
Publication


Featured research published by Donal Heffernan.


Microprocessors and Microsystems | 2002

TTCAN: a new time-triggered controller area network

Gabriel Leen; Donal Heffernan

The controller area network (CAN) communications protocol is used extensively in the automotive and industrial control sectors. Much work has been done to establish the bounded response time of transmissions in an event-triggered CAN. However, a new time-triggered architecture for CAN is being developed and will soon be available on the market. This new control network, referred to as time-triggered controller area network, defines a session layer protocol for CAN, which is based on a static schedule time-triggered paradigm and provides intrinsic deterministic behaviour. This paper describes the new protocol and provides some practical performance equations to calculate utilisation limits for this control network.


IET Software | 2007

Runtime verification and monitoring of embedded systems

Conal Watterson; Donal Heffernan

Ensuring the correctness of software applications is a difficult task. The area of runtime verification, which combines the approaches of formal verification and testing, offers a practical but limited solution that can help in finding many errors in software. Runtime verification relies upon tools for monitoring software execution. There are particular difficulties with regard to monitoring embedded systems. The concerns for arranging non-intrusive monitoring of embedded systems in a way that is suitable for use in runtime verification methods are considered here. A number of existing runtime verification tools are referenced, highlighting their requirement for monitoring solutions. Established and emerging approaches for the monitoring of software execution using execution monitors are reviewed, with an emphasis on the approaches that are best suited for use with embedded systems. A suggested solution for non-intrusive monitoring of embedded systems is presented. The conclusions summarise the possibilities for arranging non-intrusive monitoring of embedded systems, and the potential for runtime verification to utilise such monitoring approaches.


Microprocessors and Microsystems | 2004

A time-triggered transducer network based on an enhanced IEEE 1451 model

Paula Doyle; Donal Heffernan; D. Duma

The IEEE 1451 set of standards defines an architectural model for interfacing multiple ‘smart transducers’ in a distributed environment, which can gate to a fieldbus or local area network. However, the IEEE 1451 standards do not support strict real-time message scheduling within the transducer cluster environment. This work proposes that a time-triggered control network, TTCAN (time-triggered controller area network), be employed as the multiplexed interface for smart transducers. Such a development would allow a deterministic control message scheduling matrix to be defined so that all transducer message scheduling can be guaranteed. The proposal effectively changes the IEEE 1451 architecture from an event-driven system to a true time-driven system. The existing set of IEEE 1451 standards is briefly reviewed and the new TTCAN control network is described. A complete prototype design implementation of the proposed system is presented. The prototype system demonstrates that the concept is feasible and workable. Time-triggered networks are synchronous control networks where the scheduling of control messages progresses strictly with the passage of time, based on the network's sense of global time. Such time-triggered networks are being developed primarily for the automotive industry to support reliable scheduling for safety-critical control systems such as brake-by-wire and steer-by-wire systems. This work shows that it is now possible to apply such time-triggered paradigms to general transducer interfacing environments.


Emerging Technologies and Factory Automation | 2014

A comparison of fault-tolerance concepts for IEEE 802.1 Time Sensitive Networks (TSN)

Stephan Kehrer; Oliver Kleineberg; Donal Heffernan

With Audio and Video Bridging (AVB), the Institute of Electrical and Electronics Engineers (IEEE) AVB task group introduced Real-Time capabilities to Ethernet based on IEEE 802 Standards. As AVB was conceived with a focus on home and professional audio and video transmissions, some mandatory aspects for the application in industrial control networks are not covered. Under the name of Time-Sensitive Networking (TSN), second generation AVB standards are being developed to address the requirements of industrial automation and control networks, and automotive in-vehicle networks. One of the mandatory requirements addressed by TSN is a redundancy feature to achieve fault tolerance. This paper compares two methods for implementing fault-tolerant networks with the stream registration mechanisms that are planned for TSN.


International Conference on Networking | 2006

Modeling and Verification of a Time-triggered Networking Protocol

Gabriel Leen; Donal Heffernan

Analysis estimates that more than 80% of all current innovations within vehicles are based on distributed electronic systems. Critical to the functionality and application domain of such systems is the underlying communication network. Current advances in control networking technology indicate that time-triggered architectures offer improvements in deterministic behaviour, which are particularly appropriate for safety-critical and real-time applications. Here we present novel work on the formal specification and formal verification of a time-triggered protocol: ISO 11898-4 - Time Triggered communication on the Controller Area Network (TTCAN)®. This work has been carried out using the UPPAAL model-checker-based tool set, which is capable of verifying safety properties as formalised by simple reachability properties. These verifiable properties are a subset of those possible in a full realisation of Timed Computation Tree Logic (TCTL). Three TTCAN network automata and a medium automaton were designed. Nine properties, including deadlock, were examined. The results provide a high degree of confidence in the correctness of the TTCAN protocol specification. The formal verification research work described here was conducted in parallel with the preparation of the ISO standard protocol specification for TTCAN.


