsEngine, Transmission, OBD-IITight real-time control loops, emissions diagnostics
Chassis CAN500 kbpsABS, Airbag, ADAS CameraSafety-critical, fast response needed
Body CAN125 kbpsBody Control, Instrument Cluster, Parking SensorsLower-speed comfort functions, lighting, wipers
Infotainment CAN500 kbpsHead Unit, Rear CameraHigh data rate for media/display, non-safety

Message ID Assignment

CAN uses an arbitration-based bus access scheme. Lower message ID wins arbitration, so lower IDs have higher priority. This is not configurable at runtime — it is baked into the network design.

Powertrain CAN message table:

MessageCAN ID (hex)SenderPeriodSizePriority
Engine RPM + Torque0x100Engine ECU10 ms8 bytesHighest
Throttle Position0x110Engine ECU10 ms4 bytesHigh
Gear Request0x120Transmission ECU20 ms4 bytesHigh
Gear Status0x130Transmission ECU20 ms4 bytesHigh
Coolant Temp0x200Engine ECU1000 ms2 bytesLow
Oil Pressure0x210Engine ECU1000 ms2 bytesLow
Diagnostic Request0x7DFOBD-II ToolOn-demand8 bytesLowest
Diagnostic Response0x7E0-7E7ECUOn-demand8 bytesLowest

Chassis CAN message table:

MessageCAN ID (hex)SenderPeriodSizePriority
Wheel Speed (4 wheels)0x0A0ABS ECU5 ms8 bytesHighest
Brake Pressure0x0B0ABS ECU10 ms4 bytesHighest
Airbag Status0x0C0Airbag ECU100 ms2 bytesHigh
Crash Detection0x010Airbag ECUEvent-driven4 bytesCritical
ADAS Object List0x300ADAS Camera50 ms8 bytesMedium
ADAS Lane Data0x310ADAS Camera50 ms8 bytesMedium

ID assignment strategy:

  • Reserve 0x000-0x0FF for safety-critical, time-critical messages
  • Reserve 0x100-0x2FF for periodic control data
  • Reserve 0x300-0x5FF for sensor/status data
  • Reserve 0x600-0x6FF for network management (NM)
  • Reserve 0x700-0x7FF for diagnostics (UDS/OBD-II standard range)

Bus Load Analysis

This is a key calculation interviewers expect. A CAN bus that is too heavily loaded causes message delays and missed deadlines.

Formula:

text
Utilization = SUM(message_rate_i * bits_per_frame_i) / bus_bitrate * 100%

Bits per standard CAN frame (worst-case with bit stuffing):

  • 8-byte data payload: 44 bits overhead + 64 bits data + up to 24 stuff bits = approximately 132 bits
  • Simplified: use 130 bits per 8-byte frame for estimation

Powertrain CAN worked example (500 kbps):

MessagePeriodRate (msg/s)Bits/frameBits/s
Engine RPM + Torque10 ms10013013,000
Throttle Position10 ms10011011,000
Gear Request20 ms501105,500
Gear Status20 ms501105,500
Coolant Temp1000 ms19090
Oil Pressure1000 ms19090
Total35,180

Utilization = 35,180 / 500,000 = 7.0%

This is well under the 40% target for safety buses. Even adding 10 more messages would keep the bus comfortably loaded.

Why the 30-40% rule?

  • CAN arbitration delays grow non-linearly as utilization increases
  • At 70%+ utilization, low-priority messages can be starved for hundreds of milliseconds
  • Safety standards (ISO 26262) require worst-case latency guarantees, which are only achievable at low utilization
  • Rule of thumb: under 30% for ASIL-C/D buses, under 50% for ASIL-A/B, under 70% for non-safety

Gateway ECU Design

The gateway is the central nervous system of the vehicle network. It connects all four bus segments and controls what crosses between them.

Core functions:

  1. Selective routing — Only forward messages that the destination bus needs. Engine RPM is forwarded to the instrument cluster (body CAN) but not to infotainment.

  2. Firewall / security — The infotainment head unit (connected to Bluetooth, WiFi, and USB) is a potential attack surface. The gateway must never forward write-requests from infotainment to powertrain or chassis. This is a hard security boundary.

  3. Rate limiting — If an ECU starts flooding (babbling node fault), the gateway can drop excess messages to protect other buses.

  4. Protocol translation — If body electronics use LIN sub-buses (e.g., seat motors, mirror adjust), the gateway bridges CAN to LIN. If ADAS uses CAN-FD for larger payloads, the gateway translates CAN-FD frames to classic CAN.

Routing table example:

Source BusMessageDestination BusAction
PowertrainEngine RPM (0x100)Body (Cluster)Forward
PowertrainEngine RPM (0x100)InfotainmentForward (read-only)
ChassisWheel Speed (0x0A0)PowertrainForward (traction control)
ChassisCrash Detection (0x010)All busesBroadcast
InfotainmentMedia StatusBody (Cluster)Forward
InfotainmentANY write to 0x000-0x2FFPowertrain/ChassisBLOCK
BodyDoor Lock StatusInfotainmentForward

Diagnostics (UDS over CAN)

Every modern vehicle must support standardized diagnostics for workshop repair and emissions testing.

