Julian Proenza

An active star topology for improving fault confinement in CAN networks

The controller area network (CAN) is a field bus that is nowadays widespread in distributed embedded systems due to its electrical robustness, low price, and deterministic access delay. However, its use in safety-critical applications has been controversial due to dependability limitations, such as those arising from its bus topology. In particular, in a CAN bus, there are multiple components such that if any of them is faulty, a general failure of the communication system may happen. In this paper, we propose a design for an active star topology called CANcentrate. Our design solves the limitations indicated above by means of an active hub, which prevents error propagation from any of its ports to the others. Due to the specific characteristics of this hub, CANcentrate is fully compatible with existing CAN controllers. This paper compares bus and star topologies, analyzes related work, describes the CANcentrate basics, paying special attention to the mechanisms used for detecting faulty ports, and finally describes the implementation and test of a CANcentrate prototype.

Combining operational flexibility and dependability in FTT-CAN

The traditional approaches to the design of distributed safety-critical systems, due to fault-tolerance reasons, have mostly considered static cyclic table-based traffic scheduling. However, there is a growing demand for operational flexibility and integration, mainly to improve efficiency in the use of system resources, with the network playing a central role to support such properties. This calls for dynamic online traffic scheduling techniques so that dynamic communication requirements are adequately supported. Nevertheless, using dynamic traffic management mechanisms raises additional problems, in terms of fault-tolerance, related with the weaker knowledge of the future system state caused by the higher level of operational flexibility. Such problems have been recently addressed in the scope of using flexible time-triggered CAN (FTT-CAN) in safety-critical applications in order to benefit from the high operational flexibility of this protocol. This paper gathers and reviews the main mechanisms that were developed to provide dependability to the protocol, namely, master replication and fail-silence enforcement.

CANcentrate: an active star topology for CAN networks

Distributed embedded systems that require real-time performance need a network capable of deterministic access delay. CAN is one such network that became widespread in recent years due to its electrical robustness, low price, and priority-based access control. However, its use in safety-critical applications has been controversial due to dependability limitations that arise from its bus topology and non-guaranteed atomic broadcast. In this paper, we propose an active star topology that allows solving many of the limitations related to the first aspect by means of strong error confinement. Nodes are interconnected through an active hub that is fully compatible with existing CAN controllers. The paper compares bus and star topologies, analyzes related work and discusses the hub implementation and dependability properties.

ReCANcentrate: a replicated star topology for CAN networks

Controller area network (CAN) is nowadays widespread in distributed embedded systems due to its electrical robustness, low price, and deterministic access delay. However, its use in safety-critical applications has been controversial due to dependability limitations. In particular, in a CAN bus there are multiple components such that a single fault of any of them can prevent the communication capabilities of several nodes and may provoke a general failure of the communication system, i.e. there are multiple severe points of failure. In Barranco, M et al., (2004) we proposed a new active star topology, called CANcentrate, that solves these limitations by means of an active hub with enhanced fault-treatment capabilities. However, the center of the star still represents a severe point of failure, thus not being suitable for more demanding safety-critical systems. In this paper, we propose a replicated star topology, called ReCANcentrate, which has no severe points of failure and is fully compatible with existing CAN controllers. The paper analyzes related work, describes the CANcentrate basics, explains the design and functionalities of ReCANcancentrate, and finally describes the implementation and test of its prototype

Orthogonal, Fault-Tolerant, and High-Precision Clock Synchronization for the Controller Area Network

The controller area network (CAN) is facing a great opportunity. The maturity of this technology makes many researchers believe that CAN may be adopted in more critical systems. However, the suitability of CAN for these challenging applications strongly depends on our capacity to integrate all the solutions already available into a single, comprehensive architecture. We claim that clock synchronization plays a fundamental role in such architecture. Therefore, the means to achieve a solution fulfilling the expected requirements on reliability, cost, and precision must be deeply investigated. This paper discusses the relevance of clock synchronization in the future of CAN systems and describes a novel solution to supply this service. This solution exhibits several advantages: it provides very high precision, causes very low communication and computation overhead, and includes mechanisms to provide fault tolerance. Moreover, and in contrast to previous proposals, it is designed to be orthogonal to the rest of the system. Thus, it can be directly incorporated to any CAN system, without having to replace any of the components, which reduces the cost increment caused by the new service.

Towards a Flexible Time-Triggered replicated star for ethernet

Distributed embedded systems have traditionally been designed using static approaches, i.e., assuming a static environment. Such approaches, however, cannot guarantee continuous operation under dynamic environments that impose new requirements upon a system as time passes. As a solution, flexible approaches have been proposed. One such approach that allows a system to adapt to changing real-time requirements is the Flexible Time-Triggered (FTT) communication paradigm. Nevertheless, if continuous operation under dynamic environments is desired, then flexibility is not enough. Indeed, it is also crucial for the system to be sufficiently reliable. In this paper we therefore explore some design ideas to make FTT highly reliable through fault tolerance by using replication. As a starting point we will use the switch of the Hard Real-Time Ethernet Switching (HaRTES) implementation of FTT.

Boosting the Robustness of Controller Area Networks: CANcentrate and ReCANcentrate

This paper discusses two proposed star architectures for systems based on the controller area network (CAN) protocol aim to improve CANs error containment and fault tolerance for general distributed embedded systems and safety-critical applications.

The design of the CANbids architecture

Despite the significant advantages of the Controller Area Network (CAN) there is an extended belief that CAN is not suitable for critical applications, mainly because of several dependability limitations. During the CANbids project each one of these limitations has been addressed and a complete architecture for CAN-based fault-tolerant systems has been devised. This architecture allows building highly-reliable systems. This paper describes the design of such an architecture and the prototyping of its fundamental parts.

An architecture for physical injection of complex fault scenarios in CAN networks

It has been reported that some particular fault scenarios may cause malfunction of the controller area network protocol. Although such scenarios are very unlikely, they become relevant when attempting to use the CAN protocol for critical applications. The fault injector described in this paper induces these fault scenarios at the physical layer of the CAN protocol by means of a software tool and a set of specifically designed circuits. Therefore, and in contrast to previous solutions, this fault injector is suitable to evaluate most of the dependability mechanisms that have been proposed for CAN networks.

Using UPPAAL to model and verify a clock synchronization protocol for the controller area network

A reported liability of the controller area network protocol is that it does not provide a clock synchronization service. Therefore, whenever a CAN-based distributed embedded system requires its nodes to have a common time base, clock synchronization has to be implemented by means of an external mechanism. In a previous work, we proposed a fault-tolerant and high-precision clock synchronization protocol for CAN. This paper shows the first steps towards the formal verification of this protocol. In particular, it presents a formal model that has been built with the UPPAAL model checker and discusses how clock drift and clock correction can be modeled with this tool