Guillermo Rodriguez-Navas
Mälardalen University College
Publication
Featured research published by Guillermo Rodriguez-Navas.
Real-Time Systems Symposium | 2002
Ian Broster; Alan Burns; Guillermo Rodriguez-Navas
As CANs (controller area networks) are being increasingly used in safety-critical applications, there is a need for accurate predictions of failure probability. In this paper we provide a general probabilistic schedulability analysis technique which is applied specifically to CANs to determine the effect of random network faults on the response times of messages. The resultant probability distribution of response times can be used to provide probabilistic guarantees of real-time behaviour in the presence of faults. The analysis is designed to have as little pessimism as possible but never be optimistic. Through simulations, this is shown to be the case. It is easy to apply and can provide useful evidence for justification of an event-triggered bus in a critical system.
IEEE Transactions on Industrial Informatics | 2006
Manuel Barranco; Julian Proenza; Guillermo Rodriguez-Navas; Luis Almeida
The controller area network (CAN) is a field bus that is nowadays widespread in distributed embedded systems due to its electrical robustness, low price, and deterministic access delay. However, its use in safety-critical applications has been controversial due to dependability limitations, such as those arising from its bus topology. In particular, in a CAN bus, there are multiple components such that if any of them is faulty, a general failure of the communication system may happen. In this paper, we propose a design for an active star topology called CANcentrate. Our design solves the limitations indicated above by means of an active hub, which prevents error propagation from any of its ports to the others. Due to the specific characteristics of this hub, CANcentrate is fully compatible with existing CAN controllers. This paper compares bus and star topologies, analyzes related work, describes the CANcentrate basics, paying special attention to the mechanisms used for detecting faulty ports, and finally describes the implementation and test of a CANcentrate prototype.
IEEE Transactions on Industrial Informatics | 2006
Joaquim Ferreira; Luis Almeida; A. Fonseca; Paulo Pedreiras; Ernesto Martins; Guillermo Rodriguez-Navas; J. Rigo; Julian Proenza
The traditional approaches to the design of distributed safety-critical systems, due to fault-tolerance reasons, have mostly considered static cyclic table-based traffic scheduling. However, there is a growing demand for operational flexibility and integration, mainly to improve efficiency in the use of system resources, with the network playing a central role to support such properties. This calls for dynamic online traffic scheduling techniques so that dynamic communication requirements are adequately supported. Nevertheless, using dynamic traffic management mechanisms raises additional problems, in terms of fault-tolerance, related to the weaker knowledge of the future system state caused by the higher level of operational flexibility. Such problems have been recently addressed in the scope of using flexible time-triggered CAN (FTT-CAN) in safety-critical applications in order to benefit from the high operational flexibility of this protocol. This paper gathers and reviews the main mechanisms that were developed to provide dependability to the protocol, namely, master replication and fail-silence enforcement.
Real-time Systems | 2005
Ian Broster; Alan Burns; Guillermo Rodriguez-Navas
This paper discusses aspects of dependability of real-time communication. In particular, we consider timing behaviour under fault conditions for Controller Area Network (CAN) and the extension Time-triggered CAN (TTCAN) based on a time-driven schedule. We discuss the differences between these buses and their behaviour under electromagnetic interference. We present response timing analyses for CAN and TTCAN in the presence of transient network faults using a probabilistic fault model where random faults from electromagnetic interference occur. The CAN analysis provides a probability distribution of worst case response times for message frames. The results indicate that CAN may generally provide a higher probability of delivering messages on time than TTCAN. The CAN analysis result is used to discuss an approach to implementing a bus guardian for event-triggered systems.
International Workshop on Factory Communication Systems | 2004
Manuel Barranco; Guillermo Rodriguez-Navas; Julian Proenza; Luis Almeida
Distributed embedded systems that require real-time performance need a network capable of deterministic access delay. CAN is one such network that became widespread in recent years due to its electrical robustness, low price, and priority-based access control. However, its use in safety-critical applications has been controversial due to dependability limitations that arise from its bus topology and non-guaranteed atomic broadcast. In this paper, we propose an active star topology that allows solving many of the limitations related to the first aspect by means of strong error confinement. Nodes are interconnected through an active hub that is fully compatible with existing CAN controllers. The paper compares bus and star topologies, analyzes related work and discusses the hub implementation and dependability properties.
