Time-Triggered Embedded Systems
Source: itech.fgcu.edu/faculty/zalewski/cen3213/files/tt_esp_module.pdf

Author: Dawid Trawczynski
Project Mentor: Dr. Janusz Zalewski



Outline
• Introduction
• Embedded System Dependability
• Main Components
• Event-Triggered and Time-Triggered Systems
• Time-Triggered Medium Access Control Properties
• Protocol Examples
• TTP Essentials
• Development Tools
• Summary


Introduction

Embedded system: a special-purpose computer designed to perform one or a few dedicated functions, often with real-time computing constraints [3]

Real-time (adjective): bounded response time [4]


Examples
• Car Anti-Lock Braking System
• Avionics Pressure Cabin Control
• Microwave Oven RF Controller
• Train Inter-Lock System
• GSM Subscriber Base Station
• Bluetooth Hands-Free Set
• Electronic Ignition System
• And many, many more!


Hard vs. Soft Real-Time Embedded Systems

• Hard deadline systems: missing a program/task execution time deadline can have catastrophic consequences (financial, human loss of life, etc.)

• Soft deadline systems: missing a deadline may not be critical and can be tolerated to a certain degree (e.g., VoIP)


Safety-Critical Embedded Systems
• Usually are hard deadline systems
• Must be extremely reliable and dependable (1 fault in 10^9 hours of operation)
• Therefore the essential problem is:

How to assure their dependability?

Answer: Use hardware/software redundancy (replication)

Redundancy idea: if one component fails then a spare can be used as a replacement


Embedded System’s Main Components

Controller: local or distributed; if distributed, it must be connected into a network (e.g., a data bus)

Controlled object: physical, biological, or chemical process or object (e.g., combustion engine)


Controller Network Architectures

[Figure: Controllers A, B, C and D connected in three topologies: data bus, star (through a hub/switch/router) and ring]

Hybrid types also possible!


Dependability Assurance
• Based on the concept of redundancy (i.e., replication of resources)
• Redundancy of time, space, or both
• Example: Dual channel data bus (i.e., space redundancy)
• Hardware or software

[Figure: Controllers A, B, C and D]

According to the author of [1], dependable embedded systems must support predictability, composability, scalability, high performance, and security to assure safety. We focus on network predictability.


Event-Triggered and Time-Triggered Design Paradigms

• Event-triggered system: activities within the system (e.g., task run-times) are dynamic and depend upon the occurrence of different events and possibly their priorities

• Time-triggered system: activities within the system follow a statically computed schedule (i.e., they are allocated time slots during which they can take place) and thus by nature are predictable


Paradigm Relationship

• Event-triggered (ET) and time-triggered (TT) system design can relate to the operating system, application, or communication (network) behavior mode (sporadic activity processing – ET, or periodic activity processing – TT)

• Here we focus on the TT network’s main component known as medium access control (MAC) protocol layer


TT vs. ET Network Medium Access Control

[Figure: Controllers A, B, C and D, with two message timelines over a time axis. ET: messages mA, mC, mB, mD, where p(mA) < p(mC). TT: messages mA, mC, mB, mD sent in SlotA, SlotC, SlotB, SlotD.]

ET: nondeterministic delay due to message preemption (priority of message mA < mC and a bus access conflict, thus mA must be sent again)

TT: bus access conflict problem avoided because each controller has an exclusive sending slot


TT MAC Properties
• Based on global time synchronization
• Send and receive time point of a message known (deterministic)
• No arbitration necessary; each node (controller) gets a slice of the available bus access time interval, but scheduling is less flexible
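The contrast between the two access schemes, as an added example that is not part of the original slides: a simplified model in which event-triggered frames are arbitrated by priority whenever the bus is idle, while time-triggered frames start at an offset fixed by the schedule. The frame time, priorities and function names are constructed for illustration.

```c
#include <stdio.h>

#define MAX_MSGS   8
#define FRAME_TIME 10   /* bus time units per frame (constructed value) */

typedef struct { char name; int prio; int release; } msg_t; /* higher prio wins */

/* Constructed traffic in the slide's order mA, mC, mB, mD, with p(mA) < p(mC). */
static const msg_t traffic[4] = {
    {'A', 1, 0}, {'C', 3, 0}, {'B', 2, 0}, {'D', 0, 0},
};

/* Event-triggered bus: whenever the bus is idle, the pending frame with the
 * highest priority wins. Returns the time at which message `who` starts. */
int et_start_time(const msg_t *m, int n, int who)
{
    int done[MAX_MSGS] = {0}, t = 0;
    if (n > MAX_MSGS || who < 0 || who >= n) return -1;
    for (;;) {
        int best = -1;
        for (int i = 0; i < n; i++)
            if (!done[i] && m[i].release <= t &&
                (best < 0 || m[i].prio > m[best].prio))
                best = i;
        if (best < 0) { t++; continue; }   /* bus idle, nothing pending */
        if (best == who) return t;
        done[best] = 1;                    /* a higher-priority frame goes first */
        t += FRAME_TIME;
    }
}

/* Time-triggered bus: the start time depends only on the slot and the round,
 * never on what the other nodes are sending. */
int tt_start_time(int slot, int round, int slots_per_round)
{
    return (round * slots_per_round + slot) * FRAME_TIME;
}

int main(void)
{
    for (int n = 1; n <= 4; n++)
        printf("ET: mA with %d active senders starts at t=%d\n",
               n, et_start_time(traffic, n, 0));
    for (int r = 0; r < 3; r++)
        printf("TT: mA in round %d starts at t=%d\n", r, tt_start_time(0, r, 4));
    return 0;
}
```

On the event-triggered bus the start of mA moves with the other nodes' load, so a node that floods high-priority frames can delay it; in the time-triggered schedule the offset is the same in every round.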


Examples
• TTCAN: based on CAN, master topology, no redundancy support, data rate limited to 1 Mbit/sec., ability to accommodate ET messages

• FlexRay: standardized, 10 Mbits/sec., synchronous and asynchronous transmission, scalable, redundancy support, various topologies

• TTP: full redundancy management, pure TT MAC, 25 Mbits/sec., membership, clique avoidance, fault tolerant clock sync., shadow nodes - FGCU development cluster uses this protocol for each TTP node

• TTEthernet: time-triggered technology for the IEEE 802.3 (Ethernet) standard, high performance and TT determinism combined!


TTP Node
• Host communicates only via the special memory interface known as CNI (no control signals passed via CNI - only data)

• TTP controller self-sync. via message descriptor list (MEDL)

• Bus guardian used to prevent unwanted, babbling idiot communication failures


TTP MEDL
• MEDL = Message Descriptor List
• Control information saved in TTP controller’s MEDL data structure so that it can work without control signals from the host
• Data:
- for each message (frame) its send time point and CNI address
- for reception the CNI address and time point
- additional control-flow information


TTP Frames
• I-frames used for synchronization and initialization
• C-state used for current state broadcasting and includes global time stamp, MEDL position, and current mode of operation
• N-frame used to send application data
• All frames contain a cyclic-redundancy-check (CRC) for message error detection


TTP Cluster Cycle
• Used to define time schedule for node bus access
• A cycle contains several time-division-multiple-access (TDMA) rounds
• A TDMA round contains several slots
• The message a node sends in its slot varies in different TDMA rounds
• A node slot can be multiplexed (i.e., used by different nodes in different TDMA rounds)
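One way a bus guardian could gate transmissions against a MEDL-style schedule with a multiplexed slot, added here as an illustration and not TTP's actual data layout or guardian logic. The entry fields, slot length, guard margin and schedule contents are hypothetical, constructed values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified MEDL entry (the slides do not give the real layout). */
typedef struct {
    uint8_t  round;      /* TDMA round within the cluster cycle */
    uint8_t  slot;       /* slot within the round */
    uint8_t  sender;     /* node allowed to transmit in this slot */
    uint16_t cni_addr;   /* where the frame's data sits in the CNI */
} medl_entry_t;

#define ROUNDS   2
#define SLOTS    4
#define SLOT_LEN 100u    /* global-time ticks per slot (constructed value) */
#define GUARD    5u      /* margin kept free at each slot edge */

/* Constructed schedule: slot 3 is multiplexed between node 3 and node 4. */
static const medl_entry_t medl[ROUNDS * SLOTS] = {
    {0, 0, 0, 0x000}, {0, 1, 1, 0x010}, {0, 2, 2, 0x020}, {0, 3, 3, 0x030},
    {1, 0, 0, 0x004}, {1, 1, 1, 0x014}, {1, 2, 2, 0x024}, {1, 3, 4, 0x040},
};

/* Entry that owns global time t; the cluster cycle repeats indefinitely. */
const medl_entry_t *medl_at(uint32_t t)
{
    return &medl[(t / SLOT_LEN) % (ROUNDS * SLOTS)];
}

/* Guardian decision: enable the transmitter only if `node` owns the current
 * slot and the whole frame fits inside the slot minus the guard margins. */
bool guardian_allows(uint8_t node, uint32_t t_start, uint32_t frame_len)
{
    const medl_entry_t *e = medl_at(t_start);
    uint32_t off = t_start % SLOT_LEN;
    if (e->sender != node) return false;              /* someone else's slot */
    /* Range check first, so the subtraction below cannot wrap around. */
    if (off < GUARD || off >= SLOT_LEN - GUARD) return false;
    return frame_len <= SLOT_LEN - GUARD - off;       /* no overrun */
}

int main(void)
{
    /* Node 3 tries to send in every slot, as a babbling node would. */
    for (uint32_t t = 10; t < 800; t += SLOT_LEN)
        printf("t=%3u node 3 %s\n", (unsigned)t,
               guardian_allows(3, t, 50) ? "pass" : "blocked");
    return 0;
}
```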


TTP/TTA Dependability Study
• In [2] the author performed validation of the TTP protocol via software fault injection
• He injected over 30 million faults into the protocol startup algorithm, synchronization, acknowledgement service, clique avoidance algorithm, host interface layer, and memory layer (MEDL), and checked whether the built-in error detection mechanisms detect these faults

• Conclusion: TTP protocol is immune to fail-silence violations in the time domain. Moreover, all value errors were detected by built-in error detection mechanisms

• Experiments in [2] thus validate the single-fault hypothesis (no single fault affecting a TTP system can go undetected)


Development Tools
• TTP Plan: cluster, subsystem, message, message type, and mode changes definition
• TTP Build: design of a cluster, task schedule generation, fault tolerant communication layer definition (DDB files)
• TTP Load: loads the DDB, S19 and MEDL into the cluster nodes
• Matlink for Matlab/Simulink: automatically generates application target code (S19) via Real-Time Workbench and Embedded Coder (uses all of the three above TTP tools) from Simulink models

• TTP Disturbance Node: injects communication faults via XML scripts

• TTP View: allows monitoring of (cluster) node communication activity (i.e., messages, mode changes, etc.)


Summary
• Time-triggered (TT) technology relates to the overall system architecture (operating system, network, application)
• TT paradigm more dominant in the safety-critical sector
• TTA/TTP – fault tolerant TT network architecture and communication protocol with over 20 years of research behind it (Tech. Univ. of Vienna, TTTech, and others) – FGCU also uses it!

• Applicability assessment of time-triggered and event-triggered technology is not trivial and depends on application’s time of activity (periodic, aperiodic, hybrid)


References

[1] H. Kopetz: Real-Time Systems - Design Principles for Distributed Embedded Applications; Kluwer Academic, Netherlands 1998.

[2] R. Hexel: Validation of Fault Tolerance Mechanisms in a Time Triggered Communication Protocol using Fault Injection; PhD Thesis, Technical University of Vienna, 1999.

[3] M. Bar: Embedded Systems Glossary; http://www.netrino.com/Embedded-Systems/Glossary

[4] J. Zalewski: Private communication with prof. Janusz Zalewski; Florida Gulf Coast University, Computer Science Department, USA, 2009.