This page owns

• Active star vs repeater behaviors: isolation, replication, fault policy, diagnostics.
• Topology-level reliability: fault propagation paths, redundant routing, serviceability.
• System-relevant timing impacts: added latency, symmetry, and measurement hooks.

Mention only (link out)

• FlexRay transceiver electrical internals (drive/ESD/short): Transceiver page.
• Controller scheduling (static/dynamic segments): Controller page.
• CMC/TVS/termination component details: EMC/Protection page.

Exclude

• Protocol history and frame-format walkthroughs (only referenced as needed).
• Deep component selection lists (kept in the EMC/Protection hub).
• Full ECU network planning (kept in the domain index / gateway pages).

Repeater

• Goal: extend reach / regenerate edges.
• Primary levers: signal integrity, propagation delay, branch loading.
• Failure behavior: often still “shared fate” if the topology remains effectively bus-like.
• Diagnostics: typically limited (may not attribute faults per branch).

Active Star Coupler

• Goal: controlled replication + port-level fault containment.
• Primary levers: isolation policy, redundancy handling, diagnosable events.
• Failure behavior: “branch fault → branch isolation,” preserving other ports.
• Diagnostics: counters/logs for isolate/recover attempts and fault attribution.

1) Stronger isolation

A misbehaving branch becomes an isolated port, not a system-wide disturbance. Evidence: isolate events, per-port health states, recovery attempts.

2) More controllable redundancy

Central fan-out enables consistent A/B behavior, clearer failover decisions, and fewer “hidden coupling” paths. Evidence: deterministic latency deltas and failover logs.

3) Better diagnostics

Failures become attributable (which port, what fault class, what action taken), enabling faster triage and higher serviceability.

Star node

One central coupler with multiple branches. Primary focus: branch containment + centralized diagnostics.

Cascaded stars

Multiple star stages used for distance/partitioning. Key risk: cumulative latency and skew; budgeting becomes mandatory.

Dual-star

Redundant central nodes for higher availability. Key design task: define failover rules and verify deterministic-latency behavior.

Repeater

Hub (generic)

Active Star Coupler

Guardian

Controller

• Owns: timing rules and message behavior (what/when).
• Evidence: schedule consistency, frame timing, logical error counters.
• Typical failure look: consistent mis-timing across nodes, wrong configuration correlations.
• Scope note: static/dynamic segment details belong to the Controller page.

Transceiver

• Owns: electrical I/O behavior (drive, thresholds, protection).
• Evidence: waveform amplitude/edges, common-mode behavior, protection/thermal events.
• Typical failure look: edge distortion, susceptibility to harness/EMI, short-to-bat/ground effects.
• Scope note: device-level electrical internals belong to the Transceiver page.

Coupler / Active star

• Owns: topology behavior: replication, port gates, fault containment, redundancy handling.
• Evidence: per-port isolation state, isolate/recover counters, port attribution in logs.
• Typical failure look: one branch triggers isolation; other ports remain stable; recover behavior is observable.
• System impact: added latency and symmetry constraints (budgeted as a topology element).

ECU direct attach

• Best for: fewer nodes, shorter harness, simpler fault expectations.
• What breaks first: shared-fate disturbance (one bad branch impacts many).
• Log focus: global error counters + waveform sanity on the trunk.

Aggregated by active star

• Best for: many branches, serviceability, and port-level containment requirements.
• What breaks first: cumulative latency/symmetry if budgeting is skipped; false isolation if thresholds are mis-tuned.
• Log focus: per-port isolation state + recovery attempts + attribution.

1) Input detect

Inputs are normalized for replication decisions (validity, timing window, basic plausibility). Evidence: input status flags and per-channel health.

2) Replication matrix

Traffic is copied to eligible ports; segmentation determines which ports participate. Evidence: port enable/disable and forwarding state.

3) Port gates

Each port has a gate that can block forwarding when a fault class is detected. Evidence: isolate state + block reason + duration.

4) Diagnostics & recovery

Actions become attributable: which port, which fault, which decision, what outcome. Evidence: isolate/recover counters and event logs.

Short / open / severe electrical fault

• Gate action: fast isolate to stop branch dragging the network.
• Quick check: isolate event aligns with the first abnormal port health flag.
• Pass criteria: other ports’ error counters remain within X over Y.

Stuck-dominant / babbling behavior

• Gate action: suppression / block based on policy (guardian-like behavior).
• Quick check: block reason codes show behavior fault vs electrical fault.
• Pass criteria: blocked port cannot flood replication matrix; utilization stabilizes.

Noisy branch / EMI-induced instability

• Gate action: isolate only after confidence threshold (avoid false isolate).
• Quick check: correlate isolates with noise indicators or environmental conditions.
• Pass criteria: false-isolate rate ≤ X / day at target EMC conditions.

