CAN was chosen as the control and monitoring bus (refered to as system bus). CAN is a reliable and robust bus that has many years of heritage in automotive and industrial applications and is also qualified for space use. The bit rate of the bus is 1 Mbps. The specification for the CAN bus operation are for most parts taken from ECSS-E-ST-50-15C.


The CAN system bus has a nominal and redundant bus line (bus A and bus B).

The master node can talk to slaves and the slaves can talk to the master. The slaves DO NOT talk with each other. If data needs to be transferred from one slave to the other, this must be coordinated by and go through the master.

Can bus topology.png

It is composed of a single master (with node ID 0) and up to 127 slaves (with node ID 1 to 127). The node IDs are typically hard-coded in software and do not change during operation. Node IDs with lower value have higher priority in communication. That means, critical systems must be given lower IDs.

Frame Definition

Redundancy Management

The master node defines the bus to be considered active by periodic transmission of heartbeat messages on the active bus. The slave nodes monitor the presence of the heartbeat message from the master to determine the active bus.

SYNC Protocol

The master nodes can send a SYNC frame (CAN id = 0x080, no data) periodically (for example every 5 seconds). This can be used as the system reference pulse, upon which slave nodes synchronize their activities (for example, the collection of measurement data, sending of housekeeping data etc.).

Nodes use messages for exchange of commands (master to slave) and monitoring data (slave to master). A message can have a size of up to 4095 bytes. Messages of 7 bytes or less are sent in a single CAN frame. Larger messages are segmented into smaller chunks by the sending side and reassembled at the receiving side. For this, the ISO-TP protocol is used.