The Time-Triggered Architecture
Proceedings of the IEEE, 2003. Cited by 269 (10 self).
The time-triggered architecture (TTA) provides a computing infrastructure for the design and implementation of dependable distributed embedded systems. A large real-time application is decomposed into nearly autonomous clusters and nodes, and a fault-tolerant global time base of known precision is generated at every node. In the TTA, this global time is used to precisely specify the interfaces among the nodes, to simplify the communication and agreement protocols, to perform prompt error detection, and to guarantee the timeliness of real-time applications. The TTA supports a two-phased design methodology, architecture design, and component design. During the architecture design phase, the interactions among the distributed components and the interfaces of the components are fully specified in the value domain and in the temporal domain. In the succeeding component implementation phase, the components are built, taking these interface specifications as constraints. This two-phased design methodology is a prerequisite for the composability of applications implemented in the TTA and for the reuse of prevalidated components within the TTA. This paper presents the architecture model of the TTA, explains the design rationale, discusses the time-triggered communication protocols TTP/C and TTP/A, and illustrates how transparent fault tolerance can be implemented in the TTA.
A Comparison of Bus Architectures for Safety-Critical Embedded Systems
2001. Cited by 121 (5 self).
Embedded systems for safety-critical applications often integrate multiple “functions” and must generally be fault-tolerant. These requirements lead to a need for mechanisms and services that provide protection against fault propagation and ease the construction of distributed fault-tolerant applications. A number of bus architectures have been developed to satisfy this need. This paper reviews the requirements on these architectures, the mechanisms employed, and the services provided. Four representative architectures (SAFEbus™, SPIDER, TTA, and FlexRay) are briefly described.
Formal Verification for Time-Triggered Clock Synchronization
1999. Cited by 20 (1 self).
Distributed dependable real-time systems crucially depend on fault-tolerant clock synchronization. This paper reports on the formal analysis of the clock synchronization service provided as an integral feature by the Time-Triggered Protocol (TTP), a communication protocol particularly suitable for safety-critical control applications, such as in automotive “by-wire” systems. We describe the formal model extracted from the TTP specification and its formal verification, using the PVS system. Verification of the central clock synchronization properties is achieved by linking the TTP model of the synchronization algorithm to a generic derivation of the properties from abstract assumptions, essentially establishing the TTP algorithm as a concrete instance of the generic one by verifying that it satisfies the abstract assumptions. We also show how the TTP algorithm provides the clock synchronization that is required by a previously proposed general framework for verifying time-triggered algorithms.
Virtual Networks in an Integrated Time-Triggered Architecture
In Proceedings of the Tenth IEEE International Workshop on Object-oriented Real-time Dependable Systems (WORDS 2005), 2005. Cited by 20 (11 self).
Depending on the physical structuring of large distributed safety-critical real-time systems, one can distinguish federated and integrated system architectures. This paper investigates the communication services of an integrated system architecture, which combines the complexity management advantages of federated systems with the functional integration and hardware benefits of an integrated approach. A major challenge is the need to accommodate the communication services to the different types of integrated application subsystems that range from ultradependable control applications (e.g., an x-by-wire system) to non-safety-critical applications such as multimedia or comfort systems. In particular, the encapsulation of the communication activities of different application subsystems is required not only to prevent error propagation from non-safety-critical application subsystems to higher levels of criticality, but also to facilitate complexity management and permit independent development activities.
Increasing System Safety for by-wire Applications in Vehicles by using a Time Triggered Architecture
Proc. SAFECOMP, 17th Int. Conf. on Computer Safety, Reliability and Security, 1998. Cited by 10 (0 self).
By-wire systems have been established for several years in the area of aircraft construction and there are now approaches to utilize this technology in vehicles. The required electronic systems must evidently be available and safe. At the same time the requirements of mass production have to be reached (long lifetime, long maintainability intervals, low costs, fulfillment of standards). This paper addresses a new automotive architecture approach, based on a time triggered architecture, and a framework for the application design of future by-wire systems in vehicles.
