Search Results

The next generation of cars will consist of a high number of networked electronic control units (ECUs) and significantly more complex software modules and control applications than today's models. Besides applications like engine control, air condition control and anti-theft systems, which are already available in today's cars, the first steps towards the introduction of safety-relevant steer-by-wire and brake-by-wire systems will be undertaken. Additionally, the demand for in-car entertainment and information systems (e.g. Internet terminals, video-streaming applications) will also increase. Since all these systems have conflicting requirements to the underlying network protocol (latency, predictability, throughput…), the straight-forward way would be to use autonomous busses and networks for every kind of distributed system within the car body (ultra-available safety-relevant systems, non-safety-relevant control systems, entertainment and media systems).

The Time-Triggered Architecture (TTA) is a distributed architecture for high-dependability real-time systems such as break-by-wire or steer-by-wire systems. This paper is devoted to the fault-tolerance and fault-handling capabilities of the TTA. We will present the architectural and algorithmic features of the time-triggered communication protocol TTP/C that allow isolation of arbitrary failures of a node-computer in the distributed system. Having node failures isolated, the introduction of redundant nodes accompanied by voting services located in a generic fault-tolerance layer makes the architecture tolerant to Byzantine failures of node-computers. We will also present the mechanisms that detect multiple failure scenarios at the communication system level and provide means for rapid handling of and deterministic recovery from such situations.

The paper presents a communication architecture for distributed embedded computer systems that require to transmit safety-critical real-time data - which must not be delayed - on the same bus as non-critical data. Such non-critical data can come from sources like sensors and event-based traffic, typically for on-demand diagnosis. This architecture utilizes the communication protocols TTP/C and TTP/A, and a software layer in the distributed nodes, to provide a fault-tolerant platform for reliable yet flexible communication over a multiplex bus.

TTP/A is the fieldbus protocol of the Time Triggered Architecture (TTA). It provides periodic transmission of real-time data and allows for on-line configuration, diagnostics, and maintenance by use of an interface file system. It is well integrated with the TTP/C protocol and is designed to meet the requirements of a low-cost sensor/actuator bus. TTP/A is a master-slave protocol where the master establishes a common time base within a TTP/A cluster. Since the master establishes the time base prior to the communication of slaves, the protocol can be implemented with low-cost on-chip RC oscillators for the slaves. Using a standard UART-based serial interface as physical layer, the slave TTP/A protocol can be implemented in very low cost Commercial Off-The-Shelf (COTS) hardware.

The Time-Triggered Architecture (TTA) is a technology that is especially well suited for the design and implementation of ‘by-wire’ systems with demanding real-time and safety requirements. Design and prototyping require thorough planning. New hardware and software support simulation and prototyping of distributed real-time systems, easing the implementation of by-wire applications. Integrated tools support the whole design process from system setup to simulation and application programming. The paper describes a by-wire prototype design process based on the TTA and a currently available development environment.

The Time-Triggered Architecture (TTA) and its software development environment for the Time-Triggered Protocol (TTP) provide a framework which allows the efficient development of distributed embedded applications. Separate development of system architecture and subsystems design, strict control of key system interfaces and separation of functional/logical from temporal behavior facilitate the reuse and seamless integration of electronic subsystems provided by different suppliers. TTA is an integrated platform solution which allows modular application development and certification up to the highest criticality classes with reuse of components. TTA principles improve the ability of system designers to significantly reduce system integration effort and obsolescence management costs. The time-triggered communication protocol TTP provides high performance and fault tolerance for the data transfer between distributed applications.

Electronically controlled safety-critical functions are becoming more and more prevalent in the off-highway industry (construction, agricultural or forestry machinery etc). Failures of such safety-critical functions may cause serious injury or death to people. Therefore, product safety and liability are becoming increasingly important for all OEMs in this industry. Currently, IEC 61508 [1] is considered the state-of-the-art standard for the development of safety-critical systems. Safety integrity levels (SIL) 2 and 3 are the most common levels required by off-highway applications. This paper shows a scalable architecture with a single ECU type that allows fulfilling both SIL2 and SIL3 requirements: A 1oo1D architecture (single ECU) will be used for systems with SIL2 requirements, a 1oo2D architecture for SIL3 requirements. In the 1oo2D variant two redundant ECUs exchange data over a time-triggered protocol.