Protocol stack:

text
┌─────────────────────────────┐
│ UDS (ISO 14229)             │  Application: read DTCs, flash ECU, read PIDs
├─────────────────────────────┤
│ ISO-TP (ISO 15765-2)        │  Transport: segment messages longer than 8 bytes
├─────────────────────────────┤
│ CAN (ISO 11898)             │  Data link: physical bus access
└─────────────────────────────┘

Key diagnostic services:

UDS ServiceID (hex)Purpose
DiagnosticSessionControl0x10Enter default, extended, or programming session
ECUReset0x11Soft/hard reset an ECU
ReadDataByIdentifier0x22Read calibration data, serial number, SW version
ReadDTCInformation0x19Retrieve stored diagnostic trouble codes
ClearDTCInformation0x14Clear stored DTCs after repair
RoutineControl0x31Run self-tests, actuator tests
RequestDownload0x34Begin ECU firmware reflash
TransferData0x36Send firmware data blocks

OBD-II compliance:

  • The OBD-II port is physically located on the powertrain CAN bus (required by regulation)
  • Standard request ID: 0x7DF (functional broadcast to all ECUs)
  • Standard response IDs: 0x7E0 through 0x7E7 (one per responding ECU)
  • Required PIDs: engine RPM, vehicle speed, coolant temp, fuel system status, oxygen sensor readings
  • Emissions-related DTCs must be accessible to any generic OBD-II scan tool

DTC storage per ECU:

  • Each ECU maintains a DTC table in non-volatile memory (EEPROM or emulated Flash)
  • DTC format: 3-byte code (e.g., P0301 = cylinder 1 misfire) + status byte (confirmed, pending, history)
  • Freeze frame data: snapshot of operating conditions when DTC was set (RPM, temp, speed, load)
  • Typical storage: 20-50 DTCs per ECU with freeze frames

CAN Classic vs CAN-FD Decision

FeatureCAN Classic (ISO 11898-1)CAN-FD (ISO 11898-1:2015)
Max data payload8 bytes64 bytes
Arbitration speedUp to 1 MbpsUp to 1 Mbps (same)
Data phase speedSame as arbitrationUp to 8 Mbps
Bit stuffing overheadHigher (relative)Lower (relative to payload)
Backward compatibilityUniversalRequires all nodes on bus to support FD
TransceiverStandardFD-capable transceiver needed
Typical usePowertrain, body, chassisADAS, gateway, ECU flashing
Silicon maturity30+ years, every MCUWidely available since approximately 2018

Recommendation for this design:

  • Powertrain and chassis CAN: Stay with CAN classic at 500 kbps. 8-byte frames are sufficient for RPM, torque, wheel speed, and brake pressure. Proven, reliable, every ECU supports it.
  • Infotainment/ADAS CAN: Use CAN-FD at 500 kbps arbitration / 2 Mbps data phase. The ADAS camera needs to send object lists (position, velocity, classification for multiple objects) that exceed 8 bytes. CAN-FD's 64-byte frame avoids fragmentation.
  • Gateway: Must support both CAN classic and CAN-FD interfaces. Modern gateway MCUs (e.g., S32K3 series, TC3xx) have mixed CAN/CAN-FD controllers.

Key Design Decisions

DecisionOptions ConsideredChoiceRationale
Number of buses1 (single bus), 2, 4, 64 busesBalance of isolation, wiring cost, and complexity
Bus speed (safety)125 kbps, 250 kbps, 500 kbps500 kbps5 ms latency target with margin
Bus speed (body)125 kbps, 250 kbps125 kbpsSufficient for slow comfort functions, cheaper transceivers
Gateway topologyDistributed, centralizedCentral gatewaySimpler routing, single firewall point, easier testing
CAN-FD adoptionAll buses, ADAS only, noneADAS + infotainment onlyBackward compatibility on powertrain, FD needed for camera data
Diagnostic protocolProprietary, UDS, KWP2000UDS (ISO 14229)Industry standard, OBD-II compliance, tool support
Security modelNone, gateway firewall, SecOCGateway firewall + SecOC on safety messagesBlocks external attacks, authenticates critical frames

What Interviewers Evaluate

Understanding of CAN arbitration and priority — The candidate should explain that lower CAN IDs win arbitration, and that message ID assignment is a system-level design choice with real-time implications. Show the ID table and explain why crash detection gets the lowest ID on the chassis bus.

Bus load awareness — Work through the utilization calculation on the whiteboard. Interviewers want to see that you know how to estimate bandwidth consumption and why exceeding 30-40% on safety buses is dangerous. Show the formula, plug in real numbers, and verify the result is within budget.

Safety isolation thinking — The most important architectural question is: why separate safety-critical buses from infotainment? The answer combines fault isolation (a crashed head unit must not affect ABS), security (Bluetooth/WiFi attack surface must not reach powertrain), and EMC (safety wiring has stricter requirements). This is an ISO 26262 concern that interviewers specifically probe.

Gateway as a security boundary — With connected vehicles, the infotainment system is an attack vector (Bluetooth, WiFi, USB, cellular). The gateway must enforce a strict firewall: no write access from infotainment to powertrain or chassis buses. Demonstrate awareness of the 2015 Jeep Cherokee hack as motivation for this isolation.

Diagnostics knowledge — Mention UDS, ISO-TP, and the OBD-II standard CAN IDs (0x7DF request, 0x7E0-0x7E7 response). This signals real-world automotive experience. Bonus points for discussing DTCs, freeze frames, and the distinction between functional and physical addressing.