50.7.4.2.1 Fault Confinement
To distinguish between temporary and permanent failures, every CAN controller has two error counters: REC (Receive Error Counter) and TEC (Transmit Error Counter). The two counters are incremented upon detected errors and are decremented upon correct transmissions or receptions, respectively. Depending on the counter values, the state of the node changes: the initial state of the CAN controller is Error Active, meaning that the controller can send Error Active flags. The controller changes to the Error Passive state if there is an accumulation of errors. If the CAN controller fails or if there is an extreme accumulation of errors, there is a state transition to Bus Off.
An error active unit takes part in bus communication and sends an active error frame when the CAN controller detects an error.
An error passive unit cannot send an active error frame. It takes part in bus communication, but when an error is detected, a passive error frame is sent. Also, after a transmission, an error passive unit waits before initiating further transmission.
A bus off unit is not allowed to have any influence on the bus.
For fault confinement, two error counters (TEC and REC) are implemented. These counters are accessible via the Error Counter register (CAN_ECR). The state of the CAN controller is automatically updated according to these counter values. If the CAN controller enters the Error Active state, then the CAN_SR.ERRA bit is set. The corresponding interrupt is pending while the interrupt is not masked in the CAN_IMR. If the CAN controller enters Error Passive mode, then the CAN_SR.ERRP bit is set and an interrupt remains pending while the CAN_IMR.ERRP bit is set. If the CAN controller enters Bus Off mode, then the CAN_SR.BOFF bit is set. As for ERRP and ERRA, an interrupt is pending while the CAN_IMR.BOFF bit is set.
When one of the error counter values exceeds 96, an increased error rate is indicated to the controller through the WARN bit in CAN_SR, but the node remains error active. The corresponding interrupt is pending while the interrupt is set in CAN_IMR.
Refer to the Bosch CAN specification v2.0 for details on fault confinement.
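The counter-driven state changes described above can be modelled in a few lines of C. This is an added example, not code from the datasheet or the device vendor: the type and function names are hypothetical, only the base counting rules are modelled, and the 127 and 255 limits are taken from the Bosch CAN 2.0 specification rather than from this section.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: simplified CAN 2.0 fault-confinement model (base rules only).
 * Limits 127/255 are from the Bosch CAN 2.0 spec; 96 is this section's WARN limit. */
typedef enum { ERR_ACTIVE, ERR_PASSIVE, BUS_OFF } can_state_t;
typedef struct { uint16_t tec, rec; } can_node_t;   /* hypothetical type */

can_state_t can_state(const can_node_t *n)
{
    if (n->tec > 255) return BUS_OFF;
    if (n->tec > 127 || n->rec > 127) return ERR_PASSIVE;
    return ERR_ACTIVE;
}

/* Mirrors the WARN condition: either counter above 96. */
int can_warn(const can_node_t *n) { return n->tec > 96 || n->rec > 96; }

/* Transmit error: TEC += 8. A bus-off node no longer counts. */
void can_tx_error(can_node_t *n) { if (can_state(n) != BUS_OFF) n->tec += 8; }
/* Successful transmission: TEC -= 1, not below 0. */
void can_tx_ok(can_node_t *n) { if (can_state(n) != BUS_OFF && n->tec > 0) n->tec--; }
/* Receive error: REC += 1 (saturated at 255 in this model). */
void can_rx_error(can_node_t *n) { if (n->rec < 255) n->rec++; }
/* Successful reception: REC -= 1; above 127 it drops back to 127
 * (the spec allows any value from 119 to 127). */
void can_rx_ok(can_node_t *n)
{
    if (n->rec > 127) n->rec = 127;
    else if (n->rec > 0) n->rec--;
}

/* Consecutive transmit errors needed, from reset, to reach `target`. */
int tx_errors_until(can_state_t target)
{
    can_node_t n = {0, 0};
    int count = 0;
    while (can_state(&n) < target) { can_tx_error(&n); count++; }
    return count;
}

int main(void)
{
    printf("error passive after %d TX errors, bus off after %d\n",
           tx_errors_until(ERR_PASSIVE), tx_errors_until(BUS_OFF));
    return 0;
}
```

Because a transmit error costs 8 counts and a success recovers only 1, a node that trips WARN repeatedly is worth logging from the WARN and ERRP interrupts well before BOFF is reached.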