One-page pipeline map (how the page is organized)

Sleep → Bus activity → Filter → Wake decision → Host wake → Network resume

Each block above maps to a later chapter: filter strategy, false-wake control, measurement, diagnostics, and selection.

Next decisions (what to pin down early)

• Define wake sources and an attribution schema before tuning filters.
• Decide the service/OTA update policy for filter tables to avoid field-side surprises.
• Set KPIs for standby Iq and false wake rate to keep later validation objective.

Partial networking is not about saving a little current on a single node. Its value comes from scale: as node count grows, standby current adds up linearly, while false wakes create a nonlinear system cost (multiple ECUs and domains may power up together). The goal is targeted wake—wake only the ECUs that must act.

Standby current budget (engineering accounting, not marketing)

A useful budget separates what is unavoidable (always-on domain) from what can be kept in selective-wake listening. The accounting below keeps later measurement and validation objective.

Practical tip: budget by domain (body/comfort, gateway, always-on) rather than by a flat ECU list—this avoids mixing incomparable standby modes.

Wake event cost (why false wakes hurt)

A false wake is not only a momentary interrupt. It is often a chain reaction: one wake source triggers policy logic, powers multiple rails, starts clocks, logs events, and may wake adjacent domains through the gateway. That is why false-wake control is a first-class requirement, not a late-stage tweak.

• Energy: domain power-up + MCU active time + bus traffic during resume.
• Wear: repeated power cycling, thermal cycling, and NVM write amplification from event logging.
• Field behavior: parked battery drain and hard-to-reproduce “night wake” complaints.

KPIs to lock before implementation (placeholders)

• Standby Iq: ≤ X (by domain / by ECU role).
• False wake rate: ≤ Y per day (measured with defined harness/noise conditions).
• Attribution coverage: ≥ Z% wake events tagged with a source and filter hit ID.

These KPIs directly drive later chapters: filter strategy, false-wake robustness knobs, measurement setup, and diagnostics logging.

Next decisions (to keep the project controllable)

• Define the domain split and which ECUs must remain always-on versus PN-listening.
• Write the wake attribution fields (source, filter-hit ID, timestamp, version) before tuning filters.
• Lock KPI placeholders (X/Y/Z) and measurement conditions so validation does not drift later.

Outputs to lock (engineering deliverables)

• Min-set ID/mask: smallest mask coverage that matches the intended wake intents without table explosion.
• Second-stage checks: DLC and payload match rules that suppress noise-like frames and unintended IDs.
• Priority & conflicts: deterministic hit order and a defined default for “no hit”.
• Lifecycle governance: versioning, OTA update rules, rollback, and service bypass controls.
• Evidence hooks: filter_hit_id / pattern_id and policy_version for attribution and debugging.

Min-set ID/mask design (avoid table explosion)

Mask design works best as a two-stage funnel: a fast, broad ID/mask pre-filter that limits candidate frames, followed by a stricter DLC/payload match that collapses false positives. The goal is coverage with compression.

1. Group by wake intent (diagnostic, comfort action, safety/critical intent) instead of per-ECU lists.
2. Cluster IDs into maskable families (prefix/contiguous ranges) to reduce entries.
3. Close the funnel using DLC/payload rules to prevent broad masks from waking on unrelated traffic.

Practical rule: coarse masks are acceptable only if a second stage removes the most common false hits.

DLC and payload match (reduce false wakes without missed wakes)

• Prefer stable fields: service/function codes over volatile counters or rolling values.
• Use compatibility groups: allow an OR-set of acceptable patterns if software evolves over time.
• Plan for OTA changes: if payload semantics may change, require policy_version discipline and rollback.

Table strategies (whitelist, pattern-based, service bypass)

Lifecycle governance (factory → OTA → service)

• policy_version: every shipped table is versioned and logged with each wake event.
• Rollback: a fail-safe path exists if an OTA policy increases missed wakes or false wakes.
• Compatibility: mixed-version nodes must not break core wake intents during rollout.
• Audit: bypass enablement is time-bounded and recorded (who/when/how long/how many wakes).

Next decisions (to keep the table controllable)

• Freeze an attribution schema: wake_source + filter_hit_id + policy_version.
• Define service bypass governance: time-bounded, logged, and reversible.
• Specify hit priority rules so behavior remains deterministic across updates.

PN state machine (roles and transitions)

Active → Prepare-sleep → PN listening → Wake pending → Active. Each transition must be observable through a defined status bit, pin, or log event so that field failures are reproducible.

Sleep entry conditions (define “true PN listening”)

• Bus idle: bus inactivity holds for ≥ X ms (placeholder) before entering PN listening.
• Host handshake: MCU/SBC grants low-power entry (placeholder signal/flag).
• Transceiver mode: PN listening mode is confirmed by a readable status or event record.

Without these three definitions, “it was asleep” becomes untestable, and false-wake investigations become guesswork.

Wake latency as segments (assign responsibility)

1. Detect latency: activity → match → wake asserted (transceiver + filter pipeline).
2. Host wake latency: wake asserted → host ready (clock, reset, interrupt response, policy).
3. Network resume latency: host ready → resume traffic (gateway/ECU resume policy window).

Segmenting latency prevents misdiagnosis: slow resume is not always a transceiver issue.

Activity windows and debouncing (edge cases without waveform details)

• Detect window: require minimum activity duration ≥ A (placeholder) to ignore short spikes.
• Confirm window: second-stage match completes within B (placeholder) for a valid wake.
• Cooldown window: ignore re-triggers for C (placeholder) after a valid wake to suppress chatter.
• Evidence: count “activity with no hit” to separate noise from intended wake traffic.

Next decisions (to prevent timing ambiguity)

• Define “true PN listening” via bus idle, host handshake, and transceiver mode confirmation.
• Measure latency by segments (detect/host/resume) to avoid misattribution during debug.
• Introduce counters for “activity with no hit” to separate noise from intended wake traffic.

Scope lock (what is controlled here)

• Controlled: symptom classification, attribution evidence, filter/timing/policy knobs, and KPI definitions.
• Not expanded: CMC/TVS component implementation or detailed EMC layout; route those to EMC/Protection subpages.
• Not expanded: CAN FD waveform/sampling-point analysis; route those to PHY-focused pages.

False-wake source buckets (observable patterns)

Robustness knobs (control levers + trade-offs)

KPIs and measurement scope (placeholders)

• False wake rate: ≤ X/day over a defined off/locked window (24–72 h), temperature and battery range as placeholders.
• Attribution completeness: ≥ Z% of wake events have wake_source + policy_version (+ hit_id if applicable).
• Activity-no-hit counter: tracked to separate coupling noise from intended wake traffic.

Fast control loop (field-friendly)

1. Classify: check wake_source, filter_hit_id, and “activity-no-hit” counters.
2. Decide knob: noise-like activity → timing knobs; unintended matches → filter knobs; drift after stress → confirm + audit.
3. Freeze evidence: bind changes to policy_version and rerun the same KPI window.

Pass criteria placeholders (how to fill X/Y/Z)

Use a single KPI window definition across stages (off/locked duration, temperature range, battery range). Keep thresholds consistent across variants, then tighten only after attribution completeness is stable.

Lock the measurement definition first

• State proof: verify the DUT is in PN listening (not only “MCU asleep”) via mode/status evidence.
• Stabilization window: wait X minutes after entering PN listening before sampling Iq.
• Scope flags: mark service bypass, diagnostics, and remote/timed wake policies in every run record.

Standby Iq traps (how measurements get biased)

Fast sanity check: if Iq strongly depends on instrument range, harness routing, or fixture choice, the setup is dominating the result.

Standardize the topology (where to measure and what to timestamp)

• Power path: PSU → Iq meter (or shunt measurement point) → DUT.
• Signal path: CAN tool injects patterns and load profiles, independently logged.
• Time anchors: record T_enter_PN and T_sample_start for every run.

Wake sensitivity (repeatable injection contract)

• Controlled input: pattern generator defines frame content, cadence, repetition count, and bus load profile.
• Noise profiles: test with spikes, bursts, and long-idle rare events (defined profiles, not ad hoc noise).
• Outputs: wake success rate, wake latency distribution (P50/P95 placeholders), and spurious triggers.

Required run record fields (for comparability)

Minimal service data set (versioned and small)

• timestamp: consistent time base (placeholder) for ordering and replay.
• wake_source: bus / local / timed / remote / diagnostic (enumerated).
• filter_hit_id or pattern_id: present when selective-wake evidence exists.
• policy_version and filter_table_version: required for comparability.
• outcome: wake_valid / spurious / ignored (policy-dependent placeholder).

Counters that close the loop

• wake_events_by_source: counts per wake_source (rolling window placeholder).
• filter_hits / filter_misses: evidence of intended vs unintended matches.
• false_wake_suspects: events failing second-confirm or policy validation.
• activity_no_hit: activity detected but no match (coupling/noise indicator).
• rate_limited_wake: suppressed by cooldown windows (chatter indicator).

Each counter must specify: window definition and reset policy (key-on, service reset, or rolling).

Fault injection (validate diagnostics, not to “break” the system)

• bus wake injection: send matching / non-matching / boundary frames and verify counters + records.
• local wake injection: toggle local wake input and verify wake_source attribution.
• hit/miss forcing: select specific filter entries and confirm filter_hit_id behavior.
• acceptance: records are complete (required fields) and ring buffer replay is consistent.

Minimal ASIL-facing visibility (hook principles)

• PN state: Active / PN listen / Wake pending (enumerated).
• last_wake_source: last classified source (enumerated).
• diagnostic flag: threshold-based alert derived from counters (placeholder).
• policy_version: the active strategy version for traceability.

Scope note: only interface hooks and minimal data are defined here; full safety standard processes are intentionally out of scope.

Isolation topology patterns (with example material numbers)

Notes: material numbers above are examples to anchor selection logic; always verify package, suffix, automotive grade (AEC-Q), and availability.

Decision tree (requirements-first)

1. Isolation rating: reinforced vs basic; check working voltage / creepage / surge expectations.
2. dv/dt environment: choose CMTI headroom for switching events; prioritize correct return-path strategy.
3. CAN FD timing: data rate + harness loading define loop-delay and symmetry margin requirements.
4. Isolated power: integrated iso DC/DC vs external rails; match EMI/noise budget and wake sequencing.
5. Low-power: standby current, wake sources, false-wake tolerance, and how wake attribution is reported.
6. Diagnostics: fault observability for service (bus/local/power) and safety hooks for monitoring.

Spec-to-risk mapping (what each spec protects against)

Practical rule: every “must-have spec” must pair with a “how to verify it in the real harness” plan.