Euromicro Conference on Real-Time Systems | 2004
Ian Broster; Alan Burns; Guillermo Rodriguez-Navas
The contribution of this paper is threefold. First, an improvement to a previously published paper on the timing analysis of controller area network (CAN) in the presence of transient network faults is presented. A probabilistic fault model is considered, where random faults from electromagnetic interference occur according to a Poisson distribution. The analysis provides worst case response times for message frames, not as a single value, but as a probability distribution. Secondly, a similar result is produced for time-triggered CAN (TTCAN), a version of CAN based on a time-driven schedule. Thirdly, these analyses are applied to an example message set and used to discuss the dependability of event-triggered and time-triggered communication in the presence of electromagnetic interference. The results indicate that an event-triggered bus can generally provide a higher probability of timely delivery of data than a time-triggered bus.
Requirements Engineering | 2014
Predrag Filipovikj; Mattias Nyberg; Guillermo Rodriguez-Navas
The importance of using formal methods and techniques for verification of requirements in the automotive industry has been greatly emphasized with the introduction of the new ISO26262 standard for road vehicles functional safety. The lack of support for formal modeling of requirements still represents an obstacle for the adoption of the formal methods in industry. This paper presents a case study that has been conducted in order to evaluate the difficulties inherent to the process of transforming the system requirements from their traditional written form into semi-formal notation. The case study focuses on a set of non-structured functional requirements for the Electrical and Electronic (E/E) systems inside heavy road vehicles, written in natural language, and reassesses the applicability of the extended Specification Pattern System (SPS) represented in a restricted English grammar. Correlating this experience with former studies, we observe that, as previously claimed, the concept of patterns is likely to be generally applicable for the automotive domain. Additionally, we have identified some potential difficulties in the transformation process, which were not reported by the previous studies and will be used as a basis for further research.
IEEE Transactions on Industrial Informatics | 2008
Guillermo Rodriguez-Navas; Sebastià Roca; Julian Proenza
The controller area network (CAN) is facing a great opportunity. The maturity of this technology makes many researchers believe that CAN may be adopted in more critical systems. However, the suitability of CAN for these challenging applications strongly depends on our capacity to integrate all the solutions already available into a single, comprehensive architecture. We claim that clock synchronization plays a fundamental role in such an architecture. Therefore, the means to achieve a solution fulfilling the expected requirements on reliability, cost, and precision must be deeply investigated. This paper discusses the relevance of clock synchronization in the future of CAN systems and describes a novel solution to supply this service. This solution exhibits several advantages: it provides very high precision, causes very low communication and computation overhead, and includes mechanisms to provide fault tolerance. Moreover, and in contrast to previous proposals, it is designed to be orthogonal to the rest of the system. Thus, it can be directly incorporated into any CAN system, without having to replace any of the components, which reduces the cost increment caused by the new service.
Emerging Technologies and Factory Automation | 2012
Julian Proenza; Manuel Barranco; Guillermo Rodriguez-Navas; David Gessner; Fernando Guardiola; Luis Almeida
Despite the significant advantages of the Controller Area Network (CAN) there is an extended belief that CAN is not suitable for critical applications, mainly because of several dependability limitations. During the CANbids project each one of these limitations has been addressed and a complete architecture for CAN-based fault-tolerant systems has been devised. This architecture allows building highly-reliable systems. This paper describes the design of such an architecture and the prototyping of its fundamental parts.
Emerging Technologies and Factory Automation | 2003
Guillermo Rodriguez-Navas; Jesús Jiménez; Julian Proenza
It has been reported that some particular fault scenarios may cause malfunction of the controller area network protocol. Although such scenarios are very unlikely, they become relevant when attempting to use the CAN protocol for critical applications. The fault injector described in this paper induces these fault scenarios at the physical layer of the CAN protocol by means of a software tool and a set of specifically designed circuits. Therefore, and in contrast to previous solutions, this fault injector is suitable to evaluate most of the dependability mechanisms that have been proposed for CAN networks.