IET Software | 2014

Runtime verification monitoring for automotive embedded systems using the ISO 26262 functional safety standard as a guide for the definition of the monitored properties

Donal Heffernan; Ciaran MacNamee; Padraig Fogarty

The ISO 26262 Road Vehicles Functional Safety Standard is intended to guide the derivation of appropriate requirements and processes for avoiding systematic and/or random failures in automotive electrical/electronic equipment. Functional safety statements can be captured in the requirements specifications for automotive embedded control units and systems. However, the process of verifying the behaviour of resulting products continues to be incomplete, because embedded programme verification is unsolvable in general. This study shows that it is possible to monitor some proof obligations in the testing phase, or even in the actual operating phase of a system, by the use of an on-chip, real-time runtime verification monitor. In this work, the ISO 26262 standard for functional safety is used to guide the definition of the functional safety requirements for a product, and the specific requirements are mapped to logic formulae, such that the actual runtime behaviour of the system for selected properties can be formally verified throughout the lifetime of a product. A case study example for an automotive gearbox control system is presented to demonstrate the feasibility of the scheme. The monitor is constructed as a permanent feature within an integrated circuit that can continuously observe the system's runtime behaviour.


Microprocessors and Microsystems | 2004

Clock synchronisation on multiple TTCAN network channels

Colin Ryan; Donal Heffernan; Gabriel Leen

The Controller Area Network (CAN) is a well-established control network for automotive and automation control applications. Time-Triggered Controller Area Network (TTCAN) is a recent development which introduces a session layer, for message scheduling, to the existing CAN standard, which is a two-layer standard comprising a physical layer and a data link layer. TTCAN facilitates network communication in a time-triggered fashion by introducing a Time Division Multiple Access style communication scheme. This allows deterministic network behaviour, where maximum message latency times can be quantified and guaranteed. However, for safety-critical applications the market requires fault-tolerant control networks, which support spatial redundancy. The TTCAN standard does not support such built-in redundancy. This paper proposes a prototype design implementation for a synchronisation layer between two or more independent TTCAN network channels. This synchronisation layer can be used as a building block for network redundancy, leading to a fault-tolerant network architecture by introducing related and comparable message transmissions on multiple network channels. This leads to improved error tolerance and also facilitates increased bandwidth by running multiple synchronised TTCAN network channels in parallel.


IET Software | 2009

Monitoring embedded software timing properties with an SoC-resident monitor

Donal Heffernan; Shehryar Shaheen; Conal Watterson

Many safety-critical software applications are hard real-time systems. They have stringent timing requirements that have to be adhered to. Functional timing requirements need to interact properly with performance timing requirements. A novel runtime monitor that can check for proper timing behaviour of software, in the actual implementation environment, is presented. The monitor can be synthesised from the software's timing requirements specification and instantiated in the programmable digital logic of a system on chip (SoC)-based device. Since the monitor is synthesised from the program's requirements, new monitors can be automatically generated for new programs. Since the SoC-based monitor is deeply embedded, it can operate at the full processor speed and will have access to the internal registers of the processing system. A low gate count, non-invasive monitor is achievable. A case study example, based on a design for an electronic automotive gear controller system, is presented. The study shows that the monitor is capable of detecting program timing violations, in the implementation environment, even though the software design had been properly verified against stated requirements. The monitor scheme can be used as a supplementary test solution, or the monitor can be built into a product for lifetime monitoring of timing behaviour, so as to enhance the product's reliability.


Emerging Technologies and Factory Automation | 2011

Fault-tolerant Ethernet networks with Audio and Video Bridging

Oliver Kleineberg; Peter Fröhlich; Donal Heffernan

Industrial Ethernet networks are now a common feature on today's factory floors. Vendor-specific technologies, such as Profinet IRT, have demonstrated Ethernet networks with hard real-time (RT) properties. Specified by the IEEE, the Audio and Video Bridging (AVB) technology promises a standardized approach to RT Ethernet. However, AVB has been conceived for other application fields, e.g. home entertainment systems. Several aspects necessary for AVB's potential use in industrial automation solutions are not covered by the standard. One important aspect is the usage of redundant communication paths to increase fault tolerance. In this paper, a method of achieving redundancy with AVB is proposed. It has been verified through simulation and has been proposed to the AVB Task Group for use in future revisions of the standard.


International Symposium on Industrial Electronics | 2008

A runtime verification monitoring approach for embedded industrial controllers

Conal Watterson; Donal Heffernan

Complexity in industrial control systems has grown exponentially during the past decade. The reliability of such systems is dependent on trustable embedded controllers. The design of such embedded controllers is moving towards reliability-centric hardware/software co-design frameworks. This paper proposes a novel approach to the development of such embedded controllers, by proposing a special embedded monitoring scheme. An experimental evaluation framework is described that supports runtime verification of a software application executing in an embedded system, where the processor is a Java Optimised Processor (JOP) soft processor, instantiated in the fabric of an FPGA (field programmable gate array). The experimental system employs the Java-MaC (Java Monitoring and Checking) runtime verification method, arranged to indirectly monitor the execution behaviour of the application software in its native environment. A case study example is described, which demonstrates the verification of a condition for a software model of a railroad crossing system. The example shows that such a runtime verification scheme can be used effectively as a software testing approach for such a specialised embedded controller. The issues of how to minimise the overhead impact of the monitoring scheme and how to provide an interface for the monitor are considered.

Collaboration

Top co-authors of Donal Heffernan:

Colin Ryan, University of Limerick

K. Twomey, University of Limerick