Published in Proc. 28th Annual International Symposium on Fault-Tolerant Computing, FTCS-28, IEEE Computer Society Press, pp. 402-407, June 1998

Time-Triggered Architecture for Safety-Related Distributed Real-Time Systems in Transportation Systems

Günter Heiner and Thomas Thurner, Daimler-Benz AG

Günter Heiner
Co-ordinator TTA Project
Daimler-Benz Research and Technology
Alt-Moabit 96a, D-10559 Berlin, Germany
Phone: +49 30 39982-237, Fax: -107
E-mail:

Thomas Thurner
Co-ordinator X-by-Wire Project
Daimler-Benz Research and Technology
D-70546 Stuttgart, Germany
Phone: +49 711 17-20745, Fax: -52004
E-mail:

Abstract

This paper presents a novel computer architecture for fault-tolerant distributed embedded real-time systems, the Time-Triggered Architecture, which is currently implemented and demonstrated in two European projects: Safety-Related Fault-Tolerant Systems in Vehicles (X-by-Wire) and Time-Triggered Architecture (TTA). Major European manufacturers in the automotive, aerospace and railway industries, suppliers, and universities are participating in these projects, both of which will be completed at the end of 1998. The objective of the projects is to achieve a framework for the introduction of ultra-dependable electronic systems in vehicles which do not rely on conventional physical backups. A common recommendation on the basic electronic and software architecture is elaborated, and key components are implemented as prototypes, particularly a VLSI-implemented communication controller utilising a time-triggered protocol. The project results will be evaluated for typical industrial applications from the participating sectors.

1 Introduction

There is a trend in the automobile industry towards an increasing number of safety-related electronic systems in vehicles that are directly responsible for active and passive vehicle safety.
These applications will increase overall vehicle safety by liberating the driver from routine tasks and assisting the driver in finding solutions in critical situations. The realisation of such driver assistance systems requires direct electronic control of the steering, braking, suspension and powertrain actuators, dependent on the current driving conditions and environmental influences. It is expected that the biggest potential lies in the replacement of (hydro-)mechanical backup systems by distributed fault-tolerant mechatronic systems (in the following called by-wire systems). As a consequence there is a need for a standardised, dependable, and cost-effective electronic realisation for mass production. In order to fulfil the vehicle requirements, new electronic architectures have to be developed or adapted. Therefore, two consortia funded by the European Commission have been established to investigate this topic: the Brite-EuRam X-by-Wire project [Dil97, Dil98] and the ESPRIT-OMI TTA project [Sch97]. One of the most promising approaches for such an architecture will be described in this paper.

This paper is organised as follows: Section 2 describes the automotive requirements, Section 3 gives an overview of the general time-triggered architecture, including the important key issues. In Section 4 the joint research projects X-by-Wire and TTA are presented. First results and experiences are outlined in Section 5.

2 Automotive Requirements

A visionary steer-by-wire system without conventional backup is regarded as the most demanding challenge. It is obvious that an architecture which fulfils the requirements of such an application is able to meet most of the requirements for other by-wire applications. Since all requirements for such a system cannot be listed in this paper, the following summary shall give an impression from the producer and user point of view:

- Steering must be possible at standstill and as long as the vehicle keeps moving.
- Without the engine running, steering must be available for at least 5 minutes steering time.
- A single failure of one component within the steering system must not lead to a fault of the whole steering system but to a reduced functionality, if there is no safety risk.
- Resolution of the steering wheel angle: 0.1-1. Accuracy: approx. or less than 1. Dynamics for the steered wheels: 40/s. Consequence: closed control loops less than 2 ms.
- Taking the vehicle dynamics into account, the transient outage time of the steering system can be estimated: less than 50 ms. This time is crucial for the design of recovery mechanisms.
- A behaviour similar to existing mechanical solutions is required: the driver expects representative feedback of steering traction and lock positions.
- At least the same reliability, availability, maintainability, and serviceability as today's steering systems are required.
- A cost-effective and modular solution is required in order to get a good manufacturability.

3 General Electronic Architecture

3.1 Time-Triggered Approach

An electronic control system is real-time capable if it is able to sample a set of well-defined input values and to provide a correct output value in a predefined time interval [Kop97]. For safety-related by-wire real-time systems the guaranteed correctness both in the value and time domain is therefore of vital importance. The fulfilment of this tough requirement together with cost-effectiveness and the "keep it as simple as possible" safety principle consequently leads to a time-triggered architecture. Time-triggered means that actions concerning input sampling, computing and provision of results are executed at predefined points in time. An exact time schedule is then always guaranteed, the needed system bandwidth is limited at any point of time, and a system overload is impossible.

3.2 Fail-Silence Property of the Subsystems / Components

The correct value at the correct time! This requirement is valid if the system is free of errors.
But from the component's point of view, the question has to be solved how to handle transient or permanent errors which would cause a violation of the correct value at the correct time. In this case the subsystem has to be fail-silent. A silent subsystem does not interfere with the other system parts. This means that the subsystem has to detect all errors in the time and value domain and has to switch immediately into a passive state from the outside point of view. The big advantage of this concept is that all kinds of transient and permanent errors are encapsulated in the faulty component. All errors only have to be detected and converted into a self-disabling of the component. Distribution of errors in the whole system is therefore not possible, and system-wide complex error handling strategies are not necessary.

In safety-related applications the system must fulfil the predefined functionality even in the presence of faults. This leads to a fail-operational behaviour, which must be guaranteed up to a predefined number of failures. Such a real-time requirement can be achieved only by introducing active redundancy. In this case, a fault-tolerant unit tolerating a single node fault can be formed by a pair of two fail-silent nodes, which are completely physically separated.

3.3 Communication Subsystem

A key element in distributed real-time systems which will allow even distributed replicas is the communication subsystem, which has to guarantee the information exchange between the (fail-silent) components. It has to provide a highly reliable and deterministic access and data transfer and has to fulfil at least the following primary requirements:

- Support of composability: no side-effects at system integration [Kop98].
- Periodic information transfer: support of regularity inherent to control applications.
- Minimal message latency jitter: highly important for the quality of closed control loops.
- Fast error detection in time and value domain: bus guardian assuring the fail-silence assumption.
- Fault-tolerance: support of replicated and physically separated nodes.
- Global clock synchronisation: basis for the replica determinism, needed for active redundancy.
- Multicast transmission / acknowledgement: for global data consistency reasons.
- Robustness: the communication system has to support a redundant physical transmission.

One of the most promising approaches which meets both the above mentioned technical requirements as well as the application requirements is the Time-Triggered Protocol TTP/C [Kop97], where C stands for SAE class C.

Figure 1: The TTP databus system.

The communication network topology is a broadcast bus. Bus access is granted to the nodes under the control of a static TDMA scheme, pre-allocated at the system design time and stored locally within each node. To achieve an orderly access to the bus, the nodes maintain a globally synchronised time base, which is an integral operation of TTP. For fault-tolerance reasons a dual channel system is provided. The architecture allows the integration of ECUs as well as intelligent fail-silent (smart) sensors/actuators via the TTP communication subsystem.

3.4 System Fault-Tolerance

As stated above, the system architecture has to support active redundancy. Active replication of components assumes that there is some kind of agreement between the replicas. At certain points, the replicated components must ensure the same decision at the same time [Pol96]. This problem (replica determinism) can be solved with an agreement protocol using either the real-time bus or a separate cross-coupling link (particularly in the case of fault-tolerant smart sensors). Illustrating a possible steer-by-wire application, Figure 2 gives a realisation example. In this hypothetical framework, actuators are devices able to independently generate force or torque. Moreover, actuators and sensors are considered fail-silent and non-blocking.
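The following C program is an added illustration of how the three mechanisms of Sections 3.2 to 3.4 fit together; it is not code from the paper, from TTP/C, or from the X-by-Wire and TTA projects. It models a static TDMA schedule, a bus guardian that enables a node's transmitter only inside its pre-allocated slot (fail-silence in the time domain), a node that disables itself when it detects a value-domain error (fail-silence in the value domain), and a consumer that reads the steering-wheel angle from a fault-tolerant unit of two replicas and keeps working when one of them goes silent. The node count, the 500 microsecond slot length, the plausibility limit, the 0.01-degree angle unit and the replica assignment are constructed values; real TTP/C frames, CRCs, membership and clock synchronisation are left out.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Static TDMA schedule fixed at design time (constructed example values,
 * not the TTP/C parameters of the projects). */
#define N_NODES        4
#define SLOT_US        500u                 /* one sending slot per node */
#define ROUND_US       (N_NODES * SLOT_US)  /* length of one TDMA round */
#define MAX_ANGLE_CDEG 72000                /* plausibility limit: +/-720 deg */

/* Hypothetical replica set: nodes 0 and 1 form a fault-tolerant unit (FTU)
 * delivering the steering-wheel angle; nodes 2 and 3 are other nodes. */
#define FTU_A 0
#define FTU_B 1

typedef struct { bool valid; int sender; int32_t angle_cdeg; } Frame;
typedef struct {
    Frame slots[N_NODES];   /* what the bus carried in the current round */
    int   guardian_blocks;  /* transmissions blocked by a bus guardian */
} Bus;
typedef struct { int id; bool passive; } Node;
typedef struct {
    int     good_rounds;    /* rounds in which the consumer got a valid angle */
    int32_t angle[2];       /* angle read by the consumer in round 1 and 2 */
    bool    b_passive;      /* replica B switched itself off */
    int     guardian_blocks;
} Result;

/* Node owning the slot that contains global time t (synchronised clock). */
int slot_owner(uint32_t t_us) { return (int)((t_us % ROUND_US) / SLOT_US); }

/* Bus guardian: a node's transmitter is enabled only inside its own slot, so
 * a node that babbles outside its slot is silenced in the time domain. */
bool guardian_allows(int node, uint32_t t_us) { return slot_owner(t_us) == node; }

void bus_new_round(Bus *bus) { memset(bus->slots, 0, sizeof bus->slots); }

/* Raw transmit attempt; returns true if the frame reached the bus. */
bool bus_transmit(Bus *bus, int node, uint32_t t_us, int32_t angle_cdeg) {
    if (!guardian_allows(node, t_us)) { bus->guardian_blocks++; return false; }
    bus->slots[node] = (Frame){ true, node, angle_cdeg };
    return true;
}

/* Fail-silent node: a value-domain error (implausible angle) makes the node
 * switch itself into the passive state; from then on it never transmits. */
bool node_send(Node *n, Bus *bus, uint32_t t_us, int32_t angle_cdeg) {
    if (n->passive) return false;
    if (angle_cdeg > MAX_ANGLE_CDEG || angle_cdeg < -MAX_ANGLE_CDEG) {
        n->passive = true;   /* self-disable instead of sending a wrong value */
        return false;
    }
    return bus_transmit(bus, n->id, t_us, angle_cdeg);
}

/* Consumer side of the FTU: one speaking replica is enough; if both speak,
 * replica determinism requires them to agree. */
bool ftu_read(const Bus *bus, int32_t *out) {
    const Frame *a = &bus->slots[FTU_A], *b = &bus->slots[FTU_B];
    if (a->valid && b->valid) {
        if (a->angle_cdeg != b->angle_cdeg) return false;  /* agreement lost */
        *out = a->angle_cdeg;
        return true;
    }
    if (a->valid) { *out = a->angle_cdeg; return true; }
    if (b->valid) { *out = b->angle_cdeg; return true; }
    return false;   /* both replicas silent: the FTU has failed */
}

/* Constructed scenario: round 1 both replicas send; in round 2 node 2 tries
 * to send in A's slot and replica B computes an implausible value. */
Result run_scenario(void) {
    Bus bus; Node a = { FTU_A, false }, b = { FTU_B, false }, other = { 2, false };
    Result r = { 0, { 0, 0 }, false, 0 };
    memset(&bus, 0, sizeof bus);

    bus_new_round(&bus);                                    /* round 1 */
    node_send(&a, &bus, 0 * SLOT_US + 10, 1250);
    node_send(&b, &bus, 1 * SLOT_US + 10, 1250);
    if (ftu_read(&bus, &r.angle[0])) r.good_rounds++;

    bus_new_round(&bus);                                    /* round 2 */
    node_send(&other, &bus, ROUND_US + 0 * SLOT_US + 10, 400);   /* babbling */
    node_send(&a, &bus, ROUND_US + 0 * SLOT_US + 20, 1300);
    node_send(&b, &bus, ROUND_US + 1 * SLOT_US + 20, 99999);     /* implausible */
    if (ftu_read(&bus, &r.angle[1])) r.good_rounds++;

    r.b_passive = b.passive;
    r.guardian_blocks = bus.guardian_blocks;
    return r;
}

int main(void) {
    Result r = run_scenario();
    printf("valid rounds: %d, angles: %d %d (0.01 deg), B passive: %d, guardian blocks: %d\n",
           r.good_rounds, r.angle[0], r.angle[1], r.b_passive, r.guardian_blocks);
    return 0;
}
```

The point of the scenario is the encapsulation property claimed in Section 3.2: the babbling node and the node with a corrupt value both end up invisible on the bus, the consumer never has to reason about either of them, and the single remaining replica keeps the steering angle available within the same TDMA round.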
Figure 2: Realisation of a possible future steer-by-wire application without conventional physical backup.

3.5 Systems and Software Engineering Environment

In order to deploy the time-triggered approach in the most effective way, the architecture must be accompanied by tools for application programming support, focusing on the design, monitoring, and visualisation of time-triggered applications. Concerning design, special emphasis has to be put on the design of the software interfaces between the system manufacturer and the component suppliers. The software architecture is based on a hierarchy with the system software (SSW) as the lower level and the application software as the higher level. The most important SSW services are support for fail-silence and fault-tolerance and support for the handling of hard real-time requirements. An ANSI C subset [MIS97] has been recommended which can be enforced in several ways of different strictness, e.g. by using a specific coding guideline or by using a specific analysis tool or pre-processor.

The global design consists of all steps associated with the overall system architecture and is done by the system manufacturer. It includes the system partitioning, the definition of the replication scheme, and the specification of communication relations and bus schedule. The suppliers then proceed with their application design locally and independently from each other and from the system manufacturer. The local design contains all steps associated with the specification, implementation and test of a single component. After finishing all local design phases, the complete system is integrated by the system manufacturer.

During run-time in the development and operational phase, the system behaviour can be traced by a monitoring system. Global monitoring is based on bus tracing and allows observation of the system behaviour without intrusion. The inner state of components, like task states, variable values, etc., can be observed via local monitoring. The objective of visualisation is to provide a better understanding of the behaviour of a time-triggered application. The visualisation is based on the data gathered by the monitoring systems.

4 Joint Research Projects

4.1 Safety Related Fault-Tolerant Systems in Vehicles (X-by-Wire)

Because of the very large expected expenditures and advance outlays, no single vehicle manufacturer has up to now introduced really fault-tolerant safety-related by-wire systems without mechanical backup. The main problem is not the availability of solutions for fault-tolerant systems, but their applicability to the special constraints of the vehicle industry such as low-cost mass production and easy maintenance. As a result, the X-by-Wire consortium has been established to come up with solutions which satisfy the special needs of the vehicle industry [Dil97, Dil98]. It consists of the vehicle manufacturers Daimler-Benz (co-ordinator), Centro Ricerche Fiat, Ford Europe and Volvo, the supplier companies Robert Bosch, Mecel and Magneti Marelli, and the University of Chalmers and the Vienna University of Technology.

An architecture capable of meeting the special constraints of mass production has been proposed and will be demonstrated in a laboratory steer-by-wire prototype. The X-by-Wire approach uses a distributed time-triggered architecture; the demonstration is based on TTP/C. General recommendations for standardisation of by-wire architectural subsystems (e.g. TTP/C) are planned by submitting drafts to standardisation bodies (ISO, SAE, ...).

4.2 Time-Triggered Architecture (TTA)

Concurrently and in close co-operation with the X-by-Wire project, the ESPRIT-OMI project Time-Triggered Architecture (TTA) will demonstrate that the time-triggered architecture can be effectively deployed in safety-critical transportation systems [Sch97]. Therefore, a consortium has teamed up that consists of Daimler-Benz (co-ordinator), Alcatel Austria, and British Aerospace Airbus as manufacturers of transportation systems in the automotive, railway, and aerospace sector, the supplier companies TEMIC, AMS and Genias, the Vienna University of Technology, and the universities of Ulm and York.

Within the framework of the TTA project, key components of the time-triggered architecture are implemented as prototypes: a major component is the communication controller for the Time-Triggered Protocol (TTP), implemented as a single-chip controller. This VLSI component will be accompanied by tools for design, application programming support, and safety analysis. To prove the approach, the project will provide an evaluation of the architecture and the accompanying systems and safety engineering environment for three typical industrial applications, one from each of the three participating sectors (automotive, aerospace, railway).

5 First Results and Experiences

Within both projects, requirements for visionary by-wire systems in the automotive, the railway, and the aircraft industry were collected and investigated.
Since the time-triggered architecture as described above is considered as the most promising approach which covers the requirements, it has been adopted for the design of the respective systems. According to the requirements collections, the TTP/C specification has been adopted and implemented into a TTP emulation board, which was a common background development between Daimler-Benz and the University of Vienna.

Vehicle demonstrators

The purpose of the demonstrators is to show the continued service of the application even in the presence of multiple failures. They are based on TTP/C and mainly on commercial off-the-shelf (COTS) components (actuators, sensors, etc.). The X-by-Wire demonstrator is a steer-by-wire laboratory prototype (see Fig. 2). Because of the distributed development of the components between the different partners' locations, it is a good example for the fulfilment of the composability requirement, which is considered as one of the most important aspects.

The TTA demonstrator is a brake-by-wire prototype in a laboratory environment. The dynamic behaviour of a Mercedes-Benz passenger car on a road is simulated in real time. The simulator interprets actuator commands of the brake-by-wire system, computes their effects on the vehicle and delivers the appropriate sensor signals. An on-line visualisation component dynamically shows the reactions of the vehicle to the applied control commands.

Railway demonstrator

For the railway demonstrator, the interlocking system Elektra [Kan95], developed by Alcatel Austria, was chosen, which connects the railway station periphery to the central control. Elektra's on-line safety concept is based on the use of two independent diverse hardware/software channels, e.g. an interlocking channel and a safety-bag channel. To fulfil the availability requirements, each channel architecture is composed of replicated subsystems.
A time-triggered architecture for the connection of the railway periphery, e.g. signals and switches, to the Elektra channels has been designed and implemented on a TTP/C base.

Systems engineering environment

Within the TTA project, a systems engineering environment according to the requirements was specified and a first release has been implemented. The environment consists of a specification tool for the hardware configuration of a TTP cluster, of a scheduling editor used to edit the bus schedules, of a translator which reads the bus schedules and generates the controller-specific data structures, and of a project database which serves as the central data repository for all tool components.

6 Conclusion

The business impact of this new architecture is impressive: once standardised for the automotive market, it can be expected that system modules of the required functionality and dependability will be available for a very competitive price. Many other industrial sectors, e.g. train control, aircraft industry, industrial process contro