A Transient-Resilient System-on-a-Chip Architecture with Support for On-Chip and Off-Chip TMR
2008. Cited by 6 (1 self).
The ongoing technological advances in the semiconductor industry make Multi-Processor Systems-on-a-Chip (MPSoCs) more attractive, because uniprocessor solutions do not scale satisfactorily with increasing transistor counts. In conjunction with the increasing rates of transient faults in logic and memory associated with the continuous reduction of feature sizes, this situation creates the need for novel MPSoC architectures. This paper introduces such an architecture, which supports the integration of multiple, heterogeneous IP cores that are interconnected by a time-triggered Network-on-a-Chip (NoC). Through its inherent fault isolation and determinism, the proposed MPSoC provides the basis for fault tolerance using Triple Modular Redundancy (TMR). On-chip TMR improves the reliability of an MPSoC, e.g., by tolerating a transient fault in one of three replicated IP cores. Off-chip TMR with three MPSoCs can be used in the development of ultra-dependable applications (e.g., X-by-wire), where the reliability requirements exceed the reliability that is achievable using a single MPSoC. The paper quantifies the reliability benefits of the proposed MPSoC architecture by means of reliability modeling. These results demonstrate that the combination of on-chip and off-chip TMR contributes towards building more dependable distributed embedded real-time systems.
The Alamblak language of
1984. Cited by 6 (0 self).
Distributed Brake-By-Wire based on TTP/C. (Distribuerat Brake-By-Wire system baserat på TTP/C). Brake-By-Wire means that the hydraulic-mechanical brake system in a car is partly or completely replaced with an electronic/electromechanical brake system. Brake-By-Wire systems are safety critical. A Brake-By-Wire system must also be fault tolerant and have a dependable real-time performance. One communication protocol that is developed to meet these requirements is called TTP/C (Time Triggered Protocol, class C). It is a protocol where all operations are initiated and scheduled in advance. In this Master’s thesis, I have put a TTP/C system into operation and developed a simple, fault tolerant Brake-By-Wire system. The work concentrates on the fault tolerance and fault detection aspects. The TTP/C concept with its software development environment has also been evaluated. Using TTP/C as effectively as possible requires that the developer has planned the implementation of the system carefully. The work with the TTP/C software development tools will be made easier the more that is known in advance about the system. More detailed documentation than is presently available on how to use the TTP/C tools would also facilitate the work.
A Maintenance-Oriented Fault Model for the DECOS Integrated Diagnostic Architecture
2005. Cited by 5 (2 self).
The increasing use of electronics in the automotive and avionic domain has led to dramatic improvements with respect to functionality, safety, and cost. However, with this growth of electronics the likelihood of failures due to faults originating from electronic equipment also increases. In order to tackle prevalent diagnostic problems such as the reduction of the fault-not-found ratio, a maintenance-oriented fault model is needed that serves as the basis for the classification of experienced failures.
Coverage and the Use of Cyclic Redundancy Codes in Ultra-Dependable Systems
Proc. of the IEEE International Conference on Dependable Systems and Networks (DSN), 2005. Cited by 5 (0 self).
A Cyclic Redundancy Code (CRC), when used properly, can be an effective and relatively inexpensive method to detect data corruption across communication channels. However, some systems use CRCs in ways that violate common assumptions made in analyzing CRC effectiveness, resulting in an overly optimistic prediction of system dependability. CRCs detect errors with some finite probability, which depends on factors including the strength of the particular code used, the bit-error rate, and the message length being checked. Common assumptions also include a passive network inter-stage, explicit data words, memoryless channels, and random independent symbol errors. In this paper we identify some examples of CRC usage that compromise ultra-dependable system design goals, and recommend alternate ways to improve system dependability via architectural approaches rather than error detection coding approaches.
A Comparison of TTP/C and FlexRay
2001. Cited by 5 (0 self).
With the announcement by BMW and DaimlerChrysler that they will develop the new time-triggered protocol FlexRay for safety critical “X-by-Wire” applications, time-triggered technology is moving into the mainstream of the automotive electronics market. This paper compares the established protocol TTP/C with the new protocol FlexRay from BMW and DaimlerChrysler. This comparison is based on the sparse information about FlexRay that is currently in the public domain and is therefore subject to revisions as a more detailed specification becomes available. This paper identifies five failure scenarios that have the potential for a single node failure to result in a system-wide safety-relevant incident. It discusses how TTP/C controls these scenarios, but cannot answer the question of how FlexRay handles these failures, because the information about FlexRay that is in the public domain does not address these safety relevant issues. The comparison comes to the conclusion that FlexRay and TTP/C were designed against the same set of automotive requirements, but that there is a difference in goals: the inherent conflict between flexibility and safety is tilted towards flexibility in FlexRay and safety in TTP/C.
Keywords: TTP/C, FlexRay, real-time systems, safety critical systems, time-triggered communication.