The increasing complexity of distributed embedded systems, as found today in airplanes or cars, becomes more and more a critical cost-factor for their development. Model-based approaches have recently demonstrated their potential for both improving and accelerating (software) development processes. Therefore, in the project DECOS1, which aims at improving system architectures and development of distributed safety-critical embedded systems, an integrated, model-driven tool-chain is established, accompanying the system development process from design to deployment. This paper gives an overview of this tool-chain and outlines important design decisions and features.

Development and verification of systems for internal aircraft networks include multiple software layers. These layers are mainly the application-specific components, communication layers, redundancy management and other system services. Verification of these system layers in the early stages of the design process, before a physical network is available, and during the design process has become a critical need in order to reduce design costs and project risks. Time-Triggered Architectures (TTA) and SCADE are both well-established technologies and tools for building safety-critical embedded systems. Both are based on the synchronous paradigm; TTA for the communication infrastructure and distributed embedded computing, and SCADE for simulating and generating code for the application components.

This paper presents a novel communication architecture denoted as time-triggered (TT) Ethernet that integrates real-time and non-real-time traffic into a single communication architecture. TT Ethernet supports applications of different levels of criticality, from simple data acquisition systems, to multimedia systems up to the most demanding fault-tolerant real-time control systems. The event triggered traffic in TT Ethernet is handled in conformance with the existing Ethernet standards of the IEEE. The architecture deploys a TT Ethernet switch, which distinguishes between event-triggered (ET) and time-triggered (TT) Ethernet traffic. Time-triggered traffic is transmitted with a predictable transmission delay, whereas event-triggered traffic is transmitted on a best-effort basis. The paper elaborates on the usage of TT Ethernet for in-vehicle communication in order to integrate different in-vehicle communication subsystems into a single communication architecture.

The Time-Triggered Architecture (TTA) provides many state-of-the-art mechanisms to guarantee fault tolerance and highest system availability, in part due to the use of a fault-tolerant communication protocol. However, some failure modes are known that cannot be tolerated by a fault-tolerant communication protocol alone and that can threaten the availability of distributed systems. The possibility of these failure modes occurring in safety critical applications like steer-by-wire or brake-by-wire without mechanical backup is not acceptable. A dedicated device can be used to transform arbitrary node failures to failure modes tolerated by the Time-Triggered Protocol (TTP), eliminating failures that can lead to a loss of communication and thus to a loss of availability of the distributed system.

VPX, as a switched fabric, supports the design of advanced integrated systems using technologies such as deterministic Ethernet. Deterministic Ethernet can be used in backplane and backbone applications. In cases where functional interrelationships and Ethernet network bandwidth sharing is deterministic and all logical links among critical function have configurable quality of service with guaranteed timing, the complexity challenges in design of advanced integrated architectures can be much simpler to handle and mitigate. VPX switches in 3/6U format with ARINC664 and SAE AS6802 services enable deterministic integration of many critical functions hosted on common embedded computing and networking resources. Both ARINC664 (asynchronous real-time) and SAE AS6802 (synchronous hard real-time), as Layer 2 enhancements, do not affect existing Ethernet services.

Integrated modular architectures and IMA reduce the physical complexity of electronic architecture by integrating many functions on common embedded resources. As the reduction of physical complexity means that the embedded resources are shared by many functions, the logical complexity of system configuration, functional alignment and resource sharing increases significantly. Modern integrated embedded platforms are designed for parameter-based architecture design and integration. IMA is not only a set of platform components, networking and computing devices and configurable middleware and platform abstraction layers. Integrated Architectures and IMA require mature design and verification tools, and a well-defined design and integration methodology are required to avoid expensive and error-prone manual analyses and configuration tasks. Therefore, integrated architectures cannot be separated from design methodologies and processes.