ISO 26021-2: Road Vehicles — End-of-Life Activation — Part 2: Communication Requirements

Data Link Protocol and Message Structure for Activating Pyrotechnic Devices via Vehicle Diagnostic Buses

1. Communication Architecture and Protocol Stack

ISO 26021-2 defines the communication requirements between the end-of-life activation tool and the vehicle’s pyrotechnic control units. The standard specifies a layered protocol architecture that operates over the vehicle’s existing diagnostic bus — typically the Controller Area Network (CAN) bus per ISO 11898, or the legacy Keyword Protocol 2000 (KWP2000) per ISO 14230 for older vehicles. The protocol is designed to operate within the existing vehicle diagnostic session framework defined by ISO 14229 (UDS — Unified Diagnostic Services).

The ISO 26021-2 communication protocol does not define a new physical layer. Instead, it specifies application-layer messages and session management rules that run on top of existing diagnostic transport protocols. This design decision minimizes implementation complexity and ensures compatibility with existing vehicle diagnostic infrastructure.

The protocol stack comprises four layers: the physical layer (CAN or K-line), the data link layer (ISO 11898-1 or ISO 14230-1), the transport layer (ISO 15765-2 for CAN or ISO 14230-2 for KWP2000), and the application layer defined by ISO 26021-2. The application layer defines service identifiers (SIDs) and data identifiers (DIDs) specific to pyrotechnic device activation, distinct from standard UDS diagnostic services used for emissions and powertrain diagnostics.

Layer | Standard | Function
Physical | ISO 11898-2 (CAN high-speed) or ISO 9141 (K-line) | Electrical signal levels, bus termination, connector pinout
Data Link | ISO 11898-1 (CAN) or ISO 14230-1 (KWP2000) | Frame formatting, arbitration, error detection, retransmission
Transport | ISO 15765-2 (CAN) or ISO 14230-2 (KWP2000) | Segmentation, reassembly, flow control for multi-frame messages
Application | ISO 26021-2 | Activation service requests, device status queries, session management
Pyrotechnic Session | ISO 26021-2 (Session 0x07) | Extended diagnostic session with elevated security access for deployment

The communication protocol enforces strict session state management. Activation commands are only accepted when the diagnostic tool has successfully established an extended diagnostic session (session 0x07) AND completed security access (seed-key authentication per ISO 14229-1). Any deviation — a session timeout, security access failure, or invalid message sequencing — immediately locks out activation and requires session re-establishment.
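The session rules above, as an added example that is not code from the standard or from any vendor tool: a minimal vehicle-side state tracker that reports "activation accepted" only while session 0x07 is active and seed-key access has succeeded, and drops both on a timeout, a failed key or a sequencing error. The timeout value, the event names and the injectable clock are assumptions of this illustration; 0x01 is the UDS default session.

```python
import time

PYRO_SESSION = 0x07      # session id named on this page
DEFAULT_SESSION = 0x01   # UDS defaultSession (ISO 14229-1)


class ActivationGate:
    """Tracks the diagnostic session and security state of one PCU (illustrative)."""

    def __init__(self, p2_timeout_s=0.05, clock=time.monotonic):
        self.p2_timeout_s = p2_timeout_s   # assumed value, configurable
        self.clock = clock
        self.session = DEFAULT_SESSION
        self.unlocked = False
        self.last_activity = clock()

    def _lockout(self):
        # Any deviation: back to default session, security access cleared.
        self.session = DEFAULT_SESSION
        self.unlocked = False

    def _touch(self):
        # Returns False (and locks out) if the P2 window has already expired.
        now = self.clock()
        expired = now - self.last_activity > self.p2_timeout_s
        self.last_activity = now
        if expired:
            self._lockout()
        return not expired

    def start_session(self, session_id):
        self._touch()
        self.session = session_id
        self.unlocked = False          # a new session always needs a fresh seed-key exchange
        return self.session == session_id

    def security_access(self, key_ok):
        # key_ok is the result of the manufacturer-specific seed-key check (not modelled here).
        if not self._touch() or self.session != PYRO_SESSION:
            return False
        if not key_ok:
            self._lockout()
            return False
        self.unlocked = True
        return True

    def sequence_error(self):
        self._lockout()                 # invalid message sequencing also locks out

    def accepts_activation(self):
        return self._touch() and self.session == PYRO_SESSION and self.unlocked
```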

2. Message Structures and Activation Sequence

ISO 26021-2 defines specific message formats for three categories of communication: (1) system information queries — retrieving the pyrotechnic device inventory, squib resistances, and vehicle-specific deployment parameters; (2) activation commands — triggering deployment of individual devices or device groups; and (3) status reporting — confirming deployment success, logging fault codes, and reporting system self-test results.

The activation command is structured as a UDS routine control service (0x31) with a dedicated routine identifier (RID) assigned to pyrotechnic activation. The command carries parameters specifying which devices to activate and in what sequence. The vehicle responds with a preliminary status indicating whether the activation request was accepted, pending verification checks, or rejected with a diagnostic trouble code (DTC) explaining the reason. After successful activation, the vehicle reports deployment results for each addressed device.

A key engineering feature of ISO 26021-2 is the “dry run” or “simulation mode” capability. The activation tool can issue a query-only command that returns the expected activation results without actually deploying any pyrotechnic charges. This mode is invaluable for training, system validation, and pre-activation troubleshooting without the cost, noise, and hazard of actual deployment.

3. Security and Authentication Requirements

Safety-critical communication demands robust security mechanisms. ISO 26021-2 requires a two-factor authentication process before any activation command is accepted. The first factor is session-level security access using the seed-key algorithm from ISO 14229-1, where the tool requests a random seed from the vehicle, computes the expected key using a manufacturer-specific algorithm, and transmits it back for verification. The second factor is a message-level signature that must be appended to each activation command to prevent replay attacks.

The message signature uses a rolling counter and CRC-32 checksum over the entire activation command message, including the counter value. The vehicle maintains its own counter and rejects any command where the counter value does not match the expected sequence. This mechanism prevents an attacker from recording and replaying a valid activation command captured from a different vehicle or a previous activation session. The standard also specifies minimum timing delays between successive activation commands to prevent thermal overload of the pyrotechnic control unit’s firing circuits.
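The counter and CRC-32 checks described above, as an added example that is not code from the standard or from any vendor implementation. The byte layout is an assumption for illustration: UDS RoutineControl SID 0x31, sub-function 0x01 (startRoutine), a 2-byte routine identifier (placeholder value; the real RID is not on this page), device parameters, a 2-byte rolling counter, then a CRC-32 (zlib/ISO-HDLC polynomial) over everything before it, counter included. The receiver also enforces the minimum spacing between accepted commands.

```python
import struct
import zlib

SID_ROUTINE_CONTROL = 0x31
SUB_START_ROUTINE = 0x01
RID_PYRO_ACTIVATE = 0xFFFF   # placeholder RID: the real value is assigned by the standard, not shown here


def build_command(counter, params, rid=RID_PYRO_ACTIVATE):
    """Tool side: SID, sub-function, RID, params, rolling counter, CRC-32 (assumed layout)."""
    body = bytes([SID_ROUTINE_CONTROL, SUB_START_ROUTINE]) + struct.pack(">H", rid) + params
    body += struct.pack(">H", counter)
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


class PcuReceiver:
    """Vehicle side: reject bad CRC, out-of-sequence counter, and commands sent too soon."""

    def __init__(self, min_interval_s):
        self.expected_counter = 0
        self.min_interval_s = min_interval_s   # thermal limit on the firing circuits (value assumed)
        self.last_accept_time = None

    def check(self, frame, now):
        # SID + sub + RID + >=0 params + counter(2) + CRC(4): at least 8 bytes
        if len(frame) < 8 or frame[0] != SID_ROUTINE_CONTROL:
            return "reject: malformed"
        body, crc = frame[:-4], struct.unpack(">I", frame[-4:])[0]
        if zlib.crc32(body) & 0xFFFFFFFF != crc:
            return "reject: crc"
        counter = struct.unpack(">H", body[-2:])[0]
        if counter != self.expected_counter:
            return "reject: counter"          # replayed or out-of-sequence command
        if self.last_accept_time is not None and now - self.last_accept_time < self.min_interval_s:
            return "reject: too soon"         # counter not consumed; tool may retry after the delay
        self.expected_counter = (self.expected_counter + 1) & 0xFFFF
        self.last_accept_time = now
        return "accept"
```

CRC-32 is an error-detection code, not a keyed MAC; in this scheme the counter is what rejects replays and the seed-key session gate is what provides authentication.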

The security mechanisms in ISO 26021-2 are not optional — they are mandatory requirements. Implementing a pyrotechnic activation system that omits or weakens these security controls creates a direct safety hazard, as unauthorized activation of pyrotechnic devices could cause serious injury or death. System integrators must verify that their tools and vehicle-side implementations correctly enforce all specified security checks.

FAQs

Q1: Can ISO 26021-2 communication operate over CAN FD (Flexible Data-Rate)?
ISO 26021-2 was originally specified for classical CAN (11-bit and 29-bit identifiers). However, CAN FD compatibility has been achieved in practice by mapping the application-layer messages unchanged onto CAN FD frames. The standard is expected to formally adopt CAN FD in a future amendment.
Q2: What happens if the communication link is interrupted during activation?
If the transport layer detects a timeout (no response within the P2 timeout window, typically 50 ms), the activation tool must abort and re-establish the diagnostic session. The vehicle-side implementation must terminate any in-progress activation sequence upon loss of session integrity.
Q3: How does the protocol handle multiple pyrotechnic control units?
Each PCU has a unique CAN identifier (11-bit or 29-bit). The activation tool communicates with each PCU individually using addressed diagnostic requests. The ECU addressing scheme follows ISO 15765-4 (emissions-related) conventions for physical and functional addressing.
Q4: Are the security algorithms standardized or manufacturer-specific?
The seed-key algorithm itself is manufacturer-specific and is not published in ISO 26021-2. The standard only defines the mechanism for seed transmission and key response. Each vehicle manufacturer develops and protects their own algorithm as intellectual property. Activation tool developers must obtain these algorithms through licensing agreements with manufacturers.