Port front-end

• Owns: receive/drive boundary, input qualification, optional reshaping/retiming.
• Dominates: baseline delay floor + sensitivity to input quality.
• Evidence: per-port health flags and input-valid indicators.

Switching / replication matrix

• Owns: copy/forward paths (broadcast, groups, filters).
• Dominates: port-to-port skew if paths differ.
• Evidence: forwarding state and participation masks.

Fault manager (state machines)

• Owns: isolate/recover policy, confidence thresholds, debouncing.
• Dominates: false isolate vs missed isolate trade-off.
• Evidence: isolate reason codes, action outcomes, durations.

Timebase / monitor + counters

• Owns: relative delay/phase observation, counters, event capture.
• Dominates: diagnosability and field correlation quality.
• Evidence: event logs aligned to port actions.

Broadcast copy

• Meaning: forward to all eligible ports.
• Risk: demands robust port gating to prevent one bad branch from affecting many.
• Evidence: participation masks match intended topology.

Group copy

• Meaning: ports are segmented into replication domains.
• Benefit: limits blast radius; simplifies attribution.
• Evidence: domain membership is observable and stable.

Filtered copy

• Meaning: forwarding depends on rules (policy inputs).
• Risk: rule drift can mimic timing issues if not logged.
• Evidence: rule hits are counted and attributable.

Port front-end delay

Sets the baseline delay floor. Retiming (if present) improves determinism but adds a measurable fixed term plus drift.

Replication delay

Depends on matrix routing and the number of participating ports. If paths differ, mismatch grows and must be budgeted explicitly.

Output + gate delay

The forwarding gate and output stage must remain stable across isolate/recover actions; discontinuities here create “two-step” latency behavior.

Fixed term

• Nominal delay (typ) + device-to-device spread.
• Include port-to-port routing differences if present.

Temperature drift

• Budget Δdelay across -40°C to +125°C.
• Track mismatch drift separately from mean drift.

Load-dependent term

• Port participation count and harness loading can move delay and skew.
• Budget for worst-case replication participation patterns.

Short / Open

• Evidence: port health flag + abrupt error counter jump + (optional) current/thermal event.
• Policy: fast isolate is justified when evidence is high-confidence.

Dominant stuck

• Evidence: persistent occupancy pattern + behavior reason code + repeated local violations.
• Policy: isolate quickly, but always log a behavior-class reason (not electrical).

Babbling idiot

• Evidence: abnormal utilization + repeated flooding windows + gate action frequency.
• Policy: tiered response (throttle → isolate) to avoid unnecessary downtime.

Noisy node

• Evidence: bursty errors + environment correlation + confidence counter accumulation.
• Policy: anti-false-isolate gating (require repeated confirmation before isolating).

Ground shift

• Evidence: multi-port simultaneous degradation + power events + A/B common behavior.
• Policy: treat as system-common cause; avoid sequentially “blaming” every port.

Fast signals

Direct, high-confidence indicators that justify immediate isolation actions (typical for short/open and persistent stuck conditions).

Behavior signals

Windowed statistics (utilization, error bursts, repeated policy violations) that require a defined observation window and debouncing.

Confidence signals

Multi-hit confirmation used to prevent false isolation in noise-like cases; supports gradual escalation and evidence capture.

Rule 1 · Fast isolate

• Apply when evidence is high-confidence and blast radius is large.
• Action: gate block + freeze evidence snapshot + reason-coded event.
• Pass criteria: post-isolate stability meets X errors per Y time window.

Rule 2 · Anti-false-isolate

• Apply to bursty, environment-correlated instability.
• Action: require ≥ N confirmations over ≥ T before isolating.
• Pass criteria: false isolate rate ≤ X per hour under test conditions.

Rule 3 · Common-cause guard

• When multiple ports degrade together, treat as system-level cause first.
• Action: raise system alarm mode; avoid sequential port “blame” isolation.
• Pass criteria: isolate actions remain bounded (≤ X ports) during common-cause events.

Identity

port_id, channel (A/B), topology domain (if segmented)

Cause + action

fault_class, reason_code, action (block/throttle/retry), outcome

Time + snapshot

timestamp, duration, counter snapshot aligned to the decision window

Bus vs Star

Bus termination is typically “two ends.” Star termination becomes a domain decision (center vs branch vs segmented groups) driven by hotspot risk and branch mismatch.

Split termination

Used as a common-mode control lever. In star, it is often evaluated at the center as a system reference tool, not as a per-branch afterthought.

Decision lens

• Is the center a radiation hotspot?
• Are branch loads mismatched?
• Is domain segmentation required?

Port-parallel baseline

• Source: multiple active ports (Rx/Tx front-ends, monitors) running concurrently.
• Accounting: define an activity profile per port (idle / listen / replicate / isolated).
• Risk: “all-ports-on” assumptions hide realistic hotspot modes.

Drive/load-dependent power

• Source: harness load and termination domains change output-stage dissipation.
• Accounting: budget “worst-branch” and “typical-branch” separately.
• Risk: center heats unevenly when one branch dominates activity.

