Hermann Kopetz

TTP - A time-triggered protocol for fault-tolerant real-time systems

The Time-Triggered Protocol (TTP), which is intended for use in distributed real-time control applications that require a high dependability and guaranteed timeliness, is discussed. It integrates all services that are required in the design of a fault-tolerant real-time system, such as predictable message transmission, message acknowledgment in group communication, clock synchronization, membership, rapid mode changes, redundancy management, and temporary blackout handling. It supports fault-tolerant configurations with replicated nodes and replicated communication channels. TTP provides these services with a small overhead so it can be used efficiently on twisted pair channels as well as on fiber optic networks.

Temporal uncertainties in interactions among real-time objects

A model of a distributed real-time system which supports reasoning about the consistency and accuracy of real-time data and about the performance of real-time communication protocols is presented. The conventional object model is extended into a model of a real-time (RT-) object which incorporates a real-time clock as a mechanism for initiating an object action as a function of real time. The notion of accuracy as referring to the time gap between a state variable in the external world and its representation in a real-time computer system is adopted. The effects of the temporal uncertainties of different classes of communication protocols on the consistency and the accuracy of RT-objects are analyzed. Finally, an approach to structuring fault-tolerant RT-objects in the form of active object replicas is discussed, and the effects of a failure of a task in a replica on the responsiveness of remote objects are analyzed.<<ETX>>

A universal smart transducer interface: TTP/A

The primary goal of a universal smart transducer interface is the provision of a framework that helps to reduce the complexity of large distributed real-time systems by introducing precisely specified (in the value domain and in the temporal domain) and small interfaces between smart transducers and their users. This paper presents a universal smart transducer interface that can be implemented on top of different real-time communication systems. It integrates a time-triggered communication protocol with an interface file system that provides the sources and sinks for the exchanged information. The final section discusses an implementation of this interface on a low cost (less than 1

Tolerating transient faults in MARS

) commercial off the shelf microcontroller.

The design of real-time systems: from specification to implementation and verification

The concepts of transient fault handling in the MARS architecture are discussed. After an overview of the MARS architecture, the mechanisms for the detection of transient faults are discussed in detail. In addition to extensive checks in the hardware and in the operating system, time-redundant execution of application tasks is proposed for the detection of transient faults. The time difference between the effective and the maximum execution time of an application task is used for this purpose. Whenever a transient fault has been detected, the affected component is turned off and reintegrated immediately by retrieving the uncorrupted state of the actively redundant partner component. In order to reduce the probability of spare exhaustion (in the case of permanent faults) shadow components are introduced. The reliability improvement, which can be realized by these techniques, is calculated by detailed reliability models of the architecture, where the parameters are based on experimental results measured on the present MARS prototype implementation.<<ETX>>

A synchronization strategy for a time-triggered multicluster real-time system

Presents an engineering approach to the design of distributed real-time systems, which guarantee hard deadlines and can tolerate a specified set of faults. The methodology covers the stepwise refinement of the given requirements, expressed in the form of real-time transactions, to task and protocol executions. It also includes a timing analysis and dependability evaluation of the still incomplete design. The testability of the evolving system is considered to be of essential concern. A set of coherent tools for the support of the methodology is described in some detail. The methodology assumes that the runtime architecture is based on static scheduling, and a globally synchronised time-base is available to co-ordinate the system actions in the domain of real time.

A comparison of LIN and TTP/A

The provision of a system-wide global time base with a good precision and sufficient accuracy is a fundamental prerequisite for the design of a multicluster distributed real-time system. We investigate the issues of clock synchronization in a multicluster system, where every node can have a different oscillator. Based on the parameter of a typical automotive distributed system we show that a precision and accuracy in the second range is achievable without undue effort.

The design of large real-time systems: the time-triggered approach

The paper compares two novel field-bus protocols for low-cost single-chip smart sensor and actuator nodes, LIN and TTP/A. Both protocols are central-master UART protocols, where the master with its precise oscillator establishes the stable time-base required by the slaves to synchronize their imprecise on-chip oscillators. While LIN provides the basic services needed for real-time communication, the TTP/A standard additionally specifies an interface-file system to perform on-line configuration, diagnostics and maintenance of smart sensor nodes. With TTP/A it is thus possible to produce preprogrammed simple transducer nodes or generic smart transducer nodes that can be configured dynamically to the given application requirements.

Interface design for smart transducers

The time-triggered (TT) architecture approach supports the spatial partitioning of a large, distributed real-time system into a set of autonomous subsystems with small control-free data-sharing interfaces between them. This paper presents such a TT architecture and gives a detailed description of the interface between an autonomous time-triggered communication subsystem based on the TTP protocol and the host computer within a node of this architecture. This interface acts as a temporal firewall that eliminates the possibility of control error propagation from one subsystem to another subsystem. It thus facilitates the independent development and validation of the subsystems and supports the composability of the distributed architecture with respect to timeliness, validation, and certification.

The transparent implementation of fault tolerance in the time-triggered architecture

This paper describes design issues on smart transducer interfaces to hide the internal node properties and allow a decoupling of applications from communication properties like message timing, flow control and bus access. We present a smart transducer interface that incorporates three different interfaces (real-time service, diagnostic/maintenance, configuration/planning). Further decomposition of real-time systems can be provided by hiding the sensor properties from the application program. Therefore, a data structure that represents a model of the environment is introduced. This extra interface reduces the complexity of the application and enables reuse of the application code. Finally, an application of the presented concepts is described in a case study featuring a mobile robot.