Replication & policy overhead

• Source: replication matrix activity, fault-manager actions, logging bursts.
• Accounting: treat “replication domain size” as a tunable variable.
• Risk: fault storms can raise dynamic power and trigger thermal cascades.

Stage 1 · Reduce replication

Shrink replication domains to cut dynamic power first; keep core connectivity alive while lowering thermal load.

Stage 2 · Port capability limit

Apply output limiting / feature limiting (when supported) before isolating ports, to avoid unnecessary topology fragmentation.

Stage 3 · Selective isolation

Isolate non-critical branches and preserve priority domains; log thermal-triggered actions with reason codes.

Stage 4 · Hard shutdown

Use only as last resort; define recovery entry conditions to prevent repeated brown-out cycles.

Single star (single hotspot)

• Center failure can remove multiple domains at once.
• Thermal limits become network availability limits.
• Isolation policy must minimize avoidable downtime.

Dual-star / cascaded-star

• Reduces single-point blast radius with redundant paths.
• Adds consistency and correlation requirements across centers.
• Requires a clear “degraded but safe” definition for each domain.

Error counters

Per-port, per-channel (A/B) counters aligned to a defined window; supports correlation with waveform/thermal observations.

Isolation events

Reason-coded triggers, action type, and the evidence window that justified isolation (fast vs confidence-based).

Recovery attempts

Attempt count, retry schedule state, outcome, and whether re-isolation occurred; essential for oscillation detection.

Minimum fields

• timestamp
• port_id + channel (A/B)
• fault_class + reason_code
• action (block/throttle/retry)
• outcome (success/re-isolate)

Recommended fields

• counter snapshot (aligned window)
• temperature bin + supply state
• topology mode + replication domain
• retry budget state

ASIL interface hooks

• port safe state / degraded mode indication
• reason-code consistency for critical events
• bounded recovery behavior under faults

Fault injection points

• synthetic port fault / counter anomalies
• forced recovery failure to verify escalation
• event freeze trigger verification

• Cycle & bandwidth budget (static/dynamic windows). Evidence: one-page budget sheet. Pass: margins ≥ X%.
• Static schedule concept rows (message class → slot policy → redundancy A/B rule). Evidence: schedule spec. Pass: worst-case E2E latency ≤ X.
• Dynamic policy (minislot/priority/anti-starvation). Evidence: priority tiers + burst guard. Pass: P99 response ≤ X.
• Host resource budget (CPU ISR load, queue depth, log buffer). Evidence: worst-case analysis. Pass: headroom ≥ X%.
• Observability contract (counters, timestamps, reason codes). Evidence: “black-box field list.” Pass: a single log capture can classify the fault domain.

• Startup convergence: INIT→LISTEN→INTEGRATE→NORMAL. Evidence: state transition log + reason codes. Pass: enter NORMAL in ≤ X cycles; retries ≤ X.
• Sync stability: offset/rate trends and “cycle slip” counters. Evidence: sync-status timeline. Pass: |offset| ≤ X; slips ≤ X per hour.
• Static segment correctness: missed-slot / window-miss events. Evidence: per-slot miss histogram. Pass: misses ≤ X per Y minutes.
• Dynamic segment latency tail: measure P95/P99. Evidence: response-time buckets by priority. Pass: P99 ≤ X; no starvation events.
• Fault confinement sanity: correlate confinement transitions with counters and host load. Evidence: “before/after” snapshots. Pass: expected entry/exit behavior; false entry rate ≤ X.
• Trigger hooks: define “freeze logs” on queue watermark / sync flip / repeated window-miss. Evidence: triggered trace with N-cycle context. Pass: every intermittent failure yields a classification within one capture.

• Metric definitions: unify denominators, time windows, and endpoints. Evidence: “one-pager metric spec.” Pass: station-to-station delta ≤ X.
• Distribution, not a single point: track P50/P95/P99 for latency and error counters across samples. Evidence: histograms. Pass: tails within X.
• Corner conditions: temperature + supply + reset sequences. Evidence: sync stability logs under corners. Pass: NORMAL entry ≤ X cycles; no slip bursts.
• Fleet black-box minimum: keep core counters, cycle ID, reason codes, and timestamps. Evidence: one capture classifies root domain (sync/schedule/host/gateway). Pass: field issue triage without reproducing in lab.

• MCU: Infineon SAK-TC397XX-256F300S-BD or Renesas R7F701318EAFP.
• Transceiver: NXP TJA1082TT.

• Vehicle network processor: NXP S32G399AABK1VUCT.
• Gateway MCU alternative: NXP MPC5748G.
• Transceiver: NXP TJA1082TT.

• MCU: Renesas R7F701318EAFP (RH850/P1M class) or Infineon TC397XX256F300SBDKXUMA2 (ordering example).
• Transceiver: NXP TJA1